In this second article we want to focus on the right of access governed by Article 15 of the GDPR, that is, the interested party's right of access to his own data.
The interested party has the right to obtain from the data controller confirmation as to whether or not his personal data is being processed and, if so, to obtain access to that data and to receive information on how the data was received, for what purpose and how it is used.
The GDPR also provides that the interested party has the right to know, in particular, the protections applied by the data controller when data is transferred to third countries, as well as the logic on which an automated process, such as profiling, is based, the functioning and use of these mechanisms and their possible consequences, as well as the data processing.
If we consider the common example of the e-mail application, it is at least doubtful whether complete and truthful information can be given about the various automated processes involving personal data.
The right of access can also be exercised several times and even on a periodic basis. Indeed, in accordance with the GDPR, the data controller should create a system that allows the interested party to remotely access a secure system in order to verify his own data directly. This is also an obligation that is difficult to fulfil in the absence of a suitable system. In fact, companies often collect data via the web through the forms on their site but do not then have a private area that guarantees data access and the consequent protection of the interested party’s rights.
By exercising his right of access, the interested party has the right to receive the requested information from the data controller as soon as possible and, in any case, within a maximum of one month.
The information must be given free of charge to the interested party, except in the exceptional case in which the data controller has to bear significant technical costs, or the requests of the interested party have proved to be unfounded or excessive.
Usually, the answer must be given in writing. The Regulation also specifies that when the interested party makes requests using electronic means, the responses from the data controller must use the same means.
Finally, there are some additional aspects to consider. First of all, on this occasion too the data controller is required to observe all the security measures necessary for data protection, in particular with regard to verifying the identity of the person requesting access, with particular attention to cases where this occurs directly online. Lastly, the exercise of the right in question must not lead to violations of the rights of others: this refers, for example, to trade secrets and industrial property rights (e.g. the protection of copyright in software).