GDPR compliance—data subject access rights
GDPR compliance—data subject access rights

The following Risk & Compliance guidance note provides comprehensive and up to date legal information covering:

  • GDPR compliance—data subject access rights
  • The right of access and other data subject rights
  • The right of access—what is it and when does it apply?
  • Information requirements
  • Key changes from pre-GDPR regime
  • Complying with access requests
  • Consequences of non-compliance with the GDPR
  • Right of access readiness checklist

Brexit: As of exit day (31 January 2020), the UK is no longer an EU Member State, but it has entered an implementation period during which it continues to be treated by the EU as a Member State for many purposes. The UK must continue to adhere to its obligations under EU law, including in relation to data protection, and the ICO has confirmed the GDPR will continue to apply during the implementation period. For more information, see: Practice Note: Brexit—implications for data protection.

The General Data Protection Regulation (GDPR), in force from 25 May 2018, provides for enhanced rights for data subjects in the EU, including providing rights of rectification, erasure and restriction of processing, data portability, a right to object to processing and a right not to be subject to a decision based solely on automated processing, including profiling, with strict time limits for complying.

Article 15 of the GDPR provides that the data subject has the right to obtain confirmation from the data controller as to whether or not personal data concerning them is being processed, and where it is, access to the personal data and certain further information—a right of access.

The right of access is very similar in the GDPR to previous legislation, with a handful of notable changes, see Key changes below.

This Practice Note explains the right of