Right of access
The right of access to personal data is enshrined in article 8(2) of the Charter of Fundamental Rights of the European Union and has been further developed by more specific and precise rules in article 15 of the GDPR.
This right lets data subjects become aware of, and verify, the lawfulness of the processing and the accuracy of their personal data. It thereby enables them to exercise other data protection rights, namely the right to erasure or rectification.
What is the right of access?
It is a right that allows individuals to:
- confirm whether personal data about them is being processed or not;
- access information about the processing (e.g. purpose, categories of data and recipients, duration of processing, data subjects’ rights, appropriate safeguards in case of third country transfers);
- obtain a copy of their personal data undergoing processing, free of charge.
Data subjects do not need to justify or give any reasons for exercising the right of access with a controller.
The right of access to personal data is not the same as the right to access documents held by public authorities, as the latter has the objective of promoting transparency and accountability in public authorities.
Data Controller and Subject Access Request (SAR)
When a controller receives a SAR, the controller should consider the following:
- Does the request concern the personal data of the individual making the request?
- Does the request fall within the scope of Article 15 of the GDPR, or of another sector-specific regulation?
- Does the request refer to all or parts of the data processed about the individual?
The controller may request additional information to confirm the identity of the data subject insofar as the information requested is proportionate to the type of data processed.
When responding to a SAR, the controller should:
- Treat the request as referring to all the personal data processed in relation to the data subject, unless explicitly stated otherwise. If there is too much data, the controller may ask the data subject to narrow down the request and specify which of their personal data they are interested in having access to.
- Search for the personal data throughout all IT systems and non-IT filing systems.
- Communicate the personal data to the data subject in a manner that is concise, transparent, intelligible and in an easily accessible form, using clear and plain language. If the data is ‘raw’ or consists of codes, the controller should explain the data to the data subject in a way that makes sense to them.
The controller should provide an answer to the data subject within one (1) month of receipt of the request. This timeframe may be extended by two (2) further months where necessary, taking into account the complexity and number of the requests.
If an extension is needed, the controller should always inform the data subject of it within the first month and give the reasons for the extension.