
All individuals have the right to consult their personal data held by any organization, whether public or private.

What are the steps involved in responding to an access request, and what are the deadlines?

Since it came into force in May 2018, the GDPR has strengthened the Data Protection Act, which allows anyone to access their personal data. Indeed, all individuals have the right to access their personal data, in order to exercise their right to rectification as well as their right to erasure. You can exercise your right of access with a company of which you are a client, with your employer, or with your doctor to obtain data from your medical file.

What is the right of access?

A right of access is the right to know whether your data is being processed, and to have it communicated to you in a comprehensible format. The right of access therefore enables you to find out what personal data administrations and private companies hold about you. You therefore have the right to access all personal data concerning you, regardless of the organization holding it.

You can exercise your right of access directly or indirectly:

The right of direct access

In most cases, you can access your information directly from the organizations that hold it;

At your request, the controller must provide you with a copy of all the information it holds on you, identifying, of course, its sources.

It should be noted that Article 12.5 provides for a principle of free access.

Indirect right of access

In some cases, you may be able to access your personal data, but only indirectly: for public files, you need to contact the CNIL (National Commission for Information Technology and Civil Liberties), in what is known as the indirect right of access;

In other cases, asking the CNIL (National Commission for Information Technology and Civil Liberties) to intervene has no longer been necessary since August 3, 2018. In other words, you have a direct right of access and rectification to the TAJ (Traitement des antécédents judiciaires), SIS (Système d'information Schengen) and FPR (Fichier des personnes recherchées) files.

The four steps to follow when responding to a right of access request

As already mentioned, every individual has the right not only to request access to information on the processing of personal data concerning him or her, but also to obtain a copy of such data.

Check the identity of the person making the request

To accept an access request, you must first be sure of the identity of the person making the request. You must therefore verify his or her identity, and ask him or her for supporting documents, which we'll talk about a little later.

Ask which processing operation the request relates to

With regard to this point, it should be emphasized that some requests may concern all the data processed by the organization from which the Data subject requests access. In the event that the request concerns a large quantity of data, Article 63 of the GDPR requires the Data subject to specify which processing operations the request relates to. However, you remain obliged to get back to him or her within one month.

Make sure the request does not concern a third party

It goes without saying that when applying the right of access, you must not overlook the rights of third parties. In other words, you can't ask for information about a colleague at work, or data about your spouse.

The same applies to access rights, which may infringe business secrets or intellectual property rights: copyright protecting software, for example.

The Data subject will still be able to obtain the information he or she is looking for, but the identity of third parties will be masked, along with any information that would enable them to be identified.

Meeting the request and the deadlines

There are two different cases here: the Data subject can request either information about herself, or a copy of her data.

Articles 13 and 14 of the GDPR provide for the information that you, as data controller, must communicate to the Data subject. This is the information that appears on any collection media you use.

On the other hand, whether the information is recorded on paper or electronically, on video or sound, you are obliged to disclose it if the Data subject asks for a copy. In other words, no matter what medium you use to store the data, this will in no way render it non-disclosable. And don't forget to take into account the rights of third parties, as already mentioned.

Can I refuse to respond to a request for access?

It's true that, as soon as you process personal data, you are obliged to provide it, at the request of the Data subject. However, in certain cases, you may refuse to respond to a request for access, provided that your decision is justified.

In fact, the CNIL (National Commission for Information Technology and Civil Liberties) has identified two cases in which you may not reply:

  • If the access request is excessive because of its repetitive nature. Example: requests as numerous as they are varied, and close in time to a copy already supplied;
  • If the requested information has been deleted. The data controller will not be able to consult it, and access will therefore be impossible.

Example: video surveillance recordings must be deleted after a maximum of 30 days.

Please note: A request for access to information already held by the Data subject is never considered excessive. The time between each request must therefore be taken into consideration.

In addition, if you do not comply with a request for access, you must justify your decision. You must also inform the Data subject of the manner and deadline to be respected, in case he or she wishes to appeal against your decision.

However, as far as the Data subject is concerned, you should be aware that exercising the right of access is unconditional. In other words, unlike your decision, which must be justified, the Data subject's decision does not have to be justified in any way.

The one and only condition to be taken into account is respect for the rights of third parties.


What supporting documents do I need to request access?

One of the four steps involved in responding to a right of access request is verifying the identity of the requester. However, the GDPR lays down a principle on this point:

"No identification, except in case of reasonable doubt."

As a data controller, in order to comply with the access requests you receive, you need to ascertain the identity of the requesters, while of course respecting the rights of third parties. In general, identity may be established by any means. It is not necessary for the applicant to enclose a photocopy of his or her identity card, as long as the information provided is sufficient to identify him or her.

Moreover, as long as the Data subject has authenticated him/herself in a digital environment, this may be sufficient to exercise his/her right of access (e.g. FranceConnect).

On the other hand, the GDPR provides for a "case of reasonable doubt" in which you can ask the access requester to attach an additional document that proves his or her identity. This document can, for example, be an identity document.

It follows that, as data controller, you need to assess the nature of the request and the context in which it was made, not forgetting the sensitivity of the information requested. This will enable you to define the level of verification required.


⚠️ How long does it take to respond to a request for access?

On the deadlines for responding to an access request, the CNIL (National Commission for Information Technology and Civil Liberties) has laid down a three-point principle covering three different situations:

  • 1 month maximum for a simple request;
  • 3 months maximum for a complex request (e.g. if a person requests a copy of all their data);
  • 8 days maximum for health data.

Whatever the situation, you are required to inform the applicant of the outcome within a maximum of one month.


The right to rectification and the right to erasure: what are they?

As its name suggests, the right of rectification allows you to modify information concerning the person requesting access, with a view to correcting or supplementing it if necessary. As the data controller, you must inform the other data recipients that rectifications have been made, unless this would require excessive effort.

Examples of situations in which the Data subject has the right to ask for information to be rectified:

  • The Data subject could exercise her right of rectification with her former employer, if ever there had been data that should no longer appear in her files;
  • A social network blocks an account because it thinks the user is underage.

Generally speaking, you can exercise your right to rectification if any information in your file is incorrect. For example, wrong information on a form can lead a company to make a calculation that could be prejudicial to you.

The right to erasure, on the other hand, enables any individual to ask an organization holding personal data about him or her to delete it. In this case, personal data may be an embarrassing photo, or at least information that the Data subject considers unnecessary. The data subject has the right to request its deletion in one or more of the following situations:

  • their data is used for prospecting purposes;
  • the data are no longer necessary for the purposes for which they were originally collected or processed;
  • the applicant has withdrawn his or her consent to the use of the data;
  • their data is processed unlawfully;
  • the data was collected when the applicant was a minor;
  • the data must be deleted to comply with a legal obligation;
  • the Data subject has objected to the processing of his or her data, and the data controller has no legitimate or compelling reason not to comply with this request (the decision must be substantiated, as already mentioned).
