Lexicon > Right of access

IT Glossary

Right of access

The right of access to personal data is one of the seven rights that data subjects have over their personal data enshrined in the GDPR, namely:

It contributes to the transparency of the processing operations carried out by the data controller.

Under the right of access, the data subject may request from the controller confirmation as to whether or not personal data relating to him or her are being processed and, where they are, access to such personal data.

The data subject shall also have the right to obtain from the controller information concerning:

  • To the purposes of the processing of his personal data;
  • The categories of personal data processed by the controller;
  • To the possible recipients of his personal data;
  • How long the personal data will be kept or, if this is not possible, the criteria used to determine this period;
  • To the existence of the right to request rectification and erasure of personal data, limitation and opposition to their processing and the right to lodge a complaint with the supervisory authority;
  • At the source of the personal data when they have not been collected from the data subject;
  • The existence of automated decision-making, including profiling.

Furthermore, when personal data are transferred to a third country or to an international organization, the data subject has the right to be informed about the appropriate safeguards in place.

The data subject may also request a free copy of the data processed by the data controller, provided that such copy does not infringe the rights and freedoms of others. The controller may only charge a reasonable fee based on administrative costs for any additional copies requested by the data subject.

RGPD Point

Provision should be made to facilitate the exercise by the data subject of his or her rights under this Regulation, including the means of requesting and, where appropriate, obtaining free of charge, inter alia, access to and rectification or erasure of personal data and the exercise of a right of objection. The controller should also provide the means to make requests electronically, especially where personal data are processed electronically. The controller should be obliged to respond to requests from the data subject as soon as possible and at the latest within one month and to give reasons for not responding to such requests.

Recital 59 of the GDPR

Point of jurisprudence

The Hungarian supervisory authority recalls that ”
the essential obligation of Article 15 of the Data Protection Regulation (
i.e. on the right of access)
is that it requires the provision of targeted and clear information to data subjects in relation to their personal data

Nemzeti Adatvédelmi és Információszabadság Hatóság, 16 December 2020, N°NAIH / 2020/6484

The Bouchara firm assists you in particular in :

  • The processing of requests for the exercise of rights of data subjects within the time limits set out in the GDPR;
  • Making your organization RGPD compliant;
  • The drafting of data protection policies (privacy policy, computer charter …);
  • Documentation of your processing (register of processing activities, register of violations, privacy impact analysis, prior consultation…);
  • Obtaining certifications and adhering to codes of conduct;
  • The study of the legal feasibility of the implementation of a new personal data processing;
  • The drafting and transmission of your codes of conduct to the CNIL for approval;
  • Legal analysis of the compliance of your data processing, including data transfers outside the European Economic Area;
  • Drafting and negotiating your data processing agreements (DPA);
  • Drafting your Binding Corporate Rules (BCR) and Codes of Conduct;
  • Training and awareness of your employees.

We are also the external Data Protection Officer of many data processors and subcontractors.