Article 15- Right of access by the data subject

Image credit: everypixel.com

The GDPR has provisions related to rights of data subjects. The data subject is none other than  the common man like you and me. This Regulation has empowered individuals to such an extent that they can now ask data controllers (entities that have collected their personal data for processing) what exactly they are doing with it which was erstwhile next to impossible to do!

Pre-GDPR, it was very difficult to request information from a controller let alone asking for information pertaining to the processing of our very own data. However ironic it may seem, we had no control over our own details and how it is being used. In the absence of a clear regulation, we had no choice but to gullibly provide our personal details to data controllers in order to get services but with GDPR the tables have turned!

GDPR provides for a slew of rights and today we will analyse the right of access. The data subject can under Article 15 do the following:

  1. It can ask the data controller whether it is processing its data and if it is, then the data subject can have access to the data being processed along with the additional information:
  • The purpose of the processing
  • The categories of personal data that are being processed
  • The recipients of the personal data especially in third countries or international organizations
  • The time period for which the data shall be stored or a criteria to determine that period
  • The right to rectify, erase or object to the personal data that is being processed
  • The right to lodge a complaint with a supervisory authority
  • Any availability of information when personal data is not collected
  • The existence of automated decision making and if in use, then the logic involved to process the data through automatic means
  1. Not only access to the information listed above, the data subject also has the right to know about the safeguards that have been put in place when personal data is being transferred to a third country or an organization
  2. The data subject shall have the right to get a copy of the personal data undergoing processing and it shall be free of any cost unless additional copies are requested. It must be noted that the GDPR has not defined any lower or upper limit on the fees being charged and only the term ‘reasonable’ has been used. The information can be provided in an electronic form if requested by the data subject electronically.
  3. Whenever a data subject requests access to information, it must not affect the rights and freedom of others. In clearer terms, this would also mean that the intellectual property rights or the trade trade secrets of the data controller must not be jeopardised. However, this is not a ground for the data controller to refuse access to the data subject and each request must be carefully considered. 

The above is a clear indicator as to how an individual can gain access to the database of a data controller and get all the details concerning oneself. This is a very effective means of keeping in check any arbitrary actions being taken by the data controller under the guise of offering services to the data subjects. 

With the speedy implementation of GDPR, many instances have arisen where customers have demanded access to their personal data. Any failure to grant access has always attracted the ire of the Data Protection Authority thereby empowering the individual even further. This is a welcome step in the right direction in a world where the lines between private and public information are getting blurred with each passing day.