The main purpose of the GDPR is to give individuals back control over their personal data. As a result, the Regulation puts great emphasis on data subjects’ rights. To name a few: the right of access and rectification, data portability, restriction of processing, erasure, and the right not to be subject to a decision based solely on automated processing. Today we begin a series of blog posts dedicated to these rights, in which we will take you through examples of how they should be applied, and more. If, for the time being, all you want is an overview of these rights, you can read it on our page dedicated to EU citizens’ rights, or you can check the ‘Rights’ category in our knowledge base.
Right of access by the data subject
Chapter III of the GDPR deals with the rights of data subjects – Articles 13-15 contain provisions on the right of access to personal data. In Chapter IV, Article 16 we find information about the right to rectification.
The right of access is not new, but the GDPR brings certain changes. For instance, the response time to such a request from the data subject is reduced from 40 days to one month. No fee should be charged to a data subject asking to exercise this right. However, if a request is unfounded or the number of requests from one data subject is excessive, the controller can charge a reasonable fee to respond to the request, or can simply refuse it.
Of course, the controller has to be able to prove that the request is excessive or unfounded. Also, in the case of a refusal, the controller has to give a valid reason within one month of the request. If the answer to the request is positive, the controller should give it in a concise, transparent, intelligible and easily accessible form. All information should be provided in writing or by electronic means.
So, what exactly does a data subject have the right to access?
Article 15 outlines the type of information controllers should provide. First of all – the purposes of the processing and the categories of personal data concerned. This information should also be provided when asking for consent, but if a data subject has doubts, he might ask to access this information again. Also, data subjects have the right to know the recipients of their data, especially where these include third countries or international organizations.
Where possible, controllers should let data subjects know the envisaged period for which the data will be stored, or the criteria used to determine that period. Of course, information about any automated decision-making, including profiling, should be provided. The data subject also has the right to obtain a copy of their data, unless doing so adversely affects the rights and freedoms of others. The copy has to be provided free of charge – a great shift towards transparency.
Still feeling confused about access, about when or why someone would request it? Take for example the case of names that are pronounced the same but written differently – like Danielle and Daniel. Misspellings can easily happen, and the data subject might want to check that their name is spelled correctly. Also, the data subject might suspect that their data is being used for purposes other than those he originally consented to. Again, in this case, he has the right to verify all the purposes of the processing. Be careful, though: before answering an access request affirmatively, the controller should first verify the identity of the data subject, to make sure the person making the request is not an impostor.
Right to rectification
Article 16 of the GDPR states that:
The data subject shall have the right to obtain from the controller without undue delay the rectification of inaccurate personal data concerning him or her. Taking into account the purposes of the processing, the data subject shall have the right to have incomplete personal data completed, including by means of providing a supplementary statement.
Rectification may be requested when the name, address or any other information has been misspelled. Usually, the data subject will first request access in order to verify whether the data has indeed been misspelled. If it has, rectification should be made as soon as possible. Another scenario where rectification will be needed is when some information changes – for example, the home address. The time frame for addressing a rectification request is one month. In the case of complex and/or high-volume requests, the controller can seek an extension of up to two additional months.
Access and rectification are two rights that usually go hand in hand. The most important change that the GDPR brings is the shorter time frame. Also, the no-fee rule is a great step towards the GDPR’s main goal: giving individuals back control over their personal data. In the next posts of this series, we will continue discussing EU citizens’ rights, hoping to make your way to GDPR compliance easier.