The history and importance of the Right of Access

As a data subject you have the right to ask for information from an organisation about whether or not it holds any personal data about you.It does not matter whether this information was obtained directly from you by the organisation, or by some other means. If the organisation does hold personal data concerning you then you have the right to access that data, be provided with a copy of the data and receive any relevant additional information about how your information is being used, how long it will be kept for, which third parties your information has been disclosed to and more.

This is not new

A Right of Access has been present in European data protection law for decades. The organisations who are processing your personal data should be well aware that they may receive and have to handle Subject Access Requests.
 
What is new in Ireland is the Data Protection Commission’s ability to impose sanctions on data controllers for not complying with data protection law. In the context of the Right of Access this means handling access requests in a satisfactory manner.

The Right of Access unlocks other rights

If you cannot check whether an organisation is processing your personal data, you cannot know whether the data they hold is accurate, what purpose they are processing it for and what lawful basis they are using.

The Right of Access is one of only two data subject rights specifically mentioned in the EU Charter of Fundamental Rights.

EU Charter of Fundamental Rights, Article 8

Everyone has the right to the protection of personal data concerning him or her.

Such data must be processed fairly for specified purposes and on the basis of the consent of the person concerned, or some other legitimate basis laid down by law. Everyone has the right of access to data which has been collected concerning him or her, and the right to have it rectified. 

Compliance with these rules shall be subject to control by an independent authority.

Restrictions to the Right of Access must be the exception

If you cannot check whether an organisation is processing your personal data, you cannot know whether the data they hold is accurate, what purpose they are processing it for and what lawful basis they are using.

Therefore there are only a limited number of exemptions which data controllers can use to avoid complying with Subject Access Requests.

“The essence of a fundamental right means that interference with the right should not be such that the right is in effect emptied of its basic content and the individual cannot exercise the right.”

‘Limiting Data Subject Rights and the Application of Article 23 of the GDPR’ (PDF), Data Protection Commission of Ireland

Where next?

We’ve a short explanation of what data you’re entitled to access under the GDPR and the text of the relevant article in our piece on the Right of Access in our ‘Your Rights’ section.

If you want a more detailed look at how you should go about exercising your Right of Access we have a piece on that in this section: ‘The Subject Access Request process – how it should work’.

Read more elsewhere

‘How can I access my personal data held by a company / organisation?’, European Commission. This short piece from the European Commission stresses that using the right of access should be easy.

‘The Right of Access’, Data Protection Commission of Ireland

‘Data Subject Access Requests – FAQ’, Data Protection Commission of Ireland 

Topics

Data Protection Fundamentals (basics, definitions and more …)
Your Rights (all your data protection rights: access, information, rectification and more …)
In More Detail (explorations and explanations of data protection concepts …)
Keeping Track (tracking Subject Access Requests and complaints to Supervisory Authorities …)