Article 15 of the GDPR
Right of Access to Personal Data under the GDPR
The right of access to personal data under the GDPR means that a data subject has the right to access their personal data processed by a company. Article 15 of the GDPR governs this right. The right of access to personal data is one of the eight (8) fundamental rights that data subjects have under the GDPR.
Copy of the data subject’s personal data processed by the company
A data subject can contact a company to find out what personal data about him or her the company processes. In such cases, the company shall give the data subject access to the information, among other things by providing a copy of the personal data in question.
However, the company is not required to disclose the documents containing the personal data in question. It is often sufficient to provide a summary of all personal data contained in the document. In such cases, it is important that the company creates a summary that is comprehensible to the data subject. The company should design the summary in a way that enables the data subject to verify the lawfulness and accuracy of the personal data.
Provide a copy of the personal data electronically
Please note that the company must provide the summary or copy of the personal data electronically, if the data subject has made the request electronically. This applies provided that the data subject does not request access in another format. If transmitted electronically, it shall be done in a commonly used machine-readable format.
In addition to a copy of the processed personal data, the company must also provide certain information about the processing.
Information to provide to data subjects if they request their right of access to personal data
- Purpose of the processing;
- Categories of personal data that the company processes;
- If the company transfers the personal data to another party or a third country (country outside the EU/EEA), including information on who the recipients are;
- Organisational and technical security measures taken by the company if they transfer personal data to a third country;
- Time frame for the processing;
- That the data subject has the right to have personal data rectified or erased;
- That the data subject has the right to lodge a complaint with the national supervisory authority if they believe that the company is in breach of the GDPR;
- How the company has collected the personal data if it was not provided by the data subject;
- If the company uses automated decision-making;
- The consequences that the processing may have for the data subject;
Timeframe for companies to respond to a request from a data subject
Companies that receive a request for access from a data subject shall handle the case without undue delay. According to the general rule, the company must handle the case within one month at the latest. However, it is possible in some cases to extend the deadline. In this case, the company may extend the time limit by a maximum of two additional months. However, the company must be able to justify the extension and inform the data subject accordingly within the first month.
However, very few situations can justify an extension. The recommendation is therefore always to try to adhere to the main rule. That is, to handle the case within one month of receiving the request.
Refusal of a request from a data subject
In certain exceptional cases, a company may refuse a request for access to personal data from data subjects. Article 12(5) and Article 15(4) of the GDPR govern this. If the company decides to refuse the request from the data subject, the company must justify the decision and inform the data subject. This shall be done within one month of the receipt of the request by the company.
Examples of when a company may refuse to grant this right to the data subject
Poses a risk
If the disclosure of the personal data may pose a risk to the other rights and freedoms of the data subject, or if it may pose a risk or disadvantage to other data subjects.
Recurring
Where a data subject requests access to the same data on a regular basis for a short period. The same applies if the request is manifestly unjustified, or if it is unreasonable and unfounded. Please note that the company must be able to prove this.
Protecting national interests
If the personal data processed by the company may pose a risk to the national interest if a data subject gains access to them.
Cost for data subjects to exercise their right under GDPR
The main rule is that it should be free of charge for data subjects to have their right of access to personal data fulfilled. However, there are exceptions. For example, the company may be allowed to charge a fee if the data subject requests multiple copies of the same data. Please note that the fee must be reasonable to cover the administrative costs. In other words, the fee cannot be too high.
Verification of identity
It may be necessary for the company to first verify the identity of the data subject requesting access to personal data. If the company discloses the personal data to the wrong person, it is a personal data breach. This is something every company should try to prevent. Proof of the identity of a data subject does not necessarily mean that the company always has the right to request a copy of an ID document. It may even be prohibited. Instead, the company should consider asking other types of control questions.
Other data subjects' rights under the GDPR
Right to rectification
The company must ensure that the personal data they process is accurate and complete. However, there may be incorrect or incomplete personal data. If the company notices that the personal data is wrong, they should correct it. In addition, data subjects have the right to contact the company if they believe that the personal data is incorrect or incomplete. According to the right of rectification in the GDPR, a data subject has the right to request rectification or completion of his or her personal data. Please note that the company shall inform the data subject after they have corrected the personal data.