Right of access
Home » IoT » Data subjects rights » Right of access

Article 15 provides that data subjects have the right to obtain from the controller confirmation as to whether or not personal data concerning them are being processed, and where that is the case, access to the personal data together with some additional information which is usually provided in the privacy policy (see section “right of access” in the “Data subject rights” in Part II of these Guidelines). Additionally, upon the data subjects’ request, the data controller must provide them with a copy of the personal data being processed, without charge (reasonable fees to cover administrative costs could be charged for any further copies requested by the data subject). In the case of IoT, this might be done through a web portal or an app, since these systems usually send data to the device manufacturer, who often keeps them in specific systems. On the one hand, it allows IoT to provide online services that leverage the device capabilities, but, on the other hand, it may also prevent users from freely choosing the service that interacts with their device.

Furthermore, and as the Article 29 Working Party stated, “end-users are rarely in a position to have access to the raw data that are registered by IoT devices. Clearly, they hold an immediate interest in the interpreted data than in the raw data that may not make sense to them. Yet, access to such data can prove useful for the end-users to understand what the device manufacturer can infer from it about them”. [1]

It is considered that the right to access cover both raw data and observed data about the user. However, under current developments, it does not seem to cover inferred data. This can cause detriment to users, as there is little options for them to gather insights of the most sensible data the system is processing about them.

Furthermore, the right to access is currently closely related to the right to data portability (see the “right to data portability” below, within this part on IoT).

1Art 29 Data Protection Working Party Opinion 8/2014 on the on Recent Developments on the Internet of Things (SEP 16, 2014) https://www.dataprotection.ro/servlet/ViewDocument?id=1088

Skip to content