Your Right of Access

As a data subject you have the right to ask for information from an organisation about whether or not it holds any personal data which concerns you. If the organisation does hold personal data concerning you then you have the right to access that data, be provided with a copy of the data and receive relevant additional information.

Why they have your personal data, what their lawful basis is for processing your personal data, who they’re sharing your data with, how long they plan to keep your personal data for and whether there is any automated decision-making or profiling happening. You have to be told all of this and more.

This right is in Article 15 of the GDPR. The full text of this article which lists the information you must be provided with is at the bottom of this page.

In almost all circumstances the information should be provided to you free of charge and within thirty days of you making the request. If the organisation or business does not provide you with a copy of your personal data then it must provide you with an explanation of why it cannot or will not do so.

Refusing you access to personal data concerning and relating to you is abnormal, out of the ordinary and shouldn’t happen without an extremely good reason. The default position for all data controllers must be to give you access to your personal data. If not, you can complain to the Data Protection Commission.

You don’t have to have a reason to exercise your right of access. Nor should the data controller ask for one. This is a fundamental right.

The right of access is not absolute. If your request impacts on the rights and freedoms of others then you might only receive a partial copy of your information. However, if this is the case then the organisation must provide an explanation of why some of your personal data is being withheld.

Enforcement in action: In September 2019 the Berlin data protection authority fined a food delivery company €195,000 for failure to respond to subject access requests, failure to delete personal data and retaining personal data for an excessive amount of time, among other things.

Where next?

We’ve some history and more about the right of access over at ‘The history and importance of the right of access’.

If you’re making a Subject Access Request then you might find  ‘The Subject Access Request process: how it should work’ useful.

Read more elsewhere

‘How can I access my personal data held by a company / organisation?’, European Commission. This short piece from the European Commission stresses that using the right of access should be easy.

‘The Right of Access’, Data Protection Commission of Ireland

‘Data Subject Access Requests FAQ’, Data Protection Commission of Ireland

📹 Fred Logue discusses Subject Access Requests (YouTube link)


1. The data subject shall have the right to obtain from the controller confirmation as to whether or not personal data concerning him or her are being processed, and, where that is the case, access to the personal data and the following information:

(a) the purposes of the processing;

(b) the categories of personal data concerned;

(c) the recipients or categories of recipient to whom the personal data have been or will be disclosed, in particular recipients in third countries or international organisations;

(d) where possible, the envisaged period for which the personal data will be stored, or, if not possible, the criteria used to determine that period;

(e) the existence of the right to request from the controller rectification or erasure of personal data or restriction of processing of personal data concerning the data subject or to object to such processing;

(f) the right to lodge a complaint with a supervisory authority;

(g) where the personal data are not collected from the data subject, any available information as to their source;

(h) the existence of automated decision-making, including profiling, referred to in Article 22(1) and (4) and, at least in those cases, meaningful information about the logic involved, as well as the significance and the envisaged consequences of such processing for the data subject.

2. Where personal data are transferred to a third country or to an international organisation, the data subject shall have the right to be informed of the appropriate safeguards pursuant to Article 46 relating to the transfer.

3. The controller shall provide a copy of the personal data undergoing processing. For any further copies requested by the data subject, the controller may charge a reasonable fee based on administrative costs. Where the data subject makes the request by electronic means, and unless otherwise requested by the data subject, the information shall be provided in a commonly used electronic form.

4. The right to obtain a copy referred to in paragraph 3 shall not adversely affect the rights and freedoms of others.

Topics

Data Protection Fundamentals (basics, definitions and more …)
Your Rights (all your data protection rights: access, information, rectification and more …)
In More Detail (explorations and explanations of data protection concepts …)
Keeping Track (tracking Subject Access Requests and complaints to Supervisory Authorities …)