Data Rights: right to access FAQ
Some frequently asked questions about the right to access your personal data.
The right to access your personal data (or access right) is just one of a number of data rights that may be found in data protection law, including the European Union's General Data Protection Regulation. Data Subject Access Requests, or DSARs, have helped us several times understand the extent of data companies and governments might hold on us, how this data might be shared among various recipients, or what other third parties a company might be using to obtain additional data and enrich their user profiles, for example.
Baed on our own experience, we have put together a series of Frequently Asked Questions (FAQ) which you will find below. Although our suggestions are neither exhaustive nor the only way to effectively exercise data protection rights, we hope they make the process easier for users to exercise their rights, specifically the right of access, esnhrined in the GDPR.
Please note that PI is not in a position to advise you individually on your request, and has not been nor will be legally representing you in connection with any request you make. You are responsible for providing any additional information or submissions to the companies you contact or to any regulatory body with which you may file a complaint.
1. What is the right of access?
The right to access your personal data is just one of a number of data rights that may be found in data protection law, including the European Union's new law, the General Data Protection Regulation, better known as "GDPR".
You have the right to ask to be provided with a copy of all personal data together with accompanying information regarding their processing and, in most cases, the data controller must comply
2. Where does the right of access apply?
The right to access your personal data is one of the data rights in the EU's GDPR, which took effect in May 2018. Companies have the obligation to respect the rights in GDPR if they are based in the EU or process personal data of people in the EU. Many companies that PI investigates have operations in the EU, but where they have separate operations in other countries the data rights in GDPR will unfortunately not always apply. Whilst PI is pushing for strong data protection laws around the world and for companies to respect individuals rights around the world, there is still a gap in legislation, implementation, and enforcement in many countries.
3. Can PI help me with my Data Subject Access Request (DSAR)?
Privacy International is not in a position to advise you individually on your request, but we have provided high level directions below. We've tried to provide you with as much information upfront as possible, including some of our own experiences in requesting access to our data. Privacy International has not been nor will be legally representing you in connection with your request. You are responsible for providing any additional information or submissions to the companies you contact or to any regulatory body with which you may file a complaint.
4. What if the companies do not respond to my request(s)?
Based on our own experience, we know that exercising your access rights is not always smooth sailing. The guide below should provide you with some tips and includes suggestions if a company does not respond to your request.
Companies are obliged to respond within a month (although the clock stops whilst they are waiting for you to answer any questions they may ask you - so try to respond to them quickly so as not to slow down the process). If the companies do not fulfil your request, you can complain to the Data Protection Authority where you live. A list of the Data Protection Authorities in the EU and their contact details can be found here: https://edpb.europa.eu/about-edpb/board/members_en. If you do not live in the EU, a good place to start is the Data Protection Authority of the country where the company is based.
5. Are there other tools to help me exercise my data rights?
Other NGOs have been working on tools to support individuals to exercise these rights. Here are a few: Data Rights Finder, My Data Done Right, personaldata.io ...