The right of access (known as subject access) is a fundamental right of the General Data Protection Regulation (GDPR). It allows individuals to find out what personal data is held about them and to obtain a copy of that data.
Following on from the initial GDPR guidance on this right (published in April 2018), the ICO has now drafted more detailed guidance that explains in greater detail the rights that individuals have to access their personal data and the obligations on controllers. The draft guidance also explores the special rules involving certain categories of personal data, how to deal with requests involving the personal data of others, and the exemptions that are most likely to apply in practice when handling a request.
As the guidance explains, individuals have the right to obtain the following from a controller:
- Confirmation that you are processing their personal data;
- A copy of their personal data; and
- Other supplementary information.
Individuals also have the right to receive the following information (which largely corresponds with the information that you should provide in a privacy notice):
- Your purposes for processing;
- Categories of personal data you’re processing;
- Recipients or categories of recipient you have or will be disclosing the personal data to (including recipients or categories of recipients in third countries or international organisations);
- Your retention period for storing the personal data or, where this is not possible, the criteria for determining how long you will store it;
- The individual’s right to request rectification, erasure or restriction or to object to processing;
- The individual’s right to lodge a complaint with the Information Commissioner’s Office (ICO) or another supervisory authority;
- Information about the source of the data, if it was not obtained directly from the individual;
- The existence of automated decision-making (including profiling) and information about the logic involved, as well as the significance and envisaged consequences of the processing for the individual; and
- The safeguards you have provided where personal data has or will be transferred to a third country or international organisation.
Under the right of access, an individual is only entitled to their own personal data.
ICO is running a consultation on the draft guidance to gather the views of stakeholders and the public, which closes on 20 February.
You can respond to this consultation via the online survey or you can download the document and email it to: SARguidance@ico.org.uk