§ 51 NDSG
Right of access
(1)1The controller shall, upon request, provide data subjects with access to the following:
(2)the personal data which are the subject of the processing and the category to which they belong,
(3)the purpose and the legal basis of the processing,
(4)the available information about the origin of the data,
(5)the recipients or the categories of recipients to whom the personal data have been disclosed, and
(6)the storage period applicable to the data or, where this is not possible, the criteria for determining that period.
(7)2The controller shall inform the data subject of his or her rights to rectification, erasure or restriction of processing of personal data by the controller and of the existence of the right pursuant to § 55 to lodge a complaint with the authority headed by the Land Commissioner for Data Protection, as well as that authority's contact details.
(8)Paragraph 1 shall not apply to personal data processed exclusively for purposes of ensuring data security or data protection control, where processing for other purposes is excluded by appropriate technical and organisational measures and providing access would require disproportionate effort.
(9)1The controller may restrict or refuse access insofar as and as long as
(10)the access would jeopardise the performance of the tasks referred to in § 23,
(11)the access would endanger public security or otherwise prejudice the welfare of the Federation or a Land, or
(12)the access would jeopardise the interests of another person in confidentiality,
(13)unless the information interest of the data subject outweighs the interest in avoiding those risks. 2Access may also be restricted or refused insofar as and as long as the data or the fact of their storage must be kept confidential pursuant to a legal provision.
(14)1Where access relates to personal data that have been transmitted to the constitutional protection authorities, the Federal Intelligence Service, the Military Counter-Intelligence Service, and, insofar as the security of the Federation is affected, other authorities of the Federal Ministry of Defence, it shall be permissible only with the consent of those bodies. 2Sentence 1 shall apply mutatis mutandis to personal data transmitted by an authority referred to in sentence 1.
(15)1The controller shall inform the data subject in writing without undue delay of the refusal or restriction of access. 2The refusal or restriction of access pursuant to sentence 1 shall be accompanied by reasons, unless stating the reasons would defeat the purpose pursued by the refusal or restriction of access. 3Insofar as the refusal or restriction of access is not accompanied by reasons pursuant to sentence 2, the reasons shall be placed on record.
(16)1Where the data subject is informed pursuant to paragraph 5 of the refusal or restriction of access, the data subject may also exercise his or her right of access through the authority headed by the Land Commissioner for Data Protection. 2The controller shall inform the data subject of this possibility and that he or she may, pursuant to § 55, lodge a complaint with the authority headed by the Land Commissioner for Data Protection or seek judicial redress. 3At the request of the data subject, the controller shall provide the authority headed by the Land Commissioner for Data Protection with the requested access and the reasons documented pursuant to paragraph 5 sentence 3 for the refusal or restriction of access, unless an exclusion ground pursuant to § 57(7) sentence 1 applies. 4The authority headed by the Land Commissioner for Data Protection shall at least inform the data subject that all necessary reviews have been carried out or that a review by it has taken place, or of the reasons why a review has not taken place. 5This communication may contain information on whether data protection violations have been established. 6The communication of the authority headed by the Land Commissioner for Data Protection to the data subject shall not permit conclusions to be drawn about the state of knowledge of the controller, unless the controller consents to a more extensive disclosure. 7The controller may refuse consent only insofar as and as long as he or she could refrain from or restrict access pursuant to paragraph 3.