What is the Right of Access?

Defined in Article 15, the Right of Access is one of the data subject rights covered in Chapter 3 of the General Data Protection Regulation (GDPR).

Right of Access Summary

  • Organizations are required to provide data subjects a copy of their processed personal data upon request
  • Commonly referred to as subject access
  • Authorization, erasure, a guarantee of completeness and accuracy of content and extent of processing are examples of the reach and applicability of the Right of Access
  • Data subjects can request subject access from an organization either verbally or in writing
  • Organizations need to respond to subject access requests without undue delay and within one month of receiving the request; exemptions involving complex or numerous requests from an individual data subject may extend response time by an additional two months
  • Delivery of information must be concise, intelligible, and in an easily accessible form, using clear and plain language

Business Considerations for Organizations to Understand

What are the steps for you to answer right of access requests?

The initial step in answering subject access requests is to verify whether the organization is in possession of any personal data pertaining to the data subject. Verification is often done using data discovery tools, especially for organizations processing large amounts of data. Once verified, the organization can begin collecting the information required to satisfy the subject access request, often with the assistance of software tools for processing data subject requests to ensure the accuracy of information gathered. Lastly, the organization needs to deliver the information to the data subject in a concise, intelligible, and easily accessible form, using clear and plain language.

What information is required for you to respond to a data subject access request?

The right to access entitles data subjects to the following information from an organization (from the organization’s data controller):

  • Confirmation that the organization is processing their personal data
  • A complete and clear copy of the personal data collected
  • Additional supplementary information corresponding to information disclosed in any privacy notice(s) of the organization

What are some examples of supplementary information?

Organizations should already have disclosed, in their privacy notice, any supplementary information required as part of a subject access request. Below are examples of the supplementary information associated with right of access requests:

  • Organization’s purpose for processing personal data
  • Categories of personal data concerned
  • Recipients or categories of recipients an organization discloses personal data to
  • Retention period for storing personal data, if applicable, or criteria for determining how long the organization will store the personal data
  • Existence of data subject’s right to request rectification, erasure, restriction or objection to processing
  • Data subject’s right to lodge a complaint with a local supervisory authority
  • Information about the source of data if it was not obtained directly from the data subject
  • Existence of automated decision-making, including profiling
  • If applicable, safeguards the organization provides for transferring personal data to a third country or international organization