According to Article 15 GDPR and in compliance with Article 8.2 of the Charter of Fundamental Rights of the European Union, each data subject has the right to obtain from the controller confirmation as to whether or not personal data concerning him or her are being processed and, where that is the case, access to the personal data and to the following information:
- The purpose of the processing;
- The categories of personal data concerned;
- The recipients or categories of recipient to whom the personal data have been or will be disclosed;
- The data retention period. If establishing such period is not feasible, the criteria used to determine it must be laid down;
- All the data subject’s rights, including the right to lodge a complaint with a supervisory authority;
- The origin of personal data, if they are not collected from the data subject directly;
- The existence of automated decision-making, namely decisions taken using personal data processed solely by automatic means without human intervention;
- The existence of all the safeguards taken to transfer personal data outside the EU, where applicable.
Upon the data subjects’ request, the data controller must provide them with a copy of the personal data being processed, without charge. For any additional copies requested by the data subjects, Article 15.3 GDPR allows the controller to potentially charge a reasonable fee based on administrative costs. In this scenario, the controller should get in contact with the data subjects promptly, in order to make them aware of the cost.
The data subjects are only entitled to their own personal data, unless that information is intertwined with the data of other individuals. If the personal data include information about other people, disclosure will depend on a balancing between the data subjects’ right of access and the third party’s fundamental rights pursuant to Article 15.4 GDPR. For example, any duty of professional secrecy, the nature of the personal data, and so on should be taken into consideration when carrying out this balancing. In this scenario, the controller might conceal data that could adversely affect others, for example by redacting (blacking out) selected information[1].
The GDPR does not prevent a person from acting on behalf of the data subjects, provided that this is proven, for example through a power of attorney[2]. In case of any doubt, the controller can ask the data subjects to identify themselves. As already said, though, such a process should be proportionate. Furthermore, the data controller can ask the data subjects to specify their request by offering further details that will contribute to identifying the requested information. Nevertheless, the controller’s request for further clarification does not affect the one-month term.
The GDPR does not establish a procedure to exercise the right of access. Accordingly, the controller could provide a specific form that the data subjects could easily fill in and submit. The establishment of any procedure, however, does not allow the controller to refrain from accepting requests that have been submitted through other means.
Likewise, the GDPR says nothing about how the controller should provide the information to the data subjects. Generally, any information should be provided in a commonly used electronic format (e.g. an e-mail with a PDF file attached) if the request was made electronically and the data subjects did not request otherwise. Yet, Recital 63 GDPR suggests that the controller provide the data subjects with remote access to a secure system, so that they are able to access their personal data directly; for example, accessing the controller’s database through a VPN.
Checklist for complying with an access request

Is the exercise of the right of access compliant with the GDPR?
☐ Did you receive an access request from a legal entity? If yes, please indicate that the request was not lodged by an individual and deny the request;
☐ Have the data subjects correctly identified themselves? If not, please ask for further information to confirm the identity;
☐ Can the request be fulfilled within one month? If not, please inform why and how long it will take to process the request (without exceeding the time limits provided in the GDPR, see Section 6);
☐ The request needs to be fulfilled.

How to further comply with all the GDPR obligations:
☐ Provide all the information listed in Article 15.1-2 GDPR;
☐ If the information intertwines with that of other individuals, please carry out a balancing test as to whether the disclosure to the individual who filed the request affects the personal data of the other individual;
☐ Provide the data subject with a copy of the personal data being processed. For any additional copies requested by the data subject, the controller can charge a reasonable fee.

Best practices:
☐ Provide a specific form that the data subject can easily fill in and submit;
☐ Provide all the information in a commonly used electronic format, unless the data subject requests otherwise.
References
[1] P. Voigt & A. von dem Bussche, The EU General Data Protection Regulation (GDPR). A Practical Guide, Cham: Springer, 2017, p. 153.
[2] Information Commissioner’s Office, Guide to the General Data Protection Regulation (GDPR), 2019, p. 108, available at: https://ico.org.uk/for-organisations/guide-to-data-protection/guide-to-the-general-data-protection-regulation-gdpr/ [last access: 30.10.2020].