Article 15 of the GDPR: Right of access of the data subject

Article 15 of the GDPR enshrines the Right of access personal data. It allows anyone to know if data concerning them is being processed and to obtain a copy, accompanied by precise information on this processing.

Article 15 of the GDPR explained

The data subject has the right to obtain from the controller:

Confirmation that data concerning it is or is not processed;
Access to this data;
And the following information:
- Purposes of processing,
- Categories of data concerned,
- Recipients or categories of recipients,
- Expected shelf life,
- Existence of rights of rectification, erasure, limitation or opposition,
- Right to complain to a supervisory authority,
- Source of data (if not collected from the person),
- Existence of automated decision-making.

The person can also request one free copy its data (electronic format for an online request).

Why is this article important for your GDPR compliance?

The right of access is one of the most requested by individuals. Failure to respond on time or provide incomplete responses exposes you to strong penalties. It's a GDPR key maturity indicator for any organization processing personal data.

How to comply with Article 15 of the GDPR?

Set one up internal procedure for managing access requests with designation of a referent (DPO or other).
Keep a record of requests received and responses provided.
Provide an answer in a period of one month, unless complexity is justified.
Prepare a response template with all the required information.

Examples of application of Article 15 of the GDPR

A health service customer requests access to their medical file: the establishment gives them a secure copy within 30 days.
An employee asks what HR data concerns him: the company provides a file including pay slips, evaluations and time records.
An online platform allows users to directly download their data from their account.