GDPR compliance—data subject access rights

The following Risk & Compliance guidance note provides comprehensive and up-to-date legal information covering:

  • GDPR compliance—data subject access rights
  • The right of access and other data subject rights
  • The right of access—what is it and when does it apply?
  • Information requirements
  • Key changes from pre-GDPR regime
  • Complying with access requests
  • Consequences of non-compliance with the GDPR
  • Right of access readiness checklist

The General Data Protection Regulation (GDPR), in force from 25 May 2018, provides enhanced rights for data subjects in the EU, including rights of rectification, erasure and restriction of processing, data portability, a right to object to processing and a right not to be subject to a decision based solely on automated processing, including profiling, with strict time limits for complying.

Article 15 of the GDPR provides that the data subject has the right to obtain confirmation from the data controller as to whether or not personal data concerning them is being processed, and where it is, access to the personal data and certain further information—a right of access.

The right of access in the GDPR is very similar to that in previous legislation, with a handful of notable changes; see Key changes below.

This Practice Note explains the right of access by the data subject contained in the GDPR, and considers compliance strategies for businesses.

For detailed guidance on handling data subject requests, see:

  1. Practice Note: Handling data subject requests, and

  2. Flowcharts: Handling data subject requests—flowchart and Evaluating a data subject access request—flowchart

The right of access and other data subject rights

The right of access is part of a larger package of data subject rights, including:

  1. rectification, erasure and restriction of processing rights

  2. the right to data portability

  3. a right to