Your Rights as a Data Subject Under the GDPR: “The Right of Access”

Published: 07 Jul 2023

As a data subject whose personal data is processed, you invariably have the right to access. However, this right of access is not absolute. We clarify what this means, how you exercise this right and what response should be given.

First of all, the terminology used is somewhat misleading, as it creates the impression that you can actually inspect the processing itself, when the reality is more nuanced. Rather, it concerns a right to know about the processing of your personal data. You can exercise this right at any time, regardless of whether you were informed about the processing of your personal data at the start of the processing.

Article 15 GDPR clarifies what information you are entitled to, beyond the actual personal data itself, when exercising your right to access:

- the purposes of processing;

- the categories of personal data concerned;

- the recipients or categories of recipients to whom the personal data have been or will be disclosed, in particular recipients in third countries or international organisations;

- the period for which the personal data are expected to be stored or, if that is not possible, the criteria for determining that period;

- the existence of the right to request from the controller rectification or erasure of personal data or restriction of processing of personal data concerning the data subject or to object to such processing;

- the right to lodge a complaint with a supervisory authority;

- where the personal data are not collected from the data subject, any available information as to their source;

- the existence of automated decision-making, including profiling, and, at least in those cases, meaningful information about the logic involved, as well as the significance and the envisaged consequences of such processing for the data subject;

- when transfers are made to a third country or international organisation, the appropriate safeguards taken.

In principle, you are entitled to one free copy; for additional copies, the controller may charge a reasonable fee in proportion to the administrative costs.

If you make your request for access in electronic form (e.g. by e-mail), it is sufficient for the controller to send you the copy in electronic form as well, unless you explicitly request otherwise.

However, your right to access is not absolute. Article 15.4 GDPR clarifies that this must not infringe on the rights and freedoms of others.

For example, if you exercise your right of access vis-à-vis your (former) employer, the latter has the right and actually even the duty to anonymise/censor the evaluation forms as the personal data of others (e.g. the evaluator, colleagues) must also be protected under the GDPR. In this view, the controller also has the right to request a clarification of your request. After all, if you are already employed for a long period of time, it may be disproportionate and impose an excessive burden to have to anonymise/censor and copy all data over the entire period in order to comply with your request. A concrete assessment must always be made in this regard.[1]

In the recent ECJ judgment of 4 May 2023, the Court clarified that the right of access can extend very broadly in the sense that copies of the underlying documents or extracts must be provided. However, never should one lose sight of the rights and freedoms of others in doing so:

“the right to obtain from the controller a copy of the personal data undergoing processing means that the data subject must be given a faithful and intelligible reproduction of all those data. That right entails the right to obtain copies of extracts from documents or even entire documents or extracts from databases which contain, inter alia, those data, if the provision of such a copy is essential in order to enable the data subject to exercise effectively the rights conferred on him or her by that regulation, bearing in mind that account must be taken, in that regard, of the rights and freedoms of others.”[2]

Your request in itself is not subject to any formal conditions. However, with a view to dealing with it efficiently, you are well advised to already clearly identify yourself since every controller obviously has a duty to proceed with identification before providing any information.

Subsequently, the Controller has in principle one month to comply with your request. Within this period, he must either provide the data or inform you of the reason why he believes he should/could not do so and inform you of your right to lodge a complaint with the supervisory authority (GBA) and the possibility of a subsequent appeal to the court (Market Court). The period can be extended by an additional two months if the controller notifies you of this before the expiration of the original period.

If you have any further questions about (the exercise of) your right of access, you can always contact us by e-mail: gpdr@studio-legale.be or by telephone on 03/216.70.70.

https://studio-legale.com/the-right-of-access/?lang=en

[1] For example: Beslissing ten gronde 15/2021 van 9 februari 2021 van de geschillenkamer van de GBA

[2] HvJ 4 mei 2023, C-487/21, nr. 45.

Share this

About Us

Since 2005 Corporate INTL has been leading the way connecting business leaders, financiers and advisers around the world.

Our business publications reach hundreds of thousands of business leaders and decision makers in the finance and advisory communities worldwide.

Our Directory

Our Find an Expert adviser directory is the number one tool for business leaders, investors and in-house counsel to assist them in finding a proven and recommended adviser in a huge variety of practice area specialisms and countries around the world.

Mailing List

If you wish to join the Corporate INTL mailing list to receive newsletters and bulletins surrounding our products, key news, events and relevant stories related to global business, please click the link below and fill out the form provided.