GDPR Right of Access Under Article 15
Article 15 of the GDPR provides data subjects the right to obtain information on the processing of their personal data by controllers, including confirming that data has been processed as well as the purposes of processing, the categories of personal data concerned, the recipients or categories of recipients to whom the personal data has been or will be disclosed (including international organizations or recipients in third countries), the period for which data will be stored, and the existence of the right to request rectification, erasure or restriction of processing.
An effective DSAR program is an important tool to maintain customer satisfaction as well as avoid compliance problems. By tracking when and where customers provide data, the business can avoid criticisms concerning unauthorized data usage and provide this information to authorities if regulatory issues are raised.
The right of access in GDPR Article 15 provides a data subject the ability to learn whether his or her personal data is being processed by the controller, whether or not the information was collected from the data subject. The information provided is covered by the Article 12 transparency requirement, so any communication to the data subject related to processing must use clear and plain language, be intelligible and in an easily accessible form.
If a data subject requests information about the organization’s processing of their personal data under Article 15, the controller must disclose the purpose of the processing and the categories of personal data concerned. The individual has a right to a copy of the personal data being processed (discussed further below) and additional information specifically enumerated in Article 15. This additional information includes:
Period of Retention
If the personal data will be stored for a contemplated period, then that period must be disclosed to the data subject requesting access. If it is not possible to identify the particular period, then the criteria that will be used to determine the period of data retention must be indicated.
Recipients of Personal Data
The recipients or categories of recipients of the data subject’s personal data must be disclosed. It is worth remembering that data sharing with processors is covered by Article 28, which requires a contract and sufficient guarantees that the processing will meet the GDPR’s requirements and the rights of the data subject will be protected.
Personal Data from Other Sources
The right to access information is not limited to data collected from the data subject. If the data was collected from other sources, then “any available information” must be provided as to the source of the information.
Right to Rectification or Erasure
The rights of rectification, erasure and restriction of processing must be disclosed as part of the information provided to the data subject exercising their Article 15 rights. The GDPR does not specify the extent of the necessary disclosures of these rights, but does specify that the existence of the right to request them needs to be disclosed and this requirement would be subject to the transparency obligations of Article 12.
Right to Complain
The ability of an individual to file a complaint with a data supervisory authority must be disclosed along with the other information required.
If an organization is engaged in profiling or other forms of automated decision-making using the individual’s personal data pursuant to GDPR Article 22(1), then the controller must disclose meaningful information about the logic involved. The controller must also disclose the significance and potential consequence of the processing for the data subject.
Transfers of Personal Data to Third Countries or International Organizations
If the personal information of a data subject has been transferred to another country or to an international organization, then the individual has the right to know the safeguards under GDPR Article 46 that justified the transfer by the controller.
Copies of the Personal Data
If a controller is processing personal data, then the person has a right to obtain a copy of the data. However, the right to a copy of the data may not adversely affect the rights and freedoms of others. In other words, there is no right to a copy of the personal data of third parties.
Controllers are obligated to provide a copy of the personal data the first time. If the request is made electronically and no specific format of delivery is requested, then the information can be provided in a commonly used electronic form chosen by the organization. Additional requests for copies may be subject to a reasonable fee based on the organization’s administrative costs.