Article 15 states that the data subject shall have the right to obtain from the controller confirmation as to whether or not personal data concerning him or her are being processed, and, where that is the case, access to the personal data...
Article 16 to Article 22 contain specific requirements for controller's to comply with in respect of a data subject's rights. These include the rights to rectification, erasure (be forgotten), restriction of processing, data portability, the right to object and the right not to be subject to a decision based solely on automated processing, including profiling, which produces legal effects concerning him or her.
The controller shall provide information on action taken on a request under Articles 15 to 22 to the data subject without undue delay and in any event within one month of receipt of the request. That period may be extended by two further months where necessary, taking into account the complexity and number of the requests. The controller shall inform the data subject of any such extension within one month of receipt of the request, together with the reasons for the delay. Where the data subject makes the request by electronic form means, the information shall be provided by electronic means where possible, unless otherwise requested by the data subject.
If the controller does not take action on the request of the data subject, the controller shall inform the data subject without delay and at the latest within one month of receipt of the request of the reasons for not taking action and on the possibility of lodging a complaint with a supervisory authority and seeking a judicial remedy.
The GDPR compliance app provides a utility for you to manage access requests from data subjects.
The content herein is provided for your convenience and does not constitute legal advice.
Compliance Technology Solutions B.V. 2018