Right of Access in GDPR

April 24, 2018
European Union


The European Union (hereinafter referred to as “EU”) will be implementing the General Personal Data Protection (hereinafter referred to as “GDPR”) with effect from May 25, 2018. GDPR seeks to protect personal data of EU residents and is applicable on companies collecting, storing and processing the personal data of EU residents.

The present article talks about the provision of right of access by the data subject.

Meaning- Right of Access by Data Subject

The provision of right of access means that controllers[1] are required to provide data subjects, i.e., natural persons whose personal information is being collected, a copy of their processed personal data upon request. The information is to be provided in writing, or by other means, where appropriate, by electronic means. Further, the information, when requested by the data subjects may be provided orally, provided that the identity of the data subject is proven by other means[2].

Information that can be accessed by data subjects

Firstly, data subjects have the right to obtain confirmation from the controller as to whether or not their personal data are being processed. If the controller confirms that their personal data is being collected, then the data subjects have the right to access the personal data and the following information[3] :

  1. the purposes of the processing;
  2. the categories of personal data concerned;
  3. the recipients or categories of recipient to whom the personal data have been or will be disclosed, in particular, recipients in third countries or international organizations;
  4. where possible, the envisaged period for which the personal data will be stored, or, if not possible, the criteria used to determine that period;
  5. the existence of the right to request from the controller rectification or erasure of personal data or restriction of processing of personal data concerning the data subject or to object to such processing;
  6. where the personal data are not collected from the data subject, any available information as to their source.

Further, it is to be noted that where personal data are transferred to a third country, i.e., countries outside the European Union or to an international organization, the data subject shall have the right to be informed of the appropriate safeguards relating to the transfer[4].

Manner of providing information to data subjects

  • The Controller shall, at no cost, provide a copy of the personal data undergoing processing.
  • If further copies are requested by the data subject the controller may charge a reasonable fee based on administrative costs.
  • The information shall be provided by the controller to the data subject in a commonly used electronic form, if the request is made by data subject through electronic means and unless otherwise requested by the data subject.

Time Period for providing information to data subjects

The controller has to provide the information requested by the data subject without undue delay, and in any event within 1 month of receipt of the request, subject to extension by 2 more months where necessary, taking into account the complexity and number of the requests. The controller is under obligation to inform the data subject of any such extension within 1 month of receipt of the request, together with the reasons for the delay.

For more information please write to us at :info@ssrana.com  

[1] controller’ means the natural or legal person, public authority, agency or other body which, alone or jointly with others, determines the purposes and means of the processing of personal data
[2] Article 12 of GDPR
[3]Article 15 (1) of GDPR
[4]Article 12 (2) of GDPR

For more information please contact us at : info@ssrana.com