Right of access
The right of access empowers data subjects to obtain from you confirmation as to whether or not personal data concerning him or her are being processed, and, where that is the case, a copy of that personal data. Furthermore, they are also entitled to request the following information:
- the purposes of the processing;
- the categories of personal data concerned (health, financial, professional…);
- the recipients or categories of recipient to whom the personal data have been or will be disclosed, in particular recipients in third countries or international organisations;
- the envisaged period for which the personal data will be stored;
- the existence of the right of rectification, erasure, restriction or objection and the right to lodge a complaint with a supervisory authority;
- where the personal data are not collected from the data subject, any available information as to their source;
- the existence of automated decision-making, including profiling, information about the logic involved, the significance and the envisaged consequences.
Any of the privacy information mentioned above must be provided free of cost. However, for any further copies of the personal data that you are requested you are allowed to charge a reasonable fee based on administrative costs.
As explained below, you may also charge a fee or refuse to respond to a request when that request is unfounded or excessive, particularly because of their repetitive character.
Where a request is to be considered unfounded or repetitive is a matter which is left open in the GDPR, therefore it must be addressed by the Member State law.
In Spain, the Spanish Data Protection Act (LOPDGDD) states that an access request shall be deemed as repetitive where there are more than one requests within a period of six months, unless there is a legitimate cause.
Conversely, the request shall be deemed excessive when carried out by means other than those made available by the controller. In that case, the requesting party will bear the exceeding costs of their election and the controller will be entitled to respond to the request with no deadline but without undue delays.