As a data subject whose personal data is processed, you invariably have the right to access. However, this right of access is not absolute. We clarify what this means, how you exercise this right and what response should be given.
First of all, the terminology used is somewhat misleading as it creates the impression that you can actually inspect the processing itself, when the reality is more nuanced. Rather, it concerns a right to know about the processing of your personal data. You can exercise this right at any time, regardless of whether you were informed about the processing of your personal data at the start of the processing.
Article 15 GDPR clarifies what information you are entitled to, beyond the actual personal data itself, when exercising your right to access:
- the purposes of processing;
- the categories of personal data concerned;
- the recipients or categories of recipients to whom the personal data have been or will be disclosed, in particular recipients in third countries or international organisations;
- the period for which the personal data are expected to be stored or, if that is not possible, the criteria for determining that period;
- the existence of the right to request from the controller rectification or erasure of personal data or restriction of processing of personal data concerning the data subject or to object to such processing;
- the right to lodge a complaint with a supervisory authority;
- where the personal data are not collected from the data subject, any available information as to their source;
- the existence of automated decision-making, including profiling, and, at least in those cases, meaningful information about the logic involved, as well as the significance and the envisaged consequences of such processing for the data subject;
- when transfers are made to a third country or international organisation, the appropriate safeguards taken.
In principle, you are entitled to one free copy; for additional copies, the controller may charge a reasonable fee in proportion to the administrative costs.
If you make your request for access in electronic form (e.g. by e-mail), it is sufficient for the controller to send you the copy in electronic form as well, unless you explicitly request otherwise.
However, your right to access is not absolute. Article 15.4 GDPR clarifies that this must not infringe on the rights and freedoms of others.
For example, if you exercise your right of access vis-à-vis your (former) employer, the latter has the right and actually even the duty to anonymise/censor the evaluation forms as the personal data of others (e.g. the evaluator, colleagues) must also be protected under the GDPR. In this view, the controller also has the right to request a clarification of your request. After all, if you are already employed for a long period of time, it may be disproportionate and impose an excessive burden to have to anonymise/censor and copy all data over the entire period in order to comply with your request. A concrete assessment must always be made in this regard.
In the recent ECJ judgment of 4 May 2023, the Court clarified that the right of access can extend very broadly in the sense that copies of the underlying documents or extracts must be provided. However, never should one lose sight of the rights and freedoms of others in doing so:
“the right to obtain from the controller a copy of the personal data undergoing processing means that the data subject must be given a faithful and intelligible reproduction of all those data. That right entails the right to obtain copies of extracts from documents or even entire documents or extracts from databases which contain, inter alia, those data, if the provision of such a copy is essential in order to enable the data subject to exercise effectively the rights conferred on him or her by that regulation, bearing in mind that account must be taken, in that regard, of the rights and freedoms of others.”
Your request in itself is not subject to any formal conditions. However, with a view to dealing with it efficiently, you are well advised to already clearly identify yourself since every controller obviously has a duty to proceed with identification before providing any information.
Subsequently, the Controller has in principle one month to comply with your request. Within this period, he must either provide the data or inform you of the reason why he believes he should/could not do so and inform you of your right to lodge a complaint with the supervisory authority (GBA) and the possibility of a subsequent appeal to the court (Market Court). The period can be extended by an additional two months if the controller notifies you of this before the expiration of the original period.
If you have any further questions about (the exercise of) your right of access, you can always contact us by e-mail: firstname.lastname@example.org or by telephone on 03/216.70.70.