Key References:
- GDPR Art. 15
- GDPR Art. 12
- Recital 63
- DPC: Data Subject Access Requests – FAQs
History and key elements of Art. 15 Right of Access:
- Commonly known as a SAR (Subject Access Right) or DSAR (Data Subject Access Right), this is a constitutional right:
  - Art. 8(2) of the EU Charter states, “Everyone has the right of access to data which has been collected concerning him or her”.
  - The Data Protection Directive of 1995 (Directive 95/46/EC) codified the right to access personal data in Art. 41.
  - The GDPR codifies data subject access rights in Art. 15 and increases the obligations on controllers.
- GDPR Art. 15 SARs include:
  - the right to know whether personal data is being processed (significant when a controller acquires an individual’s data from third parties),
  - the right to request access to a copy of one’s personal data,
  - the right to supplemental information, such as the purpose of collection, the legal basis for processing, use, disclosure, source, storage and erasure of the data, and transfer of the data to third countries.
- Time: Controllers are required to fulfil DSARs within one month of receipt of the request. Art. 12(3) states that controllers may extend this by a further two months if necessary, taking into account the “complexity and number of the requests”. In that case, controllers are required to inform data subjects of the delay along with the reasons for it.
- Cost: Pursuant to Art. 12(5), controllers are typically required to fulfil DSARs free of charge. However, in limited scenarios where the request is “manifestly unfounded or excessive, in particular because of their repetitive character”, Art. 12(5)(a) permits the controller to charge a “reasonable fee” for fulfilling the DSAR, taking into account the administrative costs.
- Format:
  - Individuals can make DSAR requests verbally, in writing, or via social media (see the UK ICO guidance on the right of access).
  - Controllers must provide DSAR copies electronically when requests are made by electronic means, unless the data subject explicitly requests otherwise.
  - Recital 63 recommends that controllers fulfil DSARs in a secure manner.
- Limitations on DSARs:
  - Refusal: Controllers are required to provide data subjects access to their data. However, Art. 12(5)(b) states that in limited circumstances where the request is “manifestly unfounded or excessive, in particular because of their repetitive character”, a controller may “refuse to act on the request”. Note that Art. 12(5) further states that the controller shall bear the burden of demonstrating the manifestly unfounded or excessive nature of the request.
  - Competing interests: Recital 63 permits controllers to redact information of third parties, including protected information such as copyright or trade secrets, when fulfilling DSARs.
- DPC Guidance (additional reading):