This is part five of a five-week series discussing General Data Protection Regulation (GDPR) and its implications for U.S. businesses and organizations.

One of the tantamount concepts under the General Data Protection Regulation (“GDPR”) is the right of individuals to have access to their personal data that has been collected and processed by data controllers. This empowers individuals with the ability to find out if their data has been collected and then verify the legality of the data collection and processing. As outlined in Article 15 of the GDPR, individuals are specifically entitled to access information from data controllers about:

  • The purposes of the data processing;
  • The categories of personal data involved;
  • The people or entities to whom the data has been or will be disclosed;
  • The period of time during which the personal data will be stored;
  • The right to lodge a complaint regarding use of the data; and
  • The source of the personal data.

By granting individuals the right to access the foregoing information, the GDPR sets a new and higher bar for data transparency as compared to prior laws in the European Union and privacy laws in the United States. Therefore, an entity deemed a data controller under the GDPR should be aware of how to appropriately and promptly respond to requesting individuals, as outlined below.

No Charge to the Requestor. Article 12 of GDPR requires that data processors provide a copy of the information referenced above to a requesting individual at no charge. However, data controllers are not left high and dry to deal with repetitive requests for the same information. Rather, the GDPR gives data controllers options when the individual’s request is manifestly unfounded or excessive, particularly because of the repetitive nature of the requests. In those cases, the data controller may charge a reasonable fee based only on the administrative cost of providing the requested information or refuse to act on the request. Notably, the data controller has the burden of proving that the request is in fact unfounded or excessive to avail itself of these options and must provide a detailed explanation to the requestor of its determination.

Response Due within One Month. Article 12 of the GDPR also provides that data controllers must provide the requested information to individuals without undue delay and, in any event, within one month of receipt of the request. This time period can be extended by two additional months when necessary, taking into account the complexity and number of the requests. However, the data controller must inform the requestor of any such extension within one month of receipt of the request, together with the reasons for the delay.

Manner of Providing the Information. Article 20 of the GDPR specifies the manner in which the information must be provided to the requesting individual, which is commonly referred to as the “data portability” aspect of the GDPR. Particularly, if the request for data information is made electronically, the information must be provided to the requestor electronically in a commonly used, machine-readable format. This is designed to enable the requestor to more easily transfer the data to a different data controller without hindrance from the original controller. The requestor also has the right to ask that the data be transmitted directly from one controller to another where technically feasible. Data controllers are encouraged to provide remote access to a secure system that will provide the requestor with direct access to his or her personal data when possible.

Cooperation Among Joint Data Controllers. Article 26 of the GDPR requires that data controllers who outsource data processing or process data jointly with other controllers have contractual agreements among all the controllers involved so they can appropriately and timely respond to personal data requests from individuals, as outlined above. The joint controllers must operate in a manner that is transparent to the requestor and determine their respective responsibilities relative to complying with data request. Joint controllers may contractually designate one contact point for requesting individuals.

Entities based in the United States who are deemed data controllers under the GDPR should establish protocols that will enable prompt and full compliance with data requests, as outlined above.