Article 15
Right of access by the data subject
Overview:
Article 15 outlines the rights of the data subject to access their personal data processed by the data controller. This includes:
Paragraph 1:
- The right of the data subject to ask the controller whether their personal data is being processed.
- Details on the purpose of the processing.
- Details on the categories of personal data involved in the processing (e.g. name, address, email).
- Whether the data will be shared with third parties (recipients); if yes, the categories of the recipients and their details.
- How long the data will be stored and how the retention period was decided.
- The right of the data subject to request rectification, erasure, or restriction of processing.
- The data subject's right to lodge a complaint with a supervisory authority.
- If the personal data was not collected directly from the data subject, details and information about its source.
- If automated decision-making, including profiling, is involved in the processing of personal data, the controller needs to explain the logic involved and the consequences (impact) of that processing for the data subject.
Paragraph 2:
- The controller should inform the data subject if the data is transferred outside the EU to another country. The controller should also brief the data subject on the security measures/safeguards that apply to such a transfer.
Paragraph 3:
- The controller shall provide a copy of the personal data upon the request of the data subject. The first copy of the personal data must be provided for free.
- The controller can charge a reasonable fee for administrative expenses for subsequent copies of the data.
- If the data subject makes the request by electronic means, the controller shall provide the data in a commonly used electronic format.
Paragraph 4:
- While providing access to the personal data of a data subject, the controller should ensure that the access does not violate the privacy rights of other data subjects (e.g. medical records that include diagnosis reports of other family members, or email communication that contains details of multiple individuals).
- If the controller finds that fulfilling the access request would violate the rights of other data subjects, the controller can withhold that information and must inform the requester of the reason for doing so.
Implementation Guidance
- Establish a clear process for handling Data Subject Access Requests (DSARs)
- Prepare a data inventory
- Define processes and procedures for handling DSARs
- Keep a record of all transactions (requests, responses, etc.)
- Ensure that the team is trained to handle all the requirements mentioned in Article 15
- Ensure that the privacy policy addresses these requirements
- Publish a privacy notice addressing these requirements
Compliance Checklist
- Privacy policy
- Privacy notice
- Data Subject Notification Template
- Record of Processing Activities (ROPA)
- Data Subject Access Request (DSAR) Policy
- DSAR Procedure Document
- Data Subject Identity Verification Process
- Personal Data Inventory and Mapping Document
- Data Retention Policy
- DSAR Response Template
- Staff Training Records on DSAR Handling
- DSAR Log (Record of Requests and Responses)
- Data Processing Register (including purposes, categories, recipients, retention periods)
- Automated Decision-Making and Profiling Documentation (if applicable)
- Data Protection Impact Assessment (DPIA) for high-risk processing activities
- Information Security Policy
- Data Breach Response Plan
- Consent Management Records
- Third-party Data Sharing Agreements
Examples and Use Cases
- A customer of an online apparel portal requests details of the personal data the portal holds about them. The portal provides the customer's personal data it holds, the customer's marketing preferences, and an explanation of how the data is being used. It also provides a link to the privacy notice and asks the customer to verify the data and report any change that is required.
- A patient submits a request to a health care provider about the personal data being processed. The health care provider provides all the information, including name, address and details of medical test reports, and also explains how the data is being used for further treatment and diagnosis.
- A customer requests all the data related to a complaint raised against a store employee. The store withholds the personal data of the store employee and provides all the other requested data to the customer. It also gives the justification for withholding the employee's personal data: disclosing it would violate the privacy rights of the store employee.