Right to Access – art. 12,15
After data is collected, a data subject has the right to know how it has been collected, processed, and stored, what data exists, and for what purposes.
Summary:
- Individuals have the right to access their personal data.
- This is commonly referred to as subject access.
- Individuals can make a subject access request verbally or in writing.
- You have one month to respond to a request.
- You cannot charge a fee to deal with a request in most circumstances.
Individuals have the right to obtain the following from you:
- confirmation that you are processing their personal data;
- a copy of their personal data; and
- other supplementary information – this largely corresponds to the information that you should provide in a privacy notice.
In addition to a copy of their personal data, you also have to provide individuals with the following information:
- the purposes of your processing;
- the categories of personal data concerned;
- the recipients or categories of recipient you disclose the personal data to;
- your retention period for storing the personal data or, where this is not possible, your criteria for determining how long you will store it;
- the existence of their right to request rectification, erasure or restriction or to object to such processing;
- the right to lodge a complaint with the ICO or another supervisory authority;
- information about the source of the data, where it was not obtained directly from the individual;
- the existence of automated decision-making (including profiling); and
- the safeguards you provide if you transfer personal data to a third country or international organisation.
You may be providing much of this information already in your Privacy Notice.
Implement a process and the technical capabilities to:
- track all data relating to the requester in your systems,
- vet a right to access request, and
- provide that information to the requester.
