How to: Comply with the right of access under the GDPR

Art. 15 GDPR: Right of access by the data subject
Arthur
26.09.2023

Mastering GDPR Article 15: Data Access Rights

Learn to comply with GDPR Article 15: the right to access personal data. Free information, data protection, and quick responses are key.

 

How to Comply with the Right to Information under GDPR

Article 15 of the General Data Protection Regulation (GDPR) plays a significant role in the lives of many individuals who are concerned about their personal data. This article describes and regulates the right to access personal data and information processed by companies or other institutions. In essence, the right to access is a crucial component of the GDPR, governing the rights of data subjects. Companies, in particular, are challenged when applying this article, making it advisable for every business owner to inform themselves in advance about all rights and obligations and prepare to handle initial information requests and make the right decisions.

Companies, authorities, institutions, and individuals need to be aware that the GDPR has been in effect since May 25, 2018, and covers various data subject rights. These rights address how private data may be stored and used. An essential part of these rights is defined in Article 15 of the GDPR, which outlines the right to information for all data subjects regarding their personal data. For companies, it raises questions about whether there is an obligation to provide information and when a data subject has the right to request information. At the same time, it needs to be clarified how to make a request for information and what costs may be incurred.

How is the right to information defined?

Since May 25, 2018, Article 15 of the GDPR has regulated the rights of data subjects to request information about their personal data. This means that a company processing personal data must provide a data subject with an overview of the data and information that is stored. It's important to note that the data subject rights of Article 15 of the GDPR cover not only basic data, which typically consists of a name and an address, but also relevant communication and internal notes. To provide a comprehensive overview to data subjects, the communication should provide context. If this is not the case, complete documents must be provided as copies.

What are the costs associated with an information request?

When a data subject requests information about their personal data, this information must generally be provided free of charge. However, Article 15 of the GDPR specifies that only the first copy of the requested information is considered free of charge. If unwarranted or frequently recurring requests are received, costs can be billed, or the information can be denied. Such cases are addressed in Article 12(5) of the GDPR.

Information Provision and Data Protection

The data subject rights outlined in Article 15 of the GDPR provide individuals with the opportunity to access their personal data, but it's important to note that the right to information is also subject to data protection regulations. According to Article 15 of the GDPR, information may only be provided in a way that safeguards the freedoms and rights of other individuals involved. This definition allows for the preservation of trade secrets and business confidentiality. However, Article 15 does not allow for a complete denial of information; instead, passages related to data protection should be redacted. In some cases, the right to information may be restricted, particularly in cases of threats to public safety, which are governed by the Federal Data Protection Act, the Tax Code, and the Social Code.

For companies, every information request presents a challenge, and some companies may try to argue that the effort is disproportionate. Disproportionality does not solely arise from the effort involved. It should not be assumed that the volume of requested data necessarily leads to high costs. The fact is that personal data that is stored and processed extensively usually holds high relevance, making the right to information more pronounced. Therefore, companies claiming disproportionality are unlikely to succeed in most cases.

What information must be included in an information request under Article 15 of the GDPR?

When a person submits a request for information, there is currently no universally applicable form that can be used. Therefore, a company must design an information request form itself. It is important that the information request includes all the information relevant to data subject rights. At the same time, the information request must be clearly presented:

  • The information must be provided in precise language
  • It must be presented transparently
  • The information must be understandable
  • The information must be easily accessible to the recipient

The content of an information request is also clearly defined by the GDPR. If an information request is to be fulfilled, the following items must be provided to the data subject:

  • The exact purposes of data processing
  • A description of the data being processed
  • The planned storage duration
  • Recipients and any further recipients of personal information
  • Criteria for determining the storage duration
  • All rights involving correction, restriction, or processing
  • The right to object to data processing
  • The right to file a complaint with the relevant supervisory authority
  • Clarification of data origin if the data was not collected internally
  • All data collected through a service or device

Even if a company does not process or has not processed any personal data of an individual, it must provide a so-called negative response. According to Article 5(2) of the GDPR, accountability is required in this case. Information requests should be internally documented. If you want to learn more about providing information or a negative response, you can contact the experts at heydata. Their expertise in GDPR and data protection helps companies make the right decisions, especially regarding Article 15 of the GDPR.

How can a data subject exercise the right to information?

If an individual wishes to make a request for information under Article 15 of the GDPR, the request does not need to be justified. Therefore, a formal request from the data subject to the recipient is entirely sufficient. When a company receives a request, it must ensure that the requested data is not sent to unauthorized individuals and that data protection is maintained. Therefore, it is essential for the requester to be clearly identified by the company. If a clear identification of the requester is not possible, Article 12(6) of the GDPR should be observed, allowing a company to request a copy of the identity documents in exceptional cases. In this case, the name, address, date of birth, and validity period of the identification card should suffice. The requester can obscure additional data by redacting it. The company must ensure that the received copy of the identification document is not stored under any circumstances.

Within what timeframe must information be provided under Article 15 of the GDPR?

When a data subject requests information about their personal data under Article 15, the request must be processed promptly. Article 12(3) of the GDPR defines a deadline of one month after the request is made. In the case of a complex request, the deadline can be extended by two months. In general, if a delay is expected, the data subject must be contacted within the first month. In this case, an obligation to provide information exists.

Especially with the first data request, there is often a high demand for information. In such cases, it is advisable to make use of heydata's high expertise and seek guidance on how to create GDPR-compliant information provision through a personal consultation.
