Answer

When someone requests access to their personal data, your company/organisation must:

  • confirm whether or not it is processing personal data concerning them;
  • provide a copy of the personal data it holds about them;
  • provide information about the processing (such as purposes, categories of personal data, recipients, etc.).

Your company/organisation must provide the individual with a copy of their personal data free of charge. However, a reasonable fee can be charged for further copies.

The exercise of the right of access is closely linked to the exercise of the right to data portability – to allow the individual to transmit their data to another organisation.

It is important that, in your company/organisation's Privacy Notice, there is a clear distinction between the two rights. Therefore, both rights need to be briefly mentioned separately.

Example

Your company/organisation provides an online social networking service whereby individuals can exchange messages and pictures. A user requests access to their personal data and asks to verify which personal data concerning them is processed by your company/organisation. Your company/organisation must confirm that it is processing personal data which concerns them and provide a copy (such as name, contact details, messages and pictures exchanged). Your company/organisation must also provide them with information about the processing – usually that would be in the privacy notice of your service.

References

  • Article 15 and Recitals (63) and (64) of the GDPR