GDPRRight of Access

The right of access plays a central role in the General Data Protection Regulation. On the one hand, as soon as the right of access becomes possible, further rights (such as authorisation and erasure) must apply. On the other hand, information that is omitted or incomplete is subject to fine.

The answer to a request for information includes two stages. First, the responsible person must check whether any personal data of the person seeking information is being processed at all. In this case, one must report a positive or negative result. Should the answer be positive, the second stage includes a bandwidth of information. The right of access includes information about the processing purposes, the processing category of personal data, the receiver or categories of receivers, the planned duration of storage or criteria for their definition, information about the rights of those impacted such as correction, erasure or restrictions to processing, the right to object to this processing, instructions on the complaint rights to the authorities, information about the origin of the data, as long as these were not given by the person himself, and any existence of an automated decision-taking process, including profiling with meaningful information about the logic involved as well as the implications and intended effects of such procedures. Last but not least, if the personal data is transmitted to an unsecure third country, they must be informed of all suitable guarantees which were made.

Information can be transmitted to the impacted person as per Art. 12 para. 1 sentences 2 and 3 of the GDPR depending upon the facts in writing, electronically or verbally. According to the Art. 12(3) Information must be communicated quickly but at latest within one month. Only in justified exceptional cases may this one-month deadline be exceeded. The information is, as a rule, given without payment. If, in addition, further copies are requested, one can request a reasonable payment which reflects administrative costs. In addition, the responsible party can also refuse granting information to an affected person in the case of unjustified or excessive requests. Responsible parties additionally have the right, if there is a large volume of information about the impacted person being processed, that they share their right of access regarding processing or information.