In short, right of access means data controllers are required to provide data subjects a copy of their processed personal data upon request.
Article 12 introduces the concept (all emphasis added unless otherwise stated):
The controller shall take appropriate measures to provide any information […] relating to processing to the data subject in a concise, transparent, intelligible and easily accessible form, using clear and plain language, in particular for any information addressed specifically to a child.
What Shall Be Provided
Article 15 outlines the right of access in greater detail. First and foremost, data subjects have the right to confirm if controllers in fact process their personal data. Should the answer be yes, subjects may then request the following:
- A copy of the personal data undergoing processing
- Purpose of processing
- In particular, if automated decision-making or profiling takes place, and if so, the logic involved, significance and likely consequences of such processing
- Categories of data processed (e.g., name, address, online browsing behavior)
- Any third party recipients of this personal data, both backward or forward looking, especially recipients in third countries (i.e. countries outside of the EU)
- What safeguards are in place to protect the data being transferred
- Any third party sources of data subject’s personal data (i.e. not collected from the data subject directly, for instance by purchasing said data from another source that previously collected the data directly)
- How long such personal data would be stored, or if that’s not determinable, how the length of this period would be determined
- The existence of the rights to:
- Restriction of processing
- Objection to processing
- Complain to a supervisory authority
Article 15(3) outlines the following requirements:
- Free copy: The first request for a copy of processed personal data shall be free
- Subsequent copies: Further requests may be charged “a reasonable fee”
- Electronic copies: Unless otherwise requested by the data subject, electronic requests for data copy shall be provided in commonly used electronic form (we expect formats such as .csv and .txt would be most prevalent)
Article 11 relaxation for non-identifying processing
According to Article 11, if data controllers process personal data for purposes that do not require the identification of a data subject, then they shall not need to process additional information solely to comply with the GDPR, provided that the controller can “demonstrate that it is not in a position to identify the data subject”. A data subject may override this relaxation by providing to the data controller additional information that can enable his or her identification.
To illustrate what this means, consider a controller that offers a free computer plug-in that checks user writing for grammar errors. The plug-in works across multiple apps and offers a feature that highlights repeat offenses to help the user fix the error. To do this, the data controller must process personal data such as device name, app name, date & time of writing, and writing content, though it does not process this data additionally to identify the data subject.
The controller then receives a request from a data subject for a copy of all personal data processed on her. The controller is unable to do so, however, because the personal data it has processed is insufficient to distinguish the said data subject from other users. The controller may then inform the data subject that it will not be fulfilling the request.
This relaxation should therefore be viewed as a safe harbor for cases where processed data are non-identifying in both purpose and effect. It should not be interpreted as a broad exemption for controllers to bypass consent and other requirements.