Data subjects’ right of access to their personal data.
The right of access to personal data is a means for data subjects to consult and control what personal data you may hold on them.
AGN Avocats takes a look at the implementation of a person’s right of access to their personal data.
Do I have to respond to a request for access to personal data?
When someone requests access to their personal data, you are obliged to respond to that request.
The response you provide must be exhaustive, and include all the information relating to the person making the request. If there are any doubts about the completeness of the response, you may be asked to supplement it. If the person making the request is still not satisfied with the additional information provided, they are entitled to lodge a complaint with the CNIL.
To protect yourself against any possible recourse, it is advisable to keep a copy of exchanges with the inquirer.
Do I need to check the identity of the person making the request?
If you have reasonable doubts about the identity of the person requesting access to their personal data, you can request that any document proving their identity be attached to the request.
This will prevent identity theft. You may not, however, request any supporting documents that would be disproportionate. We recommend that you limit such checks to the person’s identity card.
What personal data must I provide?
In principle, all data concerning the person making the request must be provided. However, there are certain limits to this principle.
The right of access to a person’s personal data must in no way prejudice the rights of third parties. Thus, only data concerning the person making the request may be communicated. For example, you may not send a person personal data concerning their spouse.
The right of access to personal data must not infringe on your organization’s business secrets or intellectual property.
Where a piece of data also concerns a third party, or presents a risk to business secrecy, the organization must anonymize that data.
Furthermore, if you consider a request to be excessive or unfounded, you can refuse it, but must justify the “unfounded” or “excessive” nature of the request.
How should I send the requested data?
In practice, communicating the data means more than simply letting the person consult it. The person making the request receives a document, the form of which is not prescribed and can vary.
The response format can be a paper document, an e-mail, or even a CD-ROM if required.
What is the deadline for replying to a data access request?
In principle, a request for access to personal data should be answered as quickly as possible.
However, the response must be made at the latest within one month of the request. This deadline may be extended to three months if the request is particularly complex, or if you receive too many requests.
However, if the deadline is extended, you must notify the inquirer within one month of the request of the reasons for the extension.
If, after the one-month deadline, you have still not provided a response, or if you refuse to grant the request, the matter may be referred to the CNIL. In parallel with a referral to the CNIL, you may be asked to “freeze” the data, which corresponds to a strict limitation on the processing of the personal data.
Are there fees for exercising this right?
While exercising this right is free of charge in principle, the person making the request may be asked to pay a fee for processing their file, particularly if they require additional copies of the data.
AGN AVOCATS – Intellectual property