Right of access
Data subjects have the right to receive confirmation from the controller on whether or not the controller is processing personal data that concerns them. The data subjects thus have the opportunity to evaluate and ensure the legality of the processing.
If data concerning the data subject is being processed, the controller must provide the data subject with a copy of the personal data being processed. If the data subject makes the request electronically, the data must be provided in a commonly used electronic format unless otherwise requested by the data subject.
The data subject also has the right to be informed of
- the purposes of processing
- the categories of personal data being processed
- the recipients or groups of recipients, especially international organisations or recipients located in third countries, to whom the personal data have been or will be disclosed
- the safeguards employed if personal data is transferred to a third country or international organisation
- the planned storage period of the personal data or, if providing this information is not possible, the criteria for defining the storage period
- the data subject's right to request the rectification or erasure of personal data concerning him or her, the right to restriction of processing of the personal data, and the right to object to such processing
- the right to lodge a complaint with a supervisory authority
- if the personal data was not collected from the data subject, all available information on the origin of the data and
- the possible use of automated decision-making (including profiling), and information relevant to the processing logic, the significance of the processing and its potential consequences for the data subject.
The person must be informed of the processing of his or her personal data. Therefore, where necessary, the controller must compile the information provided to the data subject on a case-by-case basis. A mere reference to the privacy statement is not sufficient in all cases.
For example, the data subject must be given precise information on the purposes of the processing of his or her personal data and recipients or categories of recipients of his or her personal data. At the request of the data subject, the controller shall name the actual recipients of the data, unless it is impossible to identify the recipients.
How quickly is the controller required to reply to the data subject’s request?
The controller must respond to the data subject without undue delay and no later than one month from receiving the request. In the reply, the controller shall indicate the measures it has taken in response to the request.
If the requests are numerous or complex, the controller can reply that it needs more time to process them. In such cases, the deadline can be extended by a maximum of two months. Justifications must be provided for the extension.
If the controller refuses the data subject's request, it must notify the data subject of this within one month of receiving the request. The refusal must be justified to the data subject. In addition, the controller must also inform the data subject of the possibility of lodging a complaint with the supervisory authority and the availability of judicial remedies.
Can the request be refused?
As a rule, the rights of the data subject must be fulfilled. The data subject’s right to access his or her data may only be restricted for legal reasons.
A controller must have a legal basis for refusing the data subject’s request. Article 12 and Article 15(4) of the EU’s General Data Protection Regulation and Sections 31 and 34 of the Data Protection Act provide for the grounds for refusal. The data subject can then refer the matter to the Data Protection Ombudsman.
A controller can refuse the subject’s request in the following situations:
- The right to obtain a copy of the data would have a detrimental effect on the rights and freedoms of others.
- The data subject's requests are manifestly unfounded or excessive, particularly if they are made repeatedly.
  - The controller bears the burden of demonstrating the manifestly unfounded or excessive nature of the request.
  - Alternatively, the controller can charge a reasonable fee for fulfilling the request.
- Providing access to the data could harm national security, defence or public order and security or hamper the prevention or investigation of criminal offences.
- Providing access to the data could cause serious danger to the data subject's health or care or to the rights of the data subject or another person.
- Personal data are used in carrying out supervisory or inspection duties, and withholding access to the data is indispensable in order to safeguard an important economic or financial interest of Finland or the European Union.
In addition, it is possible to derogate from the right to access data under certain conditions in connection with carrying out scientific or historical research or preparing statistics.
If the basis for refusal only applies to a part of the data, the data subject has the right to be informed of the remaining data concerning him or her.
If the controller refuses the data subject's request, it must notify the data subject of this within one month of receiving the request. The data subject must be informed of the reason for refusal, unless this would jeopardise the purpose of the refusal. In addition, the controller must also inform the data subject of the possibility of lodging a complaint with the supervisory authority and the availability of judicial remedies.
If the fulfilment of the right is refused, the requested data must be disclosed to the Data Protection Ombudsman upon the data subject's request.
This right may also be limited, for example, by the fact that it would harm the rights and freedoms of other people.
Where the information provided to the data subject also includes information concerning other persons, the controller shall weigh whether providing the information may jeopardise their rights and freedoms. However, the controller cannot automatically refuse to provide the data to the data subject solely because the data also contain information concerning other people. In other words, the controller must consider each situation case by case.
The controller shall take appropriate steps to ensure that the data subject's right of access to his or her data is implemented as fully as possible. This may mean, for example, hiding other people's personal data, such as masking other people in video recordings.
How should the data subject make a request for access?
The GDPR does not contain any formal requirements for requests for access to data. It does not prohibit the request from being made orally either.
Controllers should provide contact channels for requests that are as appropriate and user-friendly as possible.
They cannot require that only a specific contact channel, such as a form, is used to submit the requests. As a rule, the controller cannot refuse to process the request even if it has been made through a channel other than the primary contact channel. In this case, the controller must assess whether the data subject’s identity needs to be confirmed, for example, with additional questions. The controller can refuse to process the request only if the identity of the person making the request cannot be established despite attempts.
People usually exercise the right of access to their own data themselves, but it is possible for a third party to make a request on behalf of the data subject. For example, a guardian or other legal representative can usually make a request on behalf of minors, or the data subject can authorise another person to act on his or her behalf. In certain situations, a trustee may also have the right to submit a request on behalf of the data subject.
