Exercising your GDPR Rights – your right of access: Receiving information about your data
Your Right of Access
The GDPR gives individuals in the EU a set of data protection rights that can be asserted against those who are using our personal data on a scale like never before.
However, what does it mean to assert those rights in practice? And what can we do as individuals to ensure that those companies and governments respect and uphold our rights?
The GDPR refers to the private and public entities who decide why and how our personal information is used as “controllers”. By accessing their services or using their products, controllers can build up a detailed profile of you. Controllers do this so they can advertise other services or products to you, direct you to other content, or sell your information to third parties.
The GDPR requires controllers to make use of this data in a way that is legal and upholds your rights. If a controller breaks these rules, they may be subject to penalties such as a fine.
However, to know if a controller is violating your data protection rights, you may first need to know more about the data they already have on you.
Article 15 as your initial enforcement tool
Article 15 GDPR (also known as “a right of access”) allows you to know what information companies have about you, why they have it, and what they are doing with it.
Think of Article 15 as your preliminary tool for enforcing your data rights; without the information to which you are entitled under Article 15, successfully enforcing your other data rights will likely be more difficult. For example, you would not be able to ensure that a company deletes all the data it has on you if you do not know the full extent of what they have in the first place. By exercising your right of access, you may also discover that some of your other data rights are being violated by a controller without your knowledge.
What can Article 15 do for me?
Article 15 GDPR provides you with several different but related rights. It provides you with:
- a right to know whether the controller has data about you, and if so, what that data is;
- a right to information about that data (e.g. who receives it, why does the controller use it, how long will it be kept, where they obtained it from);
- a right to a copy of this data and information – free of charge.
The difference between “your data” and “information about your data” is subtle yet important. If you ask a controller only for a copy of your data, all you might receive in return is a copy of the personal data they have collected about you (e.g. your age, date of birth, sex, nationality, etc). While this is a good start, this will not give you the full picture to which you are entitled under Article 15 GDPR.
Your right of access to information about that data entitles you to be informed of all the following:
- why the controller has that data about you;
- the categories of that data, such as if the data is sensitive and requires special protection;
- if the controller has shared your data with third parties and if so, who those parties are;
- for how long the controller stores your data;
- the other rights you have against a controller, including the right to correct your data, to delete your data (in certain circumstances), or to restrict or object to the controller using your data;
- if the controller did not get your personal data directly from you, any sources they did get it from;
- if the controller uses your data in an automated decision-making process, such as for AI purposes or where your data is entered into an algorithm, “meaningful” information about the logic behind that algorithm, and the significance and consequences the controller foresees for using your information in this way;
- if the data are sent outside of the European Union and, if so, which safeguards are in place to protect your data.
How do I exercise these rights? Making a subject access request
The best way to exercise your rights under Article 15 is to request a copy of the data and information above – this process is sometimes referred to as “making a subject access request” or “making an access request”. Making an access request is as easy as tying your shoelaces – it seems daunting at first, but is simple once you know how.
An access request can be done by email, letter, or even fax, as long as you leave a written record of the request. You can simply email (or address your letter to) a company or state body whose usage of your data you want to know more about.
Specify your name or other identifier used by the controller (e.g an account username) and that you are seeking a confirmation that the controller is processing your data, a copy of all data being processed, and any additional information you would like to have about that data (see our list above).
Include the date in the text if you put your request in an attachment to the email or in a letter. This clarifies the controller’s deadline for providing the information.
To help the controller address your request more efficiently, include some information that would help to identify your account, such as your phone number (if you gave it when you signed up), username or account name, or IP address. This will be particularly helpful if you have a common first name and surname.
Specify how you would like to receive the information (eg. electronically, via an email address).
If you prefer, you can also use the tools provided by mydatadoneright.eu. Their system will write and send the access request for you.
Once the controller receives your request, they have one month to respond.
The controller must communicate this information to you in a concise manner that:
- uses unambiguous language (it should be clear what is happening to your data)
- provides you with concrete and definitive information,
- no abstract phrases or ambivalent explanations, such as “data may be transferred to a third country”,
- refrains from using overly legalistic, technical or specialist language or terminology,
- avoids information fatigue (i.e. it does not deliberately overwhelm you with information).
Generally, this information must be provided to you in writing, but it can be communicated to you via electronic means (eg via email), or it can be provided orally if you request it.
What should I do if I find my rights have been violated?
If you receive this information and subsequently find that your other data protection rights have been infringed by the controller, you may be entitled to have your data deleted or corrected, restrict the controller from processing your data further or file a complaint about the controller with a data protection authority (see our “Exercise your rights” page).
If you need assistance in assessing the legal elements of a controller’s reply, you can contact us at firstname.lastname@example.org to discuss further steps.