When someone requests access to their personal data, your company/organisation must:
- confirm whether or not it is processing personal data concerning them;
- provide a copy of the personal data it holds about them;
- provide information about the processing (such as purposes, categories of personal data, recipients, etc.)
Your company/organisation must provide the individual with a copy of their personal data free of charge. However, a reasonable fee can be charged for further copies.
The exercise of the right of access is closely linked to the exercise of the right to data portability – to allow the individual to transmit their data to another organisation.
It is important that, in your company/organisation's Privacy Notice, there is a clear distinction between the two rights. Therefore, both rights need to be briefly mentioned separately.
Your company/organisation provides an online social networking service whereby individuals can exchange messages and pictures. A user requests to access their personal data and to verify what personal data which concerns them is processed by your company/organisation. Your company/organisation must confirm that it is processing personal data which concerns them and provide a copy (such as name, contact details, messages and pictures exchanged). Your company/organisation must also provide them with information about the processing – usually that would be in the privacy notice of your service.
- Article 15 and Recitals (63) and (64) of the GDPR