This right, provided for in Article 15 of the GDPR, allows any person to ask an organisation whether it holds personal data concerning him or her, and to request a copy of it in an understandable format and at a cost not exceeding that of reproduction.
If the organisation has doubts about the identity of the person, it may ask him or her to attach any document that makes it possible to prove his or her identity.
The person can therefore find out:
- the purpose of the processing,
- the categories of personal data processed,
- the recipients to whom the personal data has been or will be communicated,
- how long the data will be kept,
- the possibility of exercising other rights (right of rectification, deletion, limitation, opposition),
- the possibility of referring to the data protection authority.
However, access to certain files is particularly restricted. This is the case, for example, with certain police files or files concerning State security. The law does not authorise an individual to access information contained in these files directly. However, access may be granted indirectly via the CNIL. The same applies to files whose disclosure may infringe intellectual property rights or business secrets.
How to make an access request
The request may be made verbally or in writing, through any medium (including social networks) and to any person within the organisation.
How long does the organisation have to respond to the request?
- In principle, the response time is a maximum of one month from the date of the request.
- It may be extended to three months in view of the complexity and number of requests, on the condition that the data subject is informed within one month of his or her request for right of access.
- If the request concerns health data, the response time is in principle eight days, subject to national exceptions.