You can ask a private or public body (the controller) subject to the GDPR whether it holds your personal data and obtain a copy of the processed data.
The organisation must explain how your data has been used.
In particular, this right allows you to check whether your data is correct.
- You buy a product on the internet and would like to know what personal data has been kept by the retailer.
- You want to know the contents of your medical file.
- You want to know what personal data a social network holds about you.
- You want to know what personal data is stored on your supermarket loyalty card.
- You want to know the contents of your professional file with your employer.
- You would like to know what personal data a public authority holds about you.
What type of information can you request?
1. Confirmation that your personal data is being processed, together with the following information:
- the types (categories) of data processed (for example: identity such as surname or first name, connection data such as IP address, banking data such as IBAN number, etc.),
- the reasons (purposes) for processing your data and an explanation of the lawful basis that authorises the organisation to process it,
- how long your data will be kept,
- the organisations (recipients) with whom your data has been or will be shared. The organisation must provide the names of the recipient organisations unless this is impossible,
- explanations of how to exercise your other rights (rectification, erasure, restriction, objection), including the right to lodge a complaint with the CNPD,
- where your data comes from (data source) if it has not been collected directly from you (indirect data collection),
- if applicable, explanations of decisions taken on the basis of automated processes or profiling,
- if applicable, information on the transfer of your data to a country outside the European Union.
2. Access to your personal data, which means a copy of your data
In principle, you have the right to request a copy of your data free of charge, regardless of the medium on which it is stored (paper, digital). This will enable you to check the accuracy of your data.
In principle, the copy must contain all the information requested and be issued on a durable medium, i.e. one that you can easily refer to at a later date.
However, this right must not infringe the rights of any third party, whether natural or legal.
The processing of personal data in criminal and national security matters
You also have a right of access to the processing of personal data by the Police, the State Intelligence Service, the National Security Authority, the Army, the Financial Intelligence Unit and the Customs and Excise Administration.
You can ask for the following information:
- the purposes of the processing and its legal basis;
- the types (categories) of personal data concerned;
- the recipients or categories of recipient to whom the personal data has been disclosed, in particular recipients established in third countries or international organisations;
- where possible, the period for which the personal data is to be kept or, where this is not possible, the criteria used to determine this period;
- the existence of the right to request from the controller the rectification or erasure of personal data, or the restriction of the processing of personal data;
- the right to lodge a complaint with one of the two competent supervisory authorities and the contact details of that authority;
- communication of personal data being processed, together with any available information as to its source.
The modalities of this right of access are regulated by Articles 13 and 14 of the Act of 1 August 2018 on the protection of individuals with regard to the processing of personal data in criminal and national security matters.
The limits of the right of access
- in the case of information concerning a third party (e.g. a colleague): only your data may be communicated under the right of access. Similarly, if the right to obtain a copy of the documents affects a third party, a partial extract could, for example, be communicated,
- in the case of information infringing intellectual property rights,
- in the case of information infringing business secrecy or the confidentiality of correspondence,
- in the context of processing for scientific or historical research or statistical purposes, if this is not possible (in the event of an obstacle to the achievement of the specific purposes),
- in the event of unfounded or excessive requests (which it is up to the organisation to demonstrate).
Restrictions are possible on the above-mentioned grounds, but these cases should not systematically result in a general refusal to grant your request. It is up to the data controller to reconcile conflicting rights as far as possible and to provide appropriate solutions, such as anonymising third-party data.
Processing of personal data in criminal matters and in matters of national security
The data controller may restrict, in whole or in part, the right of access in order to:
- avoid hindering official or judicial investigations, enquiries or proceedings;
- avoid hindering the prevention, detection, investigation or prosecution of criminal offences or the execution of criminal penalties;
- protect public security;
- protect national security and defence; or
- protect the rights and freedoms of others.
How can you exercise your right of access and what procedure to expect?
- Identify the responsible organisation and the means of contacting it (information available on the organisation's website or in a document entitled: ‘information notice on data protection’, ‘confidentiality policy’, ‘privacy policy’, ‘legal notice’, etc.). Some organisations also offer direct access to your data on a secure digital space via a ‘my data’ or ‘dashboard’ section.
- Use your right of access:
  - Requests should preferably be made in writing (letter, e-mail or via an access request form on the organisation's website).
  - If you wish, you can use the CNPD model letter (data processing subject to the GDPR) to assert your right of access to the data controller.
  - In the case of processing of personal data relating to criminal matters or national security, please use the model letter for processing of data relating to criminal matters and national security.
  - You can already specify, if you wish, the type of data to which you are requesting access. If necessary, the data controller may ask you to specify the data when, for example, it processes a large amount of data about you.
- Potential verification of your identity: if, and only if, the organisation has reasonable doubts about your identity or needs to verify your identity, it may ask you to attach any document that proves your identity. If you use an already known means of identification such as an e-mail address or customer/member number, this should be sufficient for the organisation.
- The organisation searches for your data in its digital database(s) and paper files.
- The organisation sends you the information requested. When you exercise your right electronically, the information is provided electronically unless you have requested otherwise. The information must be sent to you in clear and simple terms and in a commonly used form.
How much time does the controller have to answer your request?
Within a maximum of 1 month from receipt of the request:
- either by acting on your request,
- or by informing you that they are unable to comply with your request and that you may lodge a complaint with the CNPD or take legal action,
- or, in the case of a complex request (for example: for a copy of all your data or for an organisation managing a large amount of data), by informing you of the extension of the initial deadline (by a maximum of two additional months) and the reasons for it.
Processing of personal data in criminal matters and in matters of national security
The data controller must respond to you as soon as possible.
If the organisation does not meet these deadlines or if you are not satisfied with its response and you decide to refer the matter to the CNPD, you can submit a complaint via our online form, taking care to attach supporting documents for your previous actions.
Do you have to pay any fees?
In principle, no payment may be required to provide you with the information requested, unless your requests are manifestly unfounded or excessive, in particular due to their repetitive nature. In this case, the data controller may either demand payment of a reasonable fee which takes account of the administrative costs incurred in providing the information or refuse to comply with your requests. Furthermore, if you request an additional copy of your personal data, the data controller may in some cases require payment of a reasonable fee based on administrative costs.
The data controller must explain to you why payment is required.