In this multipart guide we assess your rights and obligations under the rapidly approaching GDPR, equipping you with the knowledge to stay compliant once the new regulation comes into force.
“The GDPR clarifies that the reason for allowing individuals to access their personal data is so that they are aware of and can verify the lawfulness of the processing.”
- Recital 63, on the Right of Access under the upcoming GDPR
Right of access
Under the EU’s General Data Protection Regulation, every individual (the data subject) has the right to access the personal data held about them, together with supplementary information about how it is processed. The purpose of the right is that the individual is aware of, and can verify, the lawfulness of the processing carried out by the organisation holding the data.
Complying with an access request
As a business, you need to be able to give any individual who asks: confirmation of whether their personal data is being processed; access to that personal data; and the supplementary information listed in Article 15, including the purposes of the processing, the categories of data concerned, the recipients, the envisaged retention period, the source of the data where it was not collected from the individual, and the existence of any automated decision-making. Much of this mirrors what should already appear in your privacy notice.
Before fulfilling a data access request, you are obligated to verify the identity of the person making it using ‘reasonable means’. Article 12(6) allows you to ask for additional information where you have reasonable doubts about the requester’s identity, but the check must be proportionate: collect no more identifying data than the verification actually needs (the data minimisation principle still applies), and do not use identity checks as a way to stall a request you could otherwise answer.
How to present the information
While no particular presentation method is prescribed, the GDPR includes a best practice recommendation that, where possible, organisations should provide remote access to a secure self-service system giving the individual direct access to his or her information (Recital 63).
This will not be appropriate for all organisations, but it should be used where possible. The GDPR does state that if the request is made by electronic means, you should provide the information in a commonly used electronic form, unless the individual asks for it in another form (Article 15(3)).
The right to obtain a copy of personal data, or to access it through a remote secure system, must not adversely affect the rights and freedoms of others (Article 15(4)). In practice this means that where a record also contains another person’s personal data, you need to consider redacting or withholding that part rather than simply handing over the whole record.
How long do I have to comply?
Access requests must be fulfilled without undue delay, and in any event within one month of receipt. This period may be extended by a further two months where requests are complex or numerous. If you rely on the extension, you must inform the individual within one month of receipt of the request, giving the reasons for the delay.
Can I charge an administrative fee?
This information must be supplied free of charge, although you are entitled to charge a ‘reasonable fee’ when a request is manifestly unfounded or excessive, particularly if the applicant has made multiple, repetitive requests. The burden of demonstrating that a request is manifestly unfounded or excessive rests with you, not the individual, so record your reasoning.
If the individual then requests further copies of the same information, you may charge a ‘reasonable fee’ for those copies; however, this does NOT mean you can charge for all subsequent data access requests.
Either way, any fee charged must be based on the administrative cost of providing the information.
Dealing with excessive or unfounded data requests
If you believe a data access request to be manifestly unfounded or excessive, you may either charge a reasonable fee, taking into account the administrative costs of providing the information, or refuse to act on the request.
If you refuse to act on a request, you must tell the individual why, without undue delay and at the latest within one month of receiving the request, and you must also inform them of their right to lodge a complaint with the supervisory authority and to seek a judicial remedy.
Where you process a large amount of data about the individual, the GDPR permits you to ask them to specify the information or processing activities the request relates to before you respond. Note that the GDPR does NOT include an exemption for requests that relate to large amounts of data, though you may consider whether such a request is manifestly unfounded or excessive.
To find out more about GDPR compliance within your business and best practice for data processing, give MarketDeveloper a call today on +44 1784 432 082.