The right of access plays a central role in the General Data Protection Regulation. On the one hand, as soon as the right of access becomes possible, further rights (such as authorisation and erasure) must apply. On the other hand, information that is omitted or incomplete is subject to a fine.
The answer to a request for information has two stages. First, the responsible party must check whether any personal data of the person seeking information is being processed at all. Either way, the result, positive or negative, must be reported. Should the answer be positive, the second stage covers a broad range of information. The right of access includes information about the processing purposes, the categories of personal data processed, the recipients or categories of recipients, the planned duration of storage or the criteria for determining it, information about the rights of those affected, such as correction, erasure or restriction of processing, the right to object to this processing, instructions on the right to complain to the authorities, information about the origin of the data, where the data were not provided by the person themselves, and the existence of any automated decision-making process, including profiling, with meaningful information about the logic involved as well as the implications and intended effects of such procedures. Last but not least, if the personal data is transmitted to an unsecure third country, the person must be informed of all suitable guarantees which were made.
As per Art. 12 para. 1 sentences 2 and 3 of the GDPR, information can be given to the affected person in writing, electronically or verbally, depending on the circumstances. According to Art. 12(3), information must be communicated quickly, but at the latest within one month. Only in justified exceptional cases may this one-month deadline be exceeded. The information is, as a rule, given without payment. If further copies are requested, a reasonable payment that reflects administrative costs can be charged. The responsible party can also refuse to grant information to an affected person in the case of unjustified or excessive requests. Responsible parties additionally have the right, if there is a large volume of information about the impacted person being processed, that they share their right of access regarding processing or information.
Art. 15 GDPR Right of access by the data subject
1. The data subject shall have the right to obtain from the controller confirmation as to whether or not personal data concerning him or her are being processed, and, where that is the case, access to the personal data and the following information:
(a) the purposes of the processing;
(b) the categories of personal data concerned;
(c) the recipients or categories of recipient to whom the personal data have been or will be disclosed, in particular recipients in third countries or international organisations;
(d) where possible, the envisaged period for which the personal data will be stored, or, if not possible, the criteria used to determine that period;
(e) the existence of the right to request from the controller rectification or erasure of personal data or restriction of processing of personal data concerning the data subject or to object to such processing;
(f) the right to lodge a complaint with a supervisory authority;
(g) where the personal data are not collected from the data subject, any available information as to their source;
(h) the existence of automated decision-making, including profiling, referred to in Article 22(1) and (4) and, at least in those cases, meaningful information about the logic involved, as well as the significance and the envisaged consequences of such processing for the data subject.
2. Where personal data are transferred to a third country or to an international organisation, the data subject shall have the right to be informed of the appropriate safeguards pursuant to Article 46 relating to the transfer.
3. The controller shall provide a copy of the personal data undergoing processing. For any further copies requested by the data subject, the controller may charge a reasonable fee based on administrative costs. Where the data subject makes the request by electronic means, and unless otherwise requested by the data subject, the information shall be provided in a commonly used electronic form.
4. The right to obtain a copy referred to in paragraph 3 shall not adversely affect the rights and freedoms of others.