§ 24 BlnDSG
Right of Access of the Data Subject
(1) Without prejudice to Section 17(4), the right of the data subject to access pursuant to Article 15 of Regulation (EU) 2016/679 shall not apply where the provision of information must yield to the public interest in confidentiality or to an overriding interest of third parties in confidentiality for compelling reasons. A case within the meaning of sentence 1 shall exist in particular where the provision of information 1. would jeopardise public safety or would otherwise cause substantial disadvantages to the interests of the Federation or a Land, 2. would jeopardise the prosecution of criminal offences and administrative offences, or 3. would lead to the disclosure of facts that, pursuant to a legal provision serving the public interest or for the protection of the rights and freedoms of other persons, must be kept confidential. The data subject may not request access to personal data that are stored exclusively for purposes of data security or data protection control and whose processing is excluded by suitable technical and organisational measures.
(2) Where the access request relates to personal data that have been transmitted by bodies of the Office for the Protection of the Constitution, the courts, the public prosecution service and the police, or by Land tax authorities insofar as they store personal data for purposes of the prevention, investigation, detection or prosecution of criminal offences or for purposes of criminal prosecution, as well as by the Federal Intelligence Service, the Military Counter-Intelligence Service and, insofar as the security of the Federation is concerned, by other authorities within the purview of the Federal Ministry of Defence, access shall only be permissible with the consent of those bodies. The same shall apply to the provision of access concerning the transmission of personal data to those bodies. Personal data of the data subject may be processed to the extent necessary for this purpose. Consent pursuant to sentences 1 and 2 may only be refused where this is necessary for the protection of the interests referred to in Article 23(1)(a) to (e) of Regulation (EU) 2016/679.
(3) The full or partial refusal of a request for access shall not require a statement of reasons insofar as providing the reasons would jeopardise the purpose of the refusal. Both the decision on the refusal of the request for access and the decision on refraining from providing reasons shall be the responsibility of the head of the controller. This decision may be delegated to a person directly subordinate to the head. The reasons for the refusal shall be documented. Where the request for access is refused, the controller shall inform the data subject that they may also exercise their right of access through the Berlin Commissioner for Data Protection and Freedom of Information. Where the data subject exercises their right pursuant to sentence 5, access shall, at their request, be granted to the Berlin Commissioner for Data Protection and Freedom of Information, unless the competent supreme Land authority determines in the individual case that this would jeopardise the security of the Federation or a Land. The Berlin Commissioner for Data Protection and Freedom of Information shall at least inform the data subject that all necessary reviews have been carried out or that a review by the Commissioner has taken place. This communication may contain the information whether data protection violations have been established. The communication of the Berlin Commissioner for Data Protection and Freedom of Information to the data subject shall not allow conclusions to be drawn about the state of knowledge of the controller, unless the latter has consented to more extensive disclosure.
(4) Where access is omitted in the cases of paragraph 1 on account of a temporary impediment, the controller shall comply with the duty to provide access within a reasonable period after the impediment ceases, taking into account the specific circumstances of the processing, but no later than within two weeks.
(5) The right of the data subject to access personal data that are processed by a public body by non-automated means shall only exist insofar as the data subject provides information that enables the data to be located and the effort required to provide access is not disproportionate to the information interest asserted by the data subject.
(6) Where personal data are stored in files, the data subject may, in addition to the access pursuant to Article 15 of Regulation (EU) 2016/679, request inspection of the files from the processing body. Where the files are not kept on the data subject, indications for locating the personal data stored on the data subject may be required, if locating them is otherwise not possible or would only be possible with disproportionate effort. Inspection shall, as a rule, not be permissible where the data of the data subject are so interconnected with data of third parties or confidential non-personal data that their separation according to different purposes, including by copying and rendering anonymous, is not possible or is possible only with disproportionate effort. Otherwise, paragraphs 1 to 3 shall apply accordingly to the refusal of inspection of files.
(7) The Senate shall submit a report to the House of Representatives by 30 June 2020 on the application of paragraphs 1 to 5.
(8) The Court of Auditors shall not be obliged to provide access pursuant to Article 15 of Regulation (EU) 2016/679 insofar as it processes personal data in the context of its independent activities.