The right of access, introduced in Article 15 of the GDPR, allows individuals (data subjects) to obtain from the organization (data controller) confirmation of whether their personal data is being processed and, if so:
✅ the purposes of the processing
✅ the categories of personal data being processed
✅ the recipients or categories of recipients to whom the personal data have been or will be disclosed, in particular recipients in third countries or international organizations
✅ the period for which the data will be stored (retention period) or, if that cannot be stated, the criteria used to determine it
The data subject also has the right to:
✅ obtain a copy of the personal data the organization holds about them
✅ lodge a complaint with a supervisory authority
✅ request erasure of their personal data
✅ request restriction of the processing of their personal data
✅ request rectification of inaccurate personal data
✅ receive confirmation that the organization is processing their personal data
✅ know the source of the data where it was not collected from the data subject directly
✅ be told whether automated decision-making (including profiling) takes place, with meaningful information about the logic involved and the significance and envisaged consequences of such processing for them
✅ be informed of the appropriate safeguards applied when their data is transferred to a third country or international organization
This set of rights is intended to give the individual a clear understanding of how their data is used and a way to verify that your processing is lawful.
What are you obligated to do as an organization?
In all cases, respond to the request as soon as possible and no later than one month from the day you received it. If you first need to confirm who the requester is (for example, you have asked the data subject to provide proof of identity), the one-month period runs from the day you confirmed the data subject's identity. Article 12(3) allows this period to be extended by up to two further months for complex or numerous requests, but you must tell the data subject about the extension, and the reasons for it, within the first month.
Who has a right to obtain information?
A data subject is entitled to access only their own personal data. Before responding, you have to determine that the information requested is personal data and that the person asking for access is the person the data refers to.
If the information also relates to one or more other individuals, you may withhold the parts whose disclosure would reveal information about another data subject: Article 15(4) states that the right to obtain a copy must not adversely affect the rights and freedoms of others.
You should still disclose the information if all the individuals concerned have consented, or if you decide it is reasonable to do so without their consent after weighing the requester's right of access against the interests of the other persons involved. Where you do withhold material, provide as much of the requester's own data as can be separated out, for example by redacting the third-party details rather than refusing the request outright.
If the data subject is a child or a minor, assess whether the child is able to understand their rights. If so, you can respond directly to the child. A parent or guardian can exercise this right on behalf of a child if doing so is in the best interests of the child.
How should the request be submitted?
The GDPR prescribes no specific form or procedure. A request can be made verbally or in writing, through any channel (including social media), and to any person inside your organization.
The request does not have to mention the GDPR or the right of access by name, as long as it is clear what the data subject is asking for.
This can be challenging, because a request made to any employee of your organization is valid, so employees need training to recognise a request and to know how to route and respond to it.
Keeping a record of every request (especially verbal requests), including the date it was received, any identity verification performed, and the steps taken, helps you track the legal deadlines and demonstrate compliance.