The right of access is intended to enable the person to obtain an overview of the data stored about them in order to be able to assert further rights (e.g. right to erasure, right to rectification).
The company must not only provide information about the data or data categories, but also other circumstances relating to processing, such as the purposes of processing, the recipients (categories), the storage period of the data, the origin of the data, the existence of a so-called ‘automated individual decision’ and the existence of other rights of data subjects (e.g. the right to erasure).
If the company also transfers data to a third country and uses a data protection guarantee such as the EU standard contractual clauses, the person must also be informed of this.
As with the other data subject rights, the right of access must be answered within one month. An electronic request for information from the person must also be answered electronically, if feasible.
If no personal data is available, the person must also be informed of this (so-called negative information).
Process for handling data subject requests A process for handling data subject requests must be defined and documented. Suitable means: data subject rights directive.
Assignment of responsibilities for handling data subject requests Assignment of responsiblities (e.g. for answering access to information requested by data subjects). Suitable means: data subject rights directive.
>> Find out which other data protection obligations have to be considered with respect to European data protection law.
.png){kind=small}
.png){kind=small}
.png){kind=small}
.png){kind=small}
