Right of access to personal data

From Wikipedia, the free encyclopedia
Jump to navigation Jump to search

The Right of Access, also referred to as Right to Access and [data] subject access, is one of the most fundamental rights in data protection laws around the world. The European Union states that: "The right of access occupies a central role in EU data protection law's arsenal of data subject empowerment measures." [1] This right is often operationalised as a Subject Access Request.


The right of access is enshrined as part of the fundamental right to data protection in the Charter of Fundamental Rights of the European Union. It is in fact the only one of the practical rights relating to personal data that is listed there.

In the GDPR this right is defined in various sections of Article 15. There is also a right to access in the GDPR's partner legislation, the Data Protection Law Enforcement Directive.[2] When the EU Directive is transposed into Member State national law, the right of access may be suspended or restricted, as in the case of Germany in Article 34 of its Bundesdatenschutzgesetz.[3] Moreover, on the European level, Europol offers a right of access. [4]

In the current Member State United Kingdom, the website of the Information Commissioner's Office states regarding Subject Access Requests (SARs)[5]: "You have the right to find out if an organisation is using or storing your personal data. This is called the right of access. You exercise this right by asking for a copy of the data, which is commonly known as making a ‘subject access request". Before the General Data Protection Regulation (GDPR) came into force on 25 May 2018 organisations could charge a specified fee for responding to a SAR, of up to £10 for most requests. Following the GDPR: "A copy of your personal data should be provided free in a commonly used and machine readable format[6]. An organisation may charge for additional copies. It can only charge a fee if it thinks the request is ‘manifestly unfounded or excessive’. If so, it may ask for a reasonable fee for administrative costs associated with the request."

United States[edit]

Five federal laws include a right of access to personal data:

In addition, some state laws like the CCPA California Consumer Privacy Act have started to include this right.

Transatlantic data flows[edit]

Transatlantic data flows (or at least those going West, towards the US) are governed by the EU–US Privacy Shield. One of the Privacy Shield principles is the right of access.[7] Indeed, it is most fundamental in enabling accountability mechanisms around personal data processing. This example demonstrates that a European-style conception of privacy does not necessarily have to be perceived by American actors as unduly imposing new restrictions on free speech by data subjects.

This Privacy Shield practice also shows that the case of civilian data protection (as under GDