The right of access gives the individual the ability to learn whether his or her personal data are being processed. If an individual’s personal data are being processed, the individual has the ability to obtain the following information:
- The purposes of the processing;
- The categories of personal data being processed;
- The recipients or categories of recipients to whom the personal data have been or will be disclosed;
- How long the personal data will be stored (or the criteria by which that time period is determined);
- Where the personal data are not collected from the individual, the source of the personal data
- The nature of any automated decision-making, including profiling, applied to the personal data
- Where personal data are transferred to a third country or to an international organization, the appropriate safeguards applicable to the transfer.
In addition, the individual has the ability to take remedial actions:
- Request rectification or correction of his or her personal data
- Request erasure of his or her personal data
- Request restriction of processing of his or her personal data or object to such processing
- Lodge a complaint with a supervisory authority
As mentioned above, the individual is to be provided a copy of the personal data being processed unless it adversely affects the rights and freedoms of others. A reasonable fee based on administrative costs may be charged if any additional copies are requested by the individual. Where the request is made by electronic means, the response should be provided in a commonly used electronic form unless the individual requests otherwise.
This blog is the sixth in a series of blogs that describes and explains the eight individual rights set forth in the GDPR. If you don’t want to wait until the next blog to learn more about the GDPR and the individual rights in the GDPR, take a look at GDPRsimple, http://www.keepgdprsimple.com, an automated web and mobile tool, that can help SMEs implement the GDPR and demonstrate their implementation.