Article 15 GDPR Right of access by the data subject

Article 15 of the General Data Protection Regulation (GDPR) gives the data subject a right of access: the right to learn whether an organization is processing personal data about them and, if so, to obtain a copy of that data together with information about the processing. For an employer, the data subjects most likely to invoke it are current and former employees. Are your employees asking you to produce the information you hold about them? Do you have to accept oral requests? How quickly must you respond, and what could lead to non-compliance?

If you are preparing for GDPR compliance for the first time, this is essential reading. If you are already compliant and want to improve your compliance posture, it is for you too.

Here we walk through the fundamentals of Article 15 so that you can handle access requests efficiently, and highlight the points to keep in mind so that your processing of personal data matches what supervisory authorities expect.

Who can exercise the right of access under Article 15 of GDPR?

Every current or former employee of your organization can exercise the right of access under Article 15, and so can contract staff and independent consultants: the right belongs to any data subject whose personal data you process, not only to people on your payroll.

Here’s a broad list of who can assert Article 15 of GDPR against you as an employer:

  • Employees, contractors and consultants working for you from any member state of the European Union (EU)
  • Employees, contractors and consultants of an organization established in the EU, even when the individual is located outside the EU, because Article 3(1) applies to processing carried out in the context of an EU establishment regardless of where the processing itself takes place
  • Individuals who are in the EU and work for an organization established outside the EU, where Article 3(2) brings that processing into scope (for example, where the organization monitors their behaviour within the EU)

What information do I have to provide under Article 15 of the GDPR as an employer?

Article 15 of GDPR entitles the individual to confirmation of whether you are processing their personal data and, if you are, to a copy of that data and to a defined set of information about the processing, whatever the purpose of the processing (including archiving).

Here is what Article 15(1) to (3) require you to provide:

  • Confirmation that you are (or are not) processing their personal data
  • The purposes of the processing: what do you do with the data?
  • The categories of personal data concerned
  • The recipients or categories of recipients to whom the data has been or will be disclosed, in particular recipients in third countries or international organizations, and, for transfers to a third country, the Article 46 safeguards that cover the transfer
  • The envisaged storage period or, if that cannot be stated, the criteria used to determine it
  • The source of the data, where it was not collected from the individual themselves
  • Whether automated decision-making, including profiling, under Article 22 takes place and, if so, meaningful information about the logic involved and the significance and envisaged consequences for the individual
  • A copy of the personal data undergoing processing

As an employer, you must also remind the individual making the request of the rights GDPR gives them:

  • The right to object to the processing of their personal data
  • The right to request rectification or erasure of their data, or restriction of processing
  • The right to lodge a complaint with a supervisory authority

Are there certain formal requirements to Article 15 GDPR?

Neither the GDPR nor the European Data Protection Board (EDPB) prescribes a format for an access request. This implies:

  • Individuals can make the request in writing (on paper or electronically) or orally, and they do not need to cite Article 15 or use any particular wording for the request to count.

As an organization, you need a way to recognize a request from a current or former employee as an access request and act on it without undue delay, and in any event within one month of receipt. Where a request is complex, or you are handling many of them, Article 12(3) lets you extend that period by up to two further months, but you must tell the individual within the first month that you are extending it and explain why.

Many organizations covered by GDPR prefer that data subjects exercising the right of access do so in writing, because it gives them a verifiable record. You may offer a dedicated channel or form and encourage people to use it, but you cannot reject a valid request simply because it arrived another way.

The individual’s motive for requesting a copy of their personal data is irrelevant: you cannot ask why they want it, and you must comply with Article 15 even if you suspect an ulterior motive, such as preparing for a dispute with you. The only grounds for charging a fee or refusing are in Article 12(5), for requests that are manifestly unfounded or excessive, and the burden of demonstrating that lies with you.

When the individual makes an oral request, it is good practice to confirm in writing what they asked for, provide the information in writing or electronically, and keep a record of the request and of the actions you took. Article 12(1) allows you to give the information orally only if the individual asks for that and you have verified their identity by other means.

As the employer you are the controller, and it is your responsibility to have appropriate safeguards for verifying the identity of the person making the request, so that personal data is not disclosed to an unauthorized person. Article 12(6) lets you ask for additional information to confirm identity where you have reasonable doubts, but you should not demand more than is necessary for that purpose.

You must provide the information without undue delay. In practice, make it available within one month of the date of the request unless you have properly extended the period under Article 12(3).

When you work with Sprinto, the compliance automation platform tracks every access request automatically, so that none is missed and you do not risk non-compliance.

Who bears any costs incurred?

Generally, the cost of retrieving and providing the information is borne by the controller, that is, the employer. Article 12(5) requires the information to be provided free of charge.

Where a request is manifestly unfounded or excessive, in particular because it repeats an earlier request, Article 12(5) lets the employer either charge a reasonable fee based on administrative costs or refuse to act on it, explaining the reason in either case.

For example, suppose an individual asks for multiple copies of the information. In that case the employer, as controller, is within its rights to give the first copy at no cost and, under Article 15(3), to charge a reasonable fee based on administrative costs for any further copies.

How Article 15 applies in a given case is ultimately decided by the supervisory authorities and the courts. That said, it is advisable for businesses to avoid disputes they could have prevented and to keep their time for business development.

What should I do under Article 15 of GDPR to protect my business?

As an employer, you must remain compliant with GDPR at all times. To ensure continued compliance you must:

  • Train employees on how to recognize and handle an access request. The GDPR training module should cover documentation: with documentation, you have time-stamped evidence of all communication between your organization and the individual.
  • Store all employee-related personal data in a manner that makes it easy to locate, extract and hand over on request.
  • Design processing activities so that the personal data concerned can be rectified, restricted or erased on an authorized request.

Sprinto enables organizations of all sizes to automate the monitoring of access requests so that none is left unattended. Acting on access requests promptly keeps you compliant with GDPR and protects you from fines and reputational damage. See how Sprinto can help you become and remain GDPR compliant.
