You can exercise your right of access by contacting the controller directly and ask to obtain the personal data he concerning you and certain additional information.
- You buy a product on the Internet and want to know what information has been stored by the online store.
- Your car has been scratched during your absence while you were parked in a parking under videosurveillance and you would like to consult the images relating to the location of your car.
- You want to know what information a social network has about you
- You want to know what personal data your supermarket has about you.
What type of information can you request?
First of all, you can obtain from the controller the confirmation whether or not personal data concerning you are being processed by the company or organization you are addressing.
Where it is the case, you can request a copy of the personal data processed. You can also request the following information:
- the purposes of the processing;
- the categories of personal data concerned;
- the recipients or categories of recipient to whom the personal data have been or will be disclosed, in particular recipients in third countries or international organizations;
- where possible, the envisaged period for which the personal data will be stored, or, if not possible, the criteria used to determine that period;
- the existence of the right to request from the controller rectification or erasure of personal data or restriction of processing of personal data concerning the data subject or to object to such processing;
- the right to lodge a complaint with a supervisory authority;
- where the personal data are not collected from the data subject, any available information as to their source;
- the existence of automated decision-making, including profiling, referred to in Article 22(1) and (4) and, at least in those cases, meaningful information about the logic involved, as well as the significance and the envisaged consequences of such processing for the data subject.
Finally, where personal data are transferred to a third country or to an international organization, the data subject shall have the right to be informed of the appropriate safeguards provided by Article 46 relating to the transfer.
How can you exercise your right of access?
By contacting the controller directly, preferably in writing or electronically.
If you wish, you can use the sample letter of the CNPD to exercise your right of access.
The data controller is defined by the GDPR as “the natural or legal person, public authority, agency or other body which, alone or jointly with others, determines the purposes and means of the processing of personal data”
The controller may ask you additional information necessary to confirm your identity, if he has reasonable doubts about it.
How should the information be provided to you?
The confirmation that personal data concerning you are or are not being processed, and the eventual additional elements of information, must be communicated by written or by other means, including, where appropriate by electronic means.
When you exercise your right of access in electronic form, the information shall be provided electronically whenever possible, unless you have requested otherwise.
The information must be communicated to you in a concise, transparent, understandable and easily accessible manner, with clear and simple terms.
How much time does the controller have to answer your request?
The confirmation that personal data concerning you are or are not processed, as well as any additional information, must be sent to you as soon as possible, within one month after the reception of the request.
If necessary, this period may be extended to two months, taking into account the complexity and the number of applications. In this case, the controller must inform you about this delay within one month after the reception of the request.
Do you have to pay any fees?
Information shall be provided free of charge. If your request are manifestly unfounded or excessive, in particular because of their repetitive character, the controller may either charge a reasonable fee taking into account the administrative costs of providing the information or refuse to act on the request.
Furthermore, if you request any further copies, the controller may charge a reasonable fee based on administrative costs for each additional copy.