Right of access definition
The right of access, under the General Data Protection Regulation (GDPR), means that people can ask organizations if their personal data is being processed. It also grants the right to get a copy of the data and know why and how it’s being processed.
The right of access applies to any entity dealing with the data of European Union (EU) residents, even if the organization itself is not in the EU.
How the right of access applies
- Request for information. People can use their right to access by getting in touch with the organization that collects their data. Typically, they can do it by sending a formal request, often called a ‘data subject access request’ or ‘DSAR.’ They should be ready to provide proof of their identity to make sure that the data is disclosed only to the rightful owner.
- Information accessible. An individual has the right to receive information about:
- Whether their personal data is being processed
- The purposes for which their data is being processed
- The categories of personal data being processed
- Recipients to whom their data has been or will be disclosed
- The data retention period
- Their other rights under the GDPR, such as the right to rectification or erasure
- Response time. The GDPR mandates that organizations respond within one month of receiving the request. In certain cases, they can extend this period but should inform the data owner of any such extension and the reasons for it.
- No cost for basic requests. Organizations usually cannot charge people for making basic access requests. However, if a request is excessive or repetitive, they may charge a reasonable fee.