When you receive a request for access to personal data, ensure that:
the request is for access to personal data
the requester's identity has been verified
in the case of a child, where appropriate, a parent's involvement has been clarified
details of the request have been clarified
fees, where appropriate, have been agreed
all search locations have been identified
where relevant, the disclosure (or not) of the personal data of third-party individuals has been properly managed
the prescribed information will be included in the response to the requester (Article 15)
the disclosure will not prejudice other data subjects
you understand the different rights of data subjects which are associated with access
any changes to personal data are communicated to all recipients (processors and other controllers)
(The GDPR compliance app provides a detailed response guide)
The data subject has the right to obtain from the controller, confirmation as to whether or not personal data concerning him or her are being processed, and, where that is the case, access to the personal data. Additional information – similar to what should be on your privacy notice – must be supplied, including the rights of data subjects to rectification or erasure of personal data or restriction of processing concerning the data subject and to object to processing as well as the right to data portability.
The controller should be obliged to respond to requests from the data subject without undue delay and at the latest within one month and to give reasons where the controller does not intend to comply with any such requests.
Where personal data are transferred to a third country or to an international organisation, the data subject has the right to be informed of the appropriate safeguards pursuant to Article 46 relating to the transfer.
The controller shall provide a copy of the personal data undergoing processing. For any further copies requested by the data subject, the controller may charge a reasonable fee based on administrative costs. Where the data subject makes the request by electronic means, and unless otherwise requested by the data subject, the information shall be provided in a commonly used electronic form.
The right to obtain a copy shall not adversely affect the rights and freedoms of others. Be aware, for example, that the disclosure to the data subject could include other data subjects’ personal data.
Where possible, the controller should be able to provide remote access to a secure system which would provide the data subject with direct access to his or her personal data. That right should not adversely affect the rights or freedoms of others, including trade secrets or intellectual property and in particular the copyright protecting the software. However, the result of those considerations should not be a refusal to provide all information to the data subject.
The controller should use all reasonable measures to verify the identity of a data subject who requests access, in particular in the context of online services and online identifiers. A controller should not retain personal data for the sole purpose of being able to react to potential requests.
Where the controller is able to demonstrate that it is not in a position to identify the data subject, the controller shall inform the data subject accordingly, if possible. In such cases, Articles 15 to 20 shall not apply except where the data subject, for the purpose of exercising his or her rights under those articles, provides additional information enabling his or her identification.
The content herein is provided for your convenience and does not constitute legal advice.
Compliance Technology Solutions B.V. 2018