GDPR – What personal data and information can an individual access on request?

Q:  What personal data and information can an individual access on request? 
 
A:   When someone requests access to their personal data, your company/organisation must:
  • confirm whether or not it is processing personal data concerning them;
  • provide a copy of the personal data it holds about them;
  • provide information about the processing (such as purposes, categories of personal data, recipients, etc.).
Your company/organisation must provide the individual with a copy of their personal data free of charge.  However, a reasonable fee can be charged for further copies.
 
The exercise of the right of access is closely linked to the exercise of the right to data portability, which allows the individual to transmit their data to another organisation.
 
It is important that, in your company/organisation's Privacy Notice, there is a clear distinction between the two rights.  Therefore, both rights need to be briefly mentioned separately.
 
Example
 
Your company/organisation provides an online social networking service whereby individuals can exchange messages and pictures. A user requests access to their personal data and asks to verify which personal data concerning them is processed by your company/organisation. Your company/organisation must confirm that it is processing personal data which concerns them and provide a copy (such as name, contact details, messages and pictures exchanged). Your company/organisation must also provide them with information about the processing – usually that would be in the privacy notice of your service.
 
References
  • Article 15 and Recitals (63) and (64) of the GDPR
 
 
ADDITIONAL INFORMATION:
The above FAQ was included on the European Commission’s website, which can be located here:   
 
 
