GDPR Right of Access

The right of access plays a central role in the General Data Protection Regulation (GDPR). On the one hand, because only the right of access allows the data subject to exercise further rights (such as rectification and erasure). On the other hand, because an omitted or incomplete disclosure is subject to fines.

The answer to a right of access request includes two stages. First, the controller must check whether any personal data of the person seeking information is being processed at all. In any case, one must report a positive or negative result. If the answer should be positive, the second stage involves a whole range of information. The right of access includes information about the processing purposes, the categories of personal data processed, the recipients or categories of recipients, the planned duration of storage or criteria for their definition, information about the rights of the data subject such as rectification, erasure or restriction of processing, the right to object, instructions on the right to lodge a complaint with the authorities, information about the origin of the data, as long as these were not collected from the data subject himself, and any existence of an automated decision-taking process, including profiling, with meaningful information about the logic involved as well as the implications and intended effects of such procedures. Last but not least, if personal data is transmitted to a third country without an adequate level of protection, data subjects must be informed of all appropriate safeguards which have been taken.

Information can be provided to the data subject in writing, electronically or verbally as per Art. 12(1) sentences 2 and 3 of the GDPR, depending on the circumstance. According to Art. 12(3) GDPR information must be provided without undue delay but at latest within one month. Only in reasoned cases may this one-month deadline be exceptionally exceeded. As a rule, the information has to be provided free of charge. If, in addition, further copies are requested, one can request a reasonable payment which reflects administrative costs. The controller is also allowed to refuse a data subject’s requests to right of access if it is unjustified or excessive. The controller additionally has the right, if he is processing a large volume of information about the data subject, that he or she specify their request within the right of access regarding specific data processing or kind of information.