The controller shall ensure that a person acting on behalf of the data subject has the right to make a request on his or her behalf. For example, in the case of minors, it must be ascertained whether the person making the request is the legal representative of the child or has another right to access the information. For example, a child may prohibit the disclosure of information to a guardian if he or she is sufficiently mature to make such a decision. In such situations, the child’s ability to make decisions concerning him- or herself must be assessed and the child’s rights and interests must be taken into account.
A storage period must be specified for all personal data in the controller’s possession. Requests concerning the data subject’s rights include personal data concerning them, such as their name, contact details or personal identity code. In certain sectors, such as social welfare and health care, the data subject’s request may contain special personal data or confidential information, such as health data. Therefore, it is also necessary to specify the storage period for requests for access and the related message exchange.
The personal data shall be kept in a format that enables the data subject to be identified for no longer than is necessary for the purposes of the processing. Only personal data necessary for the processing must be processed. These requirements must also be taken into account when determining the storage period of data. When determining the storage period, the secure processing of data must also be taken into account.
It is also necessary to assess for how long a request for access and the related message exchange is justified to be stored. This may be influenced by the controller’s sector and the obligations arising from legislation.
In what format should the information be provided to the data subject?
The data subject has the right to access all personal data concerning him or her regardless of the form of the data. As a rule, data subjects also have the right to access information in a non-text format, such as radiographs or magnetic resonance images from health care, or call or surveillance camera recordings.
The data shall be provided in a generally available format and shall correspond to the data actually processed by the controller regarding the data subject.
The data subject has the right to receive a copy of the information concerning him or her so that he or she can return to the information he or she has received afterwards. This means that the possibility of viewing or listening to a recording at the controller’s office cannot be the only way of implementing the right of access.
Is it possible to charge a fee from the data subject?
As a rule, the exercise of rights is free of charge. However, the controller can charge a reasonable fee corresponding to the administrative costs of fulfilling the request if the data subject requests several copies of the data.
The controller is also entitled to charge a reasonable fee for fulfilling the request if the data subject’s request is manifestly unfounded or excessive. Alternatively, the controller can refuse the request.
Requests can be considered manifestly unfounded or excessive particularly if they are made repeatedly. The controller bears the burden of demonstrating the manifestly unfounded or excessive nature of the request.
The administrative costs of supplying the information or messages or carrying out the requested measure must be taken into account when determining the amount of any fee.
The data subject has the right to request access to the same information free of charge at reasonable intervals. However, a fee may be charged for repeated requests for the same information.
Whether the request has been made at reasonable intervals or whether the requests are considered to be repeated must always be assessed on a case-by-case basis. It is essential to understand whether this is a new request or whether the data subject requests additional copies of the same information that they have received within a short period of time.
When assessing the frequency of requests, it is a good idea to take into account, for example, how often the data subject’s data changes. The more frequently the data change, the more often the data subject has the right to request the data without it being considered unreasonable.
In addition, it should be taken into account whether the data subject has provided arguments based on which the request cannot be considered to be repeated or unfounded. For example, the data subject may present a justified reason why he or she no longer has access to previously received information.
When the previous Personal Data Act was in force, the data subject had the right to receive the data once a year free of charge. Under the GDPR there is no longer a one-year time limit for charging fees, and the controller must assess what constitutes reasonable intervals between requests on a case-by-case basis.
Confirming the identity of the data subject
The controller must be able to confirm the identity of the data subject exercising his or her data protection rights. If the controller has reasonable doubts concerning the identity of the person who made the request, it can request the provision of additional information necessary to confirm his or her identity.
The GDPR does not contain provisions on how the data subject’s identity must be confirmed. The principle of data minimisation must be followed in the confirmation of identity, and as a rule, no more data may be collected for the purpose of confirming identity than the controller already has in its possession.
If the controller is unable to identify the data subject, it must notify him or her of this where possible.
If the controller refuses the data subject’s request due to not being able to identify the data subject, it must demonstrate that it is unable to confirm the identity of the data subject.
If the data subject cannot be identified, he or she cannot exercise the right
- of access to data
- to rectification of data
- to erasure of data
- to restrict the processing of data or
- to data portability.
Appropriate procedures for verifying identity often already exist in the organisation. The controller may have verified the identity of the data subject, for example, before concluding the contract or requesting consent for the processing of personal data. In this case, the identity can be confirmed by comparing the data of the person who made the request with data already in the controller’s possession regarding the data subject. The request for additional information shall not lead to the collection of irrelevant or unnecessary personal data.
The controller is obliged to facilitate the exercise of the data subject’s rights. Confirmation of identity must not lead to difficulties in the exercise of rights. For example, the controller cannot, as a rule, demand that a request be made on site at the controller’s office. The use of identity cards to verify identity must be carefully considered. Primarily, the identity should be confirmed by other means.
The methods of confirming identity must also take into account the different situations of the data subjects: for example, the possibilities of older people or persons in a vulnerable position to visit an organisation’s office or use electronic systems may be limited. Children also have the right to access information concerning them, but they may not have the tools needed for electronic identification. In other words, the controller must assess how it is able to take different people into account and implement their rights as comprehensively as possible.
When is confirming the data subject's identity not necessary?
Personal data may be kept in a form which permits identification of data subjects for no longer than is necessary for the purposes of processing.
If the personal data that permit the identification of the data subject is not necessary for the purpose of processing, the GDPR does not obligate controllers to keep, obtain or process such additional data solely for the purpose of compliance with the GDPR.