Your Right To Access Under GDPR

The GDPR framework sets out your right to access information about your personal data.

Personal data processing

As an all-encompassing legislative framework, the GDPR offers your personal data exceptional legal protection. In an era where protecting your personal data is now more important than ever before, the GDPR exists to protect your personal data from misuse and affords you the right to ensure that your data is being collected, processed, and stored in a secure, legally appropriate manner. 

GDPR right to access

Throughout the GDPR framework, creating and protecting your Right to Access remains a fundamental imperative – one that must be respected and upheld throughout every business’ operations. Failure to protect your personal data, which includes protecting rights such as your right to access, or disallowing you to invoke this right to access, could lead to large fines being levied against the company in question, or even jail time, when deemed appropriate. We’ve previously covered the ways you can invoke your right to access, but what does this right truly entail? Let’s consider the exact wording listed within the GDPR (and yes, we’ve copied and pasted it below for your ease of reference) in Article 15:

1. The data subject shall have the right to obtain from the controller confirmation as to whether or not personal data concerning him or her are being processed, and, where that is the case, access to the personal data and the following information:
   1. the purposes of the processing;
   2. the categories of personal data concerned;
   3. the recipients or categories of recipient to whom the personal data have been or will be disclosed, in particular recipients in third countries or international organisations;
   4. where possible, the envisaged period for which the personal data will be stored, or, if not possible, the criteria used to determine that period;
   5. the existence of the right to request from the controller rectification or erasure of personal data or restriction of processing of personal data concerning the data subject or to object to such processing;
   6. the right to lodge a complaint with a supervisory authority;
   7. where the personal data are not collected from the data subject, any available information as to their source;
   8. the existence of automated decision-making, including profiling, referred to in Article 22(1) and (4) and, at least in those cases, meaningful information about the logic involved, as well as the significance and the envisaged consequences of such processing for the data subject.
2. Where personal data are transferred to a third country or to an international organisation, the data subject shall have the right to be informed of the appropriate safeguards pursuant to Article 46 relating to the transfer.
3. The controller shall provide a copy of the personal data undergoing processing. For any further copies requested by the data subject, the controller may charge a reasonable fee based on administrative costs. Where the data subject makes the request by electronic means, and unless otherwise requested by the data subject, the information shall be provided in a commonly used electronic form.
4. The right to obtain a copy referred to in paragraph 3 shall not adversely affect the rights and freedoms of others.

Breaking it down

We’ve covered how you can invoke this right to access in a previous post, and much of what Article 15 of the GDPR outlines includes your rights to do just that. But, what do each of those rights that are part of your right to access entail? We’ve picked out each right here: The data subject shall have the right to obtain from the controller confirmation as to whether or not personal data concerning him or her are being processed, and, where that is the case, access to the personal data and the following information.

The right to obtain

As part of your right to access, you are imbued with the right to obtain your personal data, from whichever company you choose to share and process your personal data. That means that, no matter what, you have the right to get all the information you require, in terms of how, when, why, and what for, your personal data is being collected, processed, or used.

The right to know

And yes, part of your right to access is indeed the right to know. As part of the GDPR framework, you are granted the right to know all about the where, how, when, and why your personal data has been collected, processed, and used.

The right to understand

If your personal data has been passed on to another company, you have the right to understand why, how, and when. Moreover, if it’s been used by a company in a different country that is outside of the EEA, you have the right to understand the levels of safety and security that were used during this data transfer process. And yes, you do indeed have the right to understand why, how, and when that company has used your personal data too.

Your right to a copy

It’s not enough to simply be reminded of your rights, or even to be able to invoke them too. What your right to access also entails is your right to a copy of all the information related to your personal data. In terms of the GDPR framework, you should be empowered to receive a copy of this information for free, the first time around. Thereafter, companies may be allowed, in certain circumstances, to charge you a fee for providing you with this copy.

Your right to deletion

Depending on the basis under which your personal data is processed, if you’re not happy with the way a company gathers, uses, or shares your personal data, your rights over your personal data include your right to deletion. That’s correct: under the GDPR, you can request the absolute deletion of your personal data by a company, and they have to prove it’s been wholly deleted. Failure to do so opens the door for you to lay a complaint and could lead to a large fine being levied against the company.

For more information on how your right to access can be invoked under the GDPR, or to learn more on how data compliance protects your personal data, visit our Insights section. If you are a company that is concerned about data subject access or other rights requests and would like a review of your policies and procedures, we’d be happy to help you so drop us an email today at info@proprivacy.ie.

Written By Philipa Jane Farley

Philipa is the lead consultant and auditor at ProPrivacy.  With clients as far afield as Canada, South Africa, Kenya, Germany, Spain and other such exotic locations, besides Cork and elsewhere in Ireland, Philipa enjoys a broad view of the state of data protection, privacy and cyber security worldwide.  Philipa’s passion is manageable data compliance for SMEs.

Philipa is a qualified teacher besides holding a computer science (Bachelor of Science in Artificial Intelligence Programming) and electronic and intellectual property law (LLB) qualified. She is trained in constitutional (fundamental) rights litigation and enjoys a good debate.

Philipa has over twenty years of experience working in different sized organisations and sectors on operational, governance, risk management and compliance matters. She is an analytical and focused person that enjoys a challenge in the workplace. She loves technology, systems and people and has a passion for showing people how technology can make life easier and better. She understands that the world is driven by data today but privacy is paramount. Responsibly developed AI excites Philipa for the future.