The General Data Protection Regulation (GDPR) is a set of European Union laws that sets guidelines for how companies must handle the personal data of customers and employees.
It gives individuals more control over their data, including the right to access it, have it corrected or deleted, and even transfer it to another company.
Understanding how the GDPR works can help ensure your rights are respected when handling your personal information. In this post we will answer the question “How to access your personal data under the GDPR”.
Read more about your GDPR rights here: https://www.mycase.ie/post/gdpr-for-individuals-your-rights-under-the-gdpr
What Is The Right Of Access?
The General Data Protection Regulation (GDPR), under Article 15, gives individuals the right to access the data held by companies. These requests are often referred to as ‘data subject access requests’, or ‘access requests’.
This means you have the right to know what kind of information is being collected about you, why it’s being collected and how it’s being used. You also have the right to access all your data, free of charge, in an easily readable format.
Here's what you need to know about accessing your personal data under the GDPR.
1. Know Your Rights
First and foremost, you should familiarise yourself with the GDPR and understand your rights as a data subject. The GDPR gives individuals the right to access personal information, have it corrected or deleted, and even transfer it to another company.
Knowing what these rights are will help you assert them when necessary. Under the GDPR, you have the right to:
- Access Your Information: You have the right to access your data held by a company. This includes any information they have collected about you and how it is used.
- Have Data Corrected Or Deleted: If inaccurate or incomplete data is stored in your profile, you have the right to request that it be corrected or deleted.
- Transfer Your Data: You also have the right to transfer your data from one company to another in a secure and commonly used format.
2. Request Access
If you want to access your data, you must make a formal request to the company that is collecting the information. This request should be made in writing and include details about what information you’re requesting and why. You may also need to provide identification documents such as a passport or driver’s license.
3. Receive Your Data
Once the company receives your request, they must respond within one month. They should provide your personal data in an easily readable electronic format and explain its use.
If the company doesn’t comply with your request or charges a fee for providing the information, you may have grounds to file a complaint with the relevant supervisory authority.
4. Understand Your Data
Once you receive your data, review it carefully and ensure that it is accurate and up-to-date. If you find any errors or omissions, you can contact the company and request they make changes to correct them.
Why Is Accessing Your Personal Data Important?
Accessing your personal data is essential because it gives you the power to take control of your information. By knowing what’s being collected about you, how it’s being used and who has access to it, you can ensure that your data is secure and only used for legitimate purposes.
Understanding your rights under the GDPR can also help you protect yourself from data breaches and identity theft. Identity theft can have serious consequences, so it’s important to take steps to protect yourself.
By accessing your personal data, you can make sure that it is accurate and up-to-date. This will help ensure that companies only use your data for legitimate purposes and do not share it with third parties without your consent. It also enables you to take control of your data and ensure that it is being used in a way you are comfortable with.
How Do I Make An Access Request Under Data Protection Law?
If you want to make an access request under data protection law, there are a few steps you need to take.
1. Make Your Request In Writing
Submit your request promptly and in writing via email or a physical letter. Be sure to explicitly state that you are making an access request, also known as a data subject access request; this way, both parties will have documented evidence of the details should any issues arise later on.
Some large companies even allow users to download their personal information via their websites instantly. Companies must respond to requests within one month.
2. Specify What Information You Want To Access
When making your request, specify exactly what information you want access to and why. This could include contact details, bank account numbers, or any other personal data the company has collected about you.
Depending on the type of information requested, the company may need additional proof of identification to confirm your identity before releasing your data.
3. Contact The Relevant Data Protection Officer
The GDPR also requires companies to appoint a Data Protection Officer (DPO) responsible for handling access requests. If the company doesn’t have a designated DPO, you can contact the company directly and ask how it handles access requests.
4. Send Proof Of Your Identity
To process your request, the company may need proof of your identity. They may require a copy of your passport, driver’s license or other forms of identification to verify who is making the request.
If the department cannot verify the identity of a requester or has concerns over its authenticity, it will pause the one-month timeline until proper identification has been established.
Where requests are complex or numerous, an extension of up to two months may be given for compliance. Should this happen, you'll be notified within one month and told why such an extension is required.
5. Costs
Subject Access Requests are free of charge. Nevertheless, the department reserves its right to levy a 'reasonable fee' if your request is excessive or repetitive. The Data Controller is also allowed to charge a reasonable fee, based on administrative costs, where an individual requests additional copies of their personal data undergoing processing.
6. Complaints
If you are unhappy with the response you receive from the company, you may have grounds to file a complaint with the relevant supervisory authority. They will investigate your complaint and take action as needed.
Are There Any Limits To My Right Of Access?
Under Article 12(5) GDPR, companies may restrict access to your data in limited circumstances. This includes when access would reveal the personal data of another individual or when it would undermine the rights and freedoms of others.
In these cases, companies must provide a reason why they have restricted access to your data and provide alternative remedies, such as allowing you to change the information or correct any errors in the data.
The GDPR also states that companies have the right to refuse requests for access if it would require a disproportionate effort or if it would be impossible for them to comply due to technological constraints. If this is the case, they should explain why they cannot respond to your request and offer alternative remedies.
The Bottom Line!
The General Data Protection Regulation (GDPR) gives individuals the right to access their own personal data held by companies. This includes any information they have collected about you and how it is used.
Knowing your rights under the GDPR can help you protect yourself from data breaches and identity theft and ensure that your data is handled responsibly. If you want to access your data, you must make a formal request to the company collecting it and provide proof of identification if necessary.
The company should provide your data in an easily readable format within one month. If you are unhappy with the response you receive from the company, you may have grounds to file a complaint with the relevant supervisory authority. They will investigate your complaint and take action as needed.