The European Union’s General Data Protection Regulation (GDPR) is one of the most comprehensive data privacy laws enacted to date, and it has inspired many of the privacy regulations adopted around the world since. The regulation fosters transparency, accountability, and user empowerment.
Chapter 3 of the regulation gives data subjects (the individuals whose personal data is processed) significant control over how that data is collected, processed, and transferred. Among other things, data subjects can request access to, erasure, portability, and rectification of their personal data.
Among the rights outlined in Chapter 3, the right of access stands out. Article 15 of the regulation sets out a comprehensive list of what a data subject is entitled to learn, providing enhanced transparency. By exercising this right, a user can require a business to confirm whether it is processing their personal data and, if so, to provide the categories of personal data it holds, the purposes of processing, and a number of other details.
Understanding the provisions GDPR provides under Article 15 is crucial for compliance, especially if an entity operates in the EU or serves users in the EU. Comprehending those provisions and ensuring compliance with the regulation also fosters trust.
Read on to discover more about the key provisions of Article 15, how to address data subjects’ requests, and how to avoid the legal consequences of not fulfilling the requests.
GDPR Article 15 - Complementing the Transparency Requirement of the Law
Article 15 of the GDPR, which grants data subjects the right of access, works hand in hand with Article 12 (transparent information, communication, and modalities for exercising rights); together they enable data subjects to exercise their other rights effectively. For instance, data subjects cannot meaningfully exercise their right to rectify or erase personal data if they cannot first find out which categories of personal data a controller holds about them, or whether any of it, such as their contact details, is inaccurate and needs correction.
So, without further ado, let’s get down to the fundamental provisions of Article 15 of the GDPR.
Important Components of Article 15
Purpose of the Processing
Article 15(1)(a) mandates that a data controller must communicate the specific purposes for processing an individual's data. While the provision itself doesn't explicitly require disclosure of the legal basis for each purpose, including this information is crucial for the data subject to assess the lawfulness of the processing. In line with GDPR Article 12(2) and to facilitate the exercise of data subjects' rights, it is recommended that controllers not only specify the processing purposes but also inform the data subject about the relevant legal basis for each operation or provide clear directions on where to find this information. Regardless, transparent processing principles necessitate that information about the legal bases of data processing be made easily accessible to the data subject, such as through a privacy notice.
Recipients & Categories of Personal Data
Article 15(1)(b) entitles data subjects to learn the categories of personal data concerned, and Article 15(1)(c) entitles them to learn the recipients or categories of recipients to whom their personal data has been or will be disclosed. Data controllers often answer the latter with generic categories only, which conflicts with the core purpose of the right of access: to let data subjects "be aware of, and verify, the lawfulness of the processing" (Recital 63). To serve that objective, the information provided should be as specific as possible, so that data subjects can understand and assess how their data is shared. Reliance on generic categories alone falls short of this goal. Where the data subject asks for it, the actual identity of each recipient should be disclosed; the Court of Justice of the EU confirmed this in C-154/21 (Österreichische Post, 2023), subject to the exceptions where it is impossible to identify the recipients or the request is manifestly unfounded or excessive.
Retention of Personal Data
Article 15(1)(d) requires entities to disclose, on request, the period for which the personal data will be stored. If the data is retained for a defined period, entities must state that period. Where the retention period is not pre-defined, entities must instead state the criteria used to determine it (for example, "for the duration of the contract plus the statutory limitation period").
Data Collection from Other Sources
Organizations usually collect personal data directly from data subjects. For instance, a data subject may provide data via a sign-up form or a survey, etc. However, there are some instances where organizations may collect data indirectly, such as from data brokers or third-party service providers. In this scenario, organizations must provide data subjects with “any available information” regarding the other sources from where they collected the personal data.
Other Rights Granted by the GDPR
Article 15(1)(e) further entitles data subjects to be informed of the existence of their other rights under the GDPR, for instance the right to rectify inaccurate personal data held by the business. The right of erasure allows data subjects to request that an entity delete their personal data. Data subjects may also object to, or request restriction of, the processing of their personal data.
Provision Regarding Automated Decision-Making
Article 15(1)(h) requires businesses to inform data subjects of the existence of automated decision-making, including profiling, as referred to in Article 22(1) and (4). Organizations increasingly rely on automated tools and AI models for such decisions, especially for user profiling. The provision demands that, in those cases, businesses give the data subject meaningful information about the logic involved, as well as the significance and the envisaged consequences of the processing for the data subject. When a data subject asks about automated decisions, the response should therefore cover not only the decision itself but also the safeguards available, including the rights to obtain human intervention, to express their point of view, and to contest the decision, as set out in Article 22(3) of the GDPR.
Cross-Border Data Transfer
The GDPR places great importance on transparency and on safeguarding personal data wherever it goes. Article 15(2) therefore gives data subjects the right to be informed when their personal data is transferred to a third country or an international organization, and of the appropriate safeguards under Article 46 (such as standard contractual clauses or binding corporate rules) that accompany the transfer. These safeguards are meant to ensure that the protection of the data subject's rights is not undermined when the data crosses borders.
Request for the Copy of Personal Data
Article 15(3) requires businesses to provide data subjects with a copy of the personal data undergoing processing. Article 15(4) adds that the right to obtain a copy must not adversely affect the rights and freedoms of others. Where the request is made by electronic means and the data subject has not asked for another format, the information should be provided in a commonly used electronic form. Further copies may be subject to a reasonable fee based on administrative costs; the first copy is free.
Right to Complain
Under Article 15(1)(f), the data subject's right to lodge a complaint with a supervisory authority must be disclosed along with the other mandated information.
Limits
The right of access, as outlined in Article 15 of the GDPR, is subject to certain limitations. These include the rights and freedoms of others (Article 15(4)) and the handling of manifestly unfounded or excessive requests, which the controller may refuse or charge a reasonable fee for (Article 12(5)). Union or Member State law may further restrict the right of access under the conditions of Article 23. Derogations apply to processing for scientific or historical research, statistical purposes, or archiving in the public interest (Articles 89(2) and 89(3)), and to processing for journalistic purposes or academic, artistic, or literary expression (Article 85(2)).
Individuals Who Can Exercise Article 15
Under Article 3, the GDPR applies to controllers and processors established in the EU, regardless of where the processing takes place, and to those outside the EU that offer goods or services to, or monitor the behaviour of, data subjects in the Union. Any data subject whose personal data falls within that scope can exercise the right of access. Requests can be made directly to the data controller; in some cases data subjects may also exercise their rights indirectly through a representative.
Organizations must act on a data subject access request (DSAR) without undue delay and in any event within one month of receipt (Article 12(3)). Where necessary, taking into account the complexity and number of requests, that period may be extended by a further two months, but the data subject must be informed of the extension, and of the reasons for the delay, within the initial one-month period.
If an organization fails to respond to a DSAR, the data subject can lodge a complaint with a supervisory authority (Article 77) or seek a judicial remedy against the controller (Article 79), including compensation for damage suffered as a result of the non-compliance (Article 82).
It is therefore imperative for organizations to have effective mechanisms in place to fulfil DSARs on time. Organizations must verify the requester's identity so that personal data is released only on valid requests; where there are reasonable doubts, Article 12(6) allows the controller to ask for additional information to confirm identity. Each request and the steps taken to handle it should be documented, both to satisfy the records-of-processing-activities (RoPA) obligation in Article 30 and to demonstrate compliance.
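The procedure above (verify identity, respond within one month, extend by two months only if the data subject is told within the first month, document every step) is simple enough to encode in a small tracker. The following is an added example written for this article; it is not Securiti's code or any product's API. It assumes one convention for "one month": the same day number in the following month, clamped to the last day of a shorter month. The class and field names are illustrative.

```python
"""Minimal DSAR intake tracker: identity gate, Article 12(3) deadlines with
the two-month extension, and an audit log per request.

Added example, not the code of any product named on the page. Assumption: a
"month" is a calendar month ending on the same day number as receipt, clamped
to the last day of a shorter month; all names here are illustrative.
"""
from __future__ import annotations

import calendar
from dataclasses import dataclass, field
from datetime import date
from typing import Optional


def add_months(start: date, months: int) -> date:
    """Same day-of-month `months` later; clamp when the target month is
    shorter (assumed convention: 31 Jan + 1 month -> 28/29 Feb)."""
    index = start.month - 1 + months
    year, month = start.year + index // 12, index % 12 + 1
    day = min(start.day, calendar.monthrange(year, month)[1])
    return date(year, month, day)


class DSARError(Exception):
    """Raised when an action would breach the handling procedure."""


@dataclass
class DSAR:
    request_id: str
    received: date                        # date the controller received it
    identity_verified: bool = False       # Art. 12(6): act only on a verified identity
    extension_notified: Optional[date] = None
    fulfilled: Optional[date] = None
    log: list[str] = field(default_factory=list)

    def _note(self, day: date, text: str) -> None:
        # Every step is recorded so compliance can be demonstrated later.
        self.log.append(f"{day.isoformat()} {self.request_id}: {text}")

    def initial_deadline(self) -> date:
        return add_months(self.received, 1)

    def deadline(self) -> date:
        # One month, or three months in total once an extension was notified.
        if self.extension_notified is not None:
            return add_months(self.received, 3)
        return self.initial_deadline()

    def verify_identity(self, day: date, evidence_ok: bool) -> None:
        self.identity_verified = evidence_ok
        self._note(day, "identity verified" if evidence_ok else "identity check failed")

    def extend(self, day: date, reason: str) -> None:
        # The extension and its reasons must reach the data subject within
        # the original one-month period, and only for an open request.
        if self.fulfilled is not None:
            raise DSARError("request already fulfilled")
        if day > self.initial_deadline():
            raise DSARError("extension notified after the initial deadline")
        self.extension_notified = day
        self._note(day, f"extended by two months: {reason}")

    def fulfil(self, day: date) -> None:
        if not self.identity_verified:
            raise DSARError("cannot release personal data to an unverified requester")
        self.fulfilled = day
        self._note(day, "copy of personal data and Art. 15 information sent")

    def status(self, today: date) -> str:
        if self.fulfilled is not None:
            return "fulfilled-late" if self.fulfilled > self.deadline() else "fulfilled"
        return "overdue" if today > self.deadline() else "open"


if __name__ == "__main__":
    # Constructed sample: one straightforward request, one needing an extension.
    simple = DSAR("DSAR-0001", date(2024, 1, 31))
    simple.verify_identity(date(2024, 2, 2), evidence_ok=True)
    simple.fulfil(date(2024, 2, 20))
    complex_ = DSAR("DSAR-0002", date(2024, 1, 15))
    complex_.verify_identity(date(2024, 1, 18), evidence_ok=True)
    complex_.extend(date(2024, 2, 10), "data spread across several systems")
    for req in (simple, complex_):
        print(req.request_id, "due", req.deadline(), req.status(date(2024, 3, 1)))
        print("\n".join(req.log))
```

The two guards are the ones most often missed in practice: `fulfil` refuses to release data until identity has been confirmed, and `extend` rejects an extension notified after the first month has already run out, so the tracker cannot be used to quietly "extend" an already overdue request.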
Streamline & Automate DSARs with Securiti PrivacyOps
Managing DSARs can be complex and challenging. Large organizations hold large volumes of data, often spread across multiple systems, cloud service providers, and geographies. Discovering that data, inventorying it, and linking it to individuals is difficult without automation.
Securiti Privacy Center is built to help organizations comply with various global data privacy obligations while building trust. Fully functional in minutes, Privacy Center offers integrated regulatory intelligence, an elegant consumer frontend, and an automated backend. The platform enables organizations to leverage robotic assistance to manage DSARs in a timely manner automatically.
Set up your Privacy Center now!