Article 32
Right to information
Right to Information under DSA
The DSA source material suggests this content addresses information rights specific to digital services, which may differ from AI Act information requirements and warrant a dedicated DSA-specific topic.
right to information information rights user information service provider information content moderation information algorithm information platform information transparency information
Overview
Legal Framework
Article 32 of the Digital Services Act (DSA) establishes the right to information for recipients of digital services. It mandates that providers of intermediary services, upon receiving a reasoned order from a national judicial or administrative authority, must inform the authority of the identity of the recipient to whom they provided the service. This applies when the authority is seeking information for the purposes of detecting, investigating, and prosecuting criminal offences.
Practical Application
This provision creates a conditional disclosure obligation for service providers. The right is not absolute; it is triggered only by a formal, reasoned order from a competent authority for a specified law enforcement purpose. The legal interpretation of such information requests is guided by principles established in prior case law, such as Dennekamp v. European Parliament. This case underscores that any disclosure involving personal data requires a necessity test, meaning the authority must demonstrate that the transfer is the most appropriate and proportionate measure to achieve its stated goal. In practice, providers must verify the order's validity, its reasoned justification, and its compliance with data protection principles before disclosing any recipient information.
Key Considerations
- Validate the Legal Order: Service providers must establish internal procedures to authenticate any incoming Article 32 request, ensuring it originates from a competent national authority and contains the required reasoned justification.
- Conduct a Necessity and Proportionality Assessment: Prior to disclosure, providers should assess whether the request meets the threshold established in case law (e.g., Dennekamp), confirming the disclosure is necessary and proportionate for the stated criminal investigation purpose.
- Integrate with Data Protection Compliance: The disclosure process must be aligned with GDPR requirements. This includes ensuring a valid legal basis for processing (such as compliance with a legal obligation) and implementing appropriate safeguards for the data transfer.
Laws (2)
Case Law (1)
Guidance (14)
Guidelines 02/2021 on virtual voice assistants
Guidelines on virtual voice assistants
A virtual voice assistant (VVA) is a service that understands voice commands and executes them or mediates with other IT systems if needed. VVAs are currently available on most smartphones and tablets, traditional computers, and, in the latest years, even standalone devices like smart speakers. VVAs act as interface between users and their computing devices and online services such as search engines or online shops. Due to their role, VVAs have access to a huge amount of personal...
VERSIEGESCHIEDENIS
binding corporate rules voor verwerkingsverantwoordelijken
Richtsnoeren van 1/2018 voor certificering en het vaststellen van certificeringscriteria overeenkomstig de artikelen 42 en 43 van de verordening
guidelines certificering
Versiegeschiedenis
guidelines doorgifte van persoonsgegevens tussen overheidsinstanties en -organen binnen en buiten de EER
Richtsnoeren 02/2021 inzake virtuele spraakassistenten
guidelines over virtuele spraakassistenten
Een virtuele spraakassistent ( virtual voice assistant , of VVA) betreft een dienst die spraakgestuurde opdrachten begrijpt en uitvoert, of indien nodig als tussenschakel optreedt naar andere IT-systemen. Tegenwoordig is een VVA als optie beschikbaar op de meeste smartphones, tablets en reguliere computers en sinds enkele jaren zelfs op losse apparaten zoals smartspeakers. Een VVA functioneert als schakel tussen de gebruiker en zijn apparaat of een online dienst zoals een zoekmachine...
GROEP GEGEVENSBESCHERMING ARTIKEL 29
guidelines transparantie
Guidelines 06/2020 on the interplay of the Second Payment Services Directive and the GDPR
Guidelines on the Interplay between the application of Article 3 and the provisions on international transfers as per Chapter V of the GDPR
Versiegeschiedenis
guidelines recht op inzage
Richtsnoeren 10/2020 met betrekking tot de beperkingen krachtens artikel 23 AVG
guidelines beperkingen rechten van betrokkenen
Guidelines 1/2018 on certification and identifying certification criteria in accordance with Articles 42 and 43 of the Regulation
Guidelines on certification and identifying certification criteria
Guidelines 4/2019 on Article 25 Data Protection by Design and by Default Version 2.0 Adopted on 20 October 2020
Guidelines on data protection by design and by default
Guidelines 01/2022 on data subject rights - Right of access
Guidelines on data subject rights - Right of access
The right of access of data subjects is enshrined in Art. 8 of the EU Charter of Fundamental Rights. It has been a part of the European data protection legal framework since its beginning and is now further developed by more specified and precise rules in Art. 15 GDPR.
Guidelines 10/2020 on restrictions under Article 23 GDPR
Guidelines on restrictions under Article 23 GDPR
ARTICLE 29 DATA PROTECTION WORKING PARTY
Guidelines on transparency
News (2)
European Commission sued for violating transfer rules by using Amazon Web Services
The European Commission faces a lawsuit over allegations it is violating its own data protection rules by transferring citizens’ personal data on one of its websites to Amazon Web Services in the United States.
European Commission sued for violating EU’s data protection rules
The European Commission is to face a lawsuit over allegations it is violating its own data protection rules when transferring citizens' personal data from one of its websites to the United States.