§ 52 HDSIG
Right of Access
(1)The controller shall, upon request, inform data subjects whether he or she is processing data concerning them. Data subjects shall furthermore have the right to obtain information on 1. the personal data that are the subject of processing and the category to which they belong, 2. the available information about the origin of the data, 3. the purposes of the processing and the legal basis therefor, 4. the recipients or categories of recipients to whom the data have been disclosed, in particular recipients in third countries or international organisations, 5. the storage period applicable to the data or, where this is not possible, the criteria for determining that period, 6. the existence of a right to rectification, erasure or restriction of processing of the data by the controller, 7. the right pursuant to § 55 to call upon the Hessian Data Protection Commissioner, and 8. the contact details of the Hessian Data Protection Commissioner.
(2)Para. 1 shall not apply to personal data that are only processed because they may not be erased due to statutory retention requirements, or that serve exclusively the purposes of data security, data protection monitoring or ensuring the proper operation of a data processing system.
(3)The right of the data subject to access personal data that are neither processed by automated means nor processed by non-automated means and stored in a filing system shall only exist insofar as the data subject provides information enabling the data to be found and the effort required for the provision of access is not disproportionate to the information interest of the data subject. Instead of access to personal data, the data subject may be granted inspection of the files.
(4)Under the conditions of § 51 para. 2, the controller may refrain from providing the access under para. 1 sentence 1 or may partially or fully restrict the provision of access under para. 1 sentence 2.
(5)Where the provision of access relates to the transfer of personal data to constitutional protection authorities, the Federal Intelligence Service, the Military Counter-Intelligence Service and, insofar as the security of the Federation is affected, other authorities of the Federal Ministry of Defence, it shall only be permissible with the consent of those bodies.
(6)The controller shall inform the data subject in writing without undue delay of the refusal of or restriction on access. This shall not apply where even the provision of this information would entail a risk within the meaning of § 51 para. 2. The information under sentence 1 shall be reasoned, unless the communication of the reasons would jeopardise the purpose pursued by the refusal of or restriction on access.
(7)Where the data subject is informed under para. 6 of the refusal of or restriction on access, he or she may also exercise the right of access through the Hessian Data Protection Commissioner. The controller shall inform the data subject of this possibility and of the fact that he or she may call upon the Hessian Data Protection Commissioner pursuant to § 55 or seek judicial remedy. The Hessian Data Protection Commissioner shall inform the data subject that all necessary checks have been carried out or that a review by him or her has taken place. The communication of the Hessian Data Protection Commissioner to the data subject may not allow conclusions to be drawn about the state of knowledge of the controller, unless the controller consents to further disclosure. The Hessian Data Protection Commissioner shall also inform the data subject of his or her right to judicial remedy.
(8)The controller shall document the factual or legal reasons for the decision. zur Einzelansicht § 52