GDPR Article 15 Right of Access by the Data Subject

Article 15 of the General Data Protection Regulation (GDPR) gives every data subject the right to learn what personal data a controller holds about them and how it is used. This article looks at it from an employer's perspective: Are your current or former employees asking you to produce the information you hold about them? Do you have to act on oral requests? What is the response deadline, and which lapses lead to non-compliance?

If you are working toward GDPR compliance for the first time, this is essential reading. If you are already compliant and want to improve your compliance posture, it applies to you too.

Here, we cover the fundamentals of Article 15 of the EU GDPR so that you can handle access requests efficiently, and we highlight the points supervisory authorities expect you to get right when you process personal data.

Who can assert the Right to Information under Article 15 of GDPR?

Any data subject can exercise Article 15 rights against a controller that falls within the GDPR's territorial scope (Article 3). For an employer, that includes current and former employees, contractors, and consultants; where the employer is established in the EU, the GDPR applies to its processing regardless of where the individual is based.

Here's a broad list of who can assert Article 15 of GDPR against an employer:

  • Employees, contractors, and consultants working for your organization from any member state of the European Union (EU)
  • Employees, contractors, and consultants of an organization that is established in the EU, wherever they work
  • Employees, contractors, and consultants currently working outside the EU, where the organization itself falls within the GDPR's scope

What information do I have to provide under Article 15 of the GDPR as an employer?

Article 15 entitles individuals to a copy of their personal data and a transparent account of how it is processed. Privacy management software helps organizations track and organize what they hold across data categories so they can respond accurately and completely to these requests.

Here are the specifics that Article 15(1) and 15(2) require an employer to provide:

  • The purposes of the processing (what you do with the data)
  • The categories of personal data concerned
  • The recipients, or categories of recipients, to whom the data has been or will be disclosed, including recipients in third countries or international organizations
  • The envisaged retention period or, where that cannot be stated, the criteria used to determine it
  • The source of the data, where it was not collected from the individual
  • Whether automated decision-making, including profiling, is in place and, if so, meaningful information about the logic involved and the significance and envisaged consequences for the individual
  • Where data is transferred to a third country or international organization, the appropriate safeguards in place

As an employer, you must also remind the individual making the request of the rights they hold under the GDPR:

  • The right to object to their employer's processing of their personal data
  • The right to request rectification, erasure, or restriction of processing of their data
  • The right to lodge a complaint with a supervisory authority; a complaint can trigger enforcement, with administrative fines of up to EUR 20 million or 4% of annual worldwide turnover, whichever is higher

Are there certain formal requirements to Article 15 GDPR?

Neither the GDPR nor the European Data Protection Board (EDPB) prescribes a format for an access request. This means:

  • Individuals can make a request in writing (on paper or electronically) or orally, and they do not have to use a form you provide, although you may offer one.

As an organization, you need a way to recognize an access request from a current or former employee, whichever channel it arrives through, and to act on it without undue delay and in any case within one month of receipt (Article 12(3)). Where a request is complex, or you have received several from the same person, you may extend the deadline by up to two further months, but you must inform the individual within the first month and give the reasons for the delay.

Most organizations ask that access requests be submitted in writing so that a verifiable record exists, but a request made another way is still valid and must be handled. Keeping that record is one of many practices covered in how to build a compliance program that meets GDPR's documentation requirements.

The individual's motive for requesting a copy of their personal data is irrelevant. Even if you suspect an ulterior motive (for example, gathering evidence for a dispute), you must still comply with Article 15 and provide the information. The only grounds for refusal are those in the Regulation itself, such as a request that is manifestly unfounded or excessive (Article 12(5)).

When a request is made orally, it is good practice to confirm your understanding of it with the individual and then send them a written (normally electronic) record of the request and of the actions you have taken to address it, so that both sides hold the same account.

As the controller, you are responsible for having proportionate safeguards to verify the identity of the person making the request, so that personal data is not disclosed to an unauthorized party. Where you have reasonable doubts about identity, Article 12(6) lets you ask for additional information, but ask only for what you need and do not collect new personal data simply to verify a request.

You must provide the information without undue delay. The one-month deadline in Article 12(3) is the maximum, not the target, and the clock starts when you receive the request.

GDPR compliance software can log every access request automatically and track its deadline, so that no request is missed and no deadline is overrun.
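The deadline arithmetic above trips people up at month ends: a request received on 31 January is due on 28 or 29 February, not 2 March, and an extension only counts if the notice went out within the first month. The following Python is an added example, not code from Sprinto or from the original article. The AccessRequest record shape is hypothetical, and the month-counting convention it uses (same date in the following month, otherwise the last day of that month) is an assumption that follows common supervisory-authority guidance rather than wording in the Regulation itself:

```python
"""Compute the Article 12(3) response deadline for a GDPR Article 15 access request.

Rules implemented (GDPR Article 12(3)):
  - respond without undue delay and in any event within one month of receipt;
  - the period may be extended by two further months (three months in total)
    where necessary, but the individual must be informed within the first month.

Month counting: the deadline is the same date in the target month; if that date
does not exist (e.g. 31 January + 1 month), it is the last day of that month.
This convention is an assumption of this example; check your own supervisory
authority's guidance.
"""
from __future__ import annotations

import calendar
from dataclasses import dataclass
from datetime import date
from typing import Optional


def add_calendar_months(start: date, months: int) -> date:
    """Move `start` forward by `months` calendar months, clamping the day of the
    month to the last day of the target month when the same day does not exist."""
    year_offset, month_index = divmod(start.month - 1 + months, 12)
    year = start.year + year_offset
    month = month_index + 1
    last_day = calendar.monthrange(year, month)[1]
    return date(year, month, min(start.day, last_day))


@dataclass
class AccessRequest:
    """Minimal intake record for a subject access request (hypothetical shape)."""
    request_id: str
    received: date                                  # date the request reached the controller
    extension_notified_on: Optional[date] = None    # date the extension notice was sent
    responded_on: Optional[date] = None             # date the response was sent


def initial_deadline(req: AccessRequest) -> date:
    """One month from receipt (Article 12(3))."""
    return add_calendar_months(req.received, 1)


def extension_is_valid(req: AccessRequest) -> bool:
    """An extension only counts if the notice was sent within the first month."""
    return (req.extension_notified_on is not None
            and req.extension_notified_on <= initial_deadline(req))


def response_deadline(req: AccessRequest) -> date:
    """Effective deadline: one month, or three months in total if validly extended."""
    if extension_is_valid(req):
        return add_calendar_months(req.received, 3)
    return initial_deadline(req)


def compliance_status(req: AccessRequest, today: date) -> str:
    """Classify a request relative to its effective deadline."""
    deadline = response_deadline(req)
    if req.responded_on is not None:
        return "answered on time" if req.responded_on <= deadline else "answered late"
    return "open" if today <= deadline else "overdue"


if __name__ == "__main__":
    # Constructed sample requests, not real data.
    samples = [
        AccessRequest("SAR-001", date(2024, 1, 31)),   # 31 Jan -> 29 Feb (leap year)
        AccessRequest("SAR-002", date(2023, 1, 31)),   # 31 Jan -> 28 Feb
        AccessRequest("SAR-003", date(2024, 8, 31),    # notice within month 1 -> 30 Nov
                      extension_notified_on=date(2024, 9, 20)),
        AccessRequest("SAR-004", date(2024, 8, 31),    # notice too late -> still 30 Sep
                      extension_notified_on=date(2024, 10, 5)),
    ]
    for req in samples:
        print(req.request_id, req.received, "->", response_deadline(req),
              "(extended)" if extension_is_valid(req) else "")
```

The useful property of this layout is that the extension notice date is stored alongside the request, so a late notice silently falls back to the one-month deadline instead of buying time that the Regulation does not grant.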

Who bears any costs incurred?

Generally, the controller bears the cost of providing the information: Article 12(5) requires that the information, and the first copy of the data, be provided free of charge.

Where the individual makes requests that go beyond what the Regulation entitles them to, or that are manifestly unfounded or excessive, the employer may charge a reasonable fee based on the administrative cost, and should explain why the fee is being charged.

For example, if an individual asks the employer for several copies of the same information, the employer (as controller) is within its rights to provide the first copy at no cost and charge a reasonable fee for the further copies (Article 15(3)).

How Article 15 applies in borderline cases is for supervisory authorities and courts to settle. For most businesses the pragmatic course is to respond fully and on time rather than spend effort, and legal fees, arguing about edge cases.

What should I do under Article 15 of the GDPR to protect my business?

As an employer, you must remain compliant with GDPR at all times. To ensure continued compliance you must:

  • Train employees to recognize and handle an access request. The GDPR training module should cover documentation: keep a time-stamped record of all communication between the organization and the individual, so that you can evidence what was asked, when, and how you responded.
  • Store employee personal data so that it can be located, identified, and exported on request.
  • Design processing activities so that personal data can readily be rectified, erased, restricted, or transferred. The related right to data portability under Article 20 additionally requires that data the individual provided be supplied in a structured, commonly used, machine-readable format, and Article 15(3) requires that a copy requested electronically be provided in a commonly used electronic form unless the individual asks otherwise.

Sprinto enables organizations of all sizes to automate the monitoring of access requests so that none is left unattended. Acting promptly on access requests keeps you compliant with GDPR. Understanding your GDPR compliance costs upfront helps you weigh the penalty exposure against the investment in building a proper Article 15 response process.

See how Sprinto can help you become and remain GDPR compliant.

FAQ

What is Article 15 of GDPR?

Article 15 of the General Data Protection Regulation (GDPR) gives the data subject the right to obtain from the controller confirmation of whether their personal data is being processed and, if so, access to that data and information about the processing. For employees, that controller is typically their employer.

What is the time limit for responding to a request under Article 15 of GDPR?

Organizations must respond without undue delay and in any event within one calendar month of receiving the request. For complex or multiple requests the period can be extended by up to two further months, provided the requester is informed of the extension, and the reasons for it, within the first month.

Are there any exemptions under Article 15 of GDPR for data access requests?

Yes. Under Article 15(4), the right to obtain a copy must not adversely affect the rights and freedoms of others, which can include other people's personal data, confidentiality, trade secrets, or intellectual property; in such cases the affected parts may be withheld or redacted rather than the whole request refused. Under Article 12(5), requests that are manifestly unfounded or excessive may be refused or charged for, and the controller bears the burden of showing that they are.

Who can receive a subject access request (SAR) under Article 15 of UK GDPR?

A SAR is made to the data controller, not the processor. The controller decides why and how personal data is processed, while the processor acts on the controller's instructions. A request that reaches a processor should be passed to the controller, and the processor must assist the controller in responding to it (Article 28(3)(e)).

What is Article 15 UK GDPR and how does it apply?

Article 15 gives individuals the right to access their personal data and understand how and why it is used. It requires the data controller to confirm whether personal data is being processed, provide a copy of the data, and share related details upon request.

What is the GDPR right to access personal data?

Under GDPR Article 15, individuals have the right to obtain confirmation of whether their personal data is being processed, access that data, and receive details about how and why it is used.

Vimal Mohan
Author

Vimal is a Content Lead at Sprinto who masterfully simplifies the world of compliance for everyday folks. When not decoding complex framework requirements and compliance speak, you can find him at the local MMA dojo, exploring trails on his cycle, or hiking. He blends regulatory wisdom with an adventurous spirit, navigating both worlds with effortless expertise.