Right of access

Data subjects have the right to receive confirmation from the controller on whether or not the controller is processing personal data that concerns them. The data subjects thus have the opportunity to evaluate and ensure the legality of the processing.

If data concerning the data subject is being processed, the controller must provide the data subject with a copy of the personal data being processed. If the data subject makes the request electronically, the data must be provided in a commonly used electronic format unless otherwise requested by the data subject.

The data subject also has the right to be informed of

  • the purposes of processing
  • the categories of personal data being processed
  • the recipients or groups of recipients, especially international organisations or recipients located in third countries, to whom the personal data have been or will be disclosed
  • the safeguards employed if personal data is transferred to a third country or international organisation
  • the planned storage period of the personal data or, if providing this information is not possible, the criteria for defining the storage period
  • the data subject's right to request the rectification or erasure of personal data concerning him or her, the right to restriction of processing of the personal data, and the right to object to such processing
  • the right to lodge a complaint with a supervisory authority
  • if the personal data was not collected from the data subject, all available information on the origin of the data and
  • the possible use of automated decision-making (including profiling), and information relevant to the processing logic, the significance of the processing and its potential consequences for the data subject.

How quickly is the controller required to reply to the data subject’s request?

The controller must respond to the data subject without undue delay and not later than in one month from receiving the request. In the reply, the controller shall indicate the measures it has taken due to the request.

If the requests are numerous or complex, the controller can reply that it needs more time to process them. In such cases, the deadline can be extended by a maximum of two months. Justifications must be provided for the extension.

If the controller refuses the data subject's request, it must notify the data subject of this within one month of receiving the request. The refusal must be justified to the data subject. In addition, the controller must also inform the data subject of the possibility of lodging a complaint with the supervisory authority and the availability of judicial remedies.

Is it possible to charge a fee from the data subject?

As a rule, the exercise of rights is free of charge. However, the controller can charge a reasonable fee corresponding to the administrative costs of fulfilling the request if the data subject requests several copies of the data.

The controller is also entitled to charge a reasonable fee for fulfilling the request if the data subject’s request is manifestly unfounded or excessive. Alternatively, the controller can refuse the request.

Requests can be considered manifestly unfounded or excessive particularly if they are made repeatedly. The controller bears the burden of demonstrating the manifestly unfounded or excessive nature of the request.

The administrative costs of supplying the information or messages or carrying out the requested measure must be taken into account when determining the amount of possible fee.

Can the request be refused?

As a rule, the rights of the data subject must be fulfilled. A controller must have a legal basis for refusing the data subject’s request, and the data subject can then refer the matter to the Data Protection Ombudsman.

A controller can refuse the subject’s request in the following situations:

  • The right to obtain a copy of the data would have a detrimental effect on the rights and freedoms of others.
  • The data subject's requests are manifestly unfounded or excessive, particularly if they are made repeatedly. The controller bears the burden of demonstrating the manifestly unfounded or excessive nature of the request. Alternatively, the controller can charge a reasonable fee for fulfilling the request.

If the basis for refusal only applies to a part of the data, the data subject has the right to be informed of the remaining data concerning him or her.

If the controller refuses the data subject's request, it must notify the data subject of this within one month of receiving the request. The data subject must be informed of the reason for refusal, unless this would jeopardise the purpose of the refusal. In addition, the controller must also inform the data subject of the possibility of lodging a complaint with the supervisory authority and the availability of judicial remedies.

Confirming the identity of the data subject

The controller must be able to confirm the identity of the data subject exercising his or her data protection rights. If the controller has reasonable doubts concerning the identity of the person who made the request, it can request the provision of additional information necessary to confirm his or her identity.

The GDPR does not provide for the methods of confirming the data subject’s identity. Many controllers already have suitable procedures in place. For example, the controller may have verified the data subject's identity before entering into the agreement or obtaining consent for the processing. This personal data can then be used to confirm the data subject's identity also in connection with fulfilling the rights of the data subject.

If the controller requests additional information for confirming the data subject’s identity, this may not cause unreasonable demands or the collection of personal data that is not relevant or necessary.

If the controller is unable to identify the data subject, it must notify him or her of this if viable.

If the controller refuses the data subject’s request due to not being able to identify the data subject, it must demonstrate that it is unable to confirm the identity of the data subject.

If the data subject cannot be identified, he or she cannot exercise the right

  • of access to data
  • to rectification of data
  • to erasure of data
  • to restrict the processing of data or
  • to data portability.

The data subject can provide additional information for the purposes of identification, however.

When is confirming the data subject's identity not necessary?

Personal data may be kept in a form which permits identification of data subjects for no longer than is necessary for the purposes of processing.

If the personal data that permit the identification of the data subject is not necessary for the purpose of processing, the GDPR does not obligate controllers to keep, obtain or process such additional data solely for the purpose of compliance with the GDPR.

Read more:

GDPR: Articles 12 and 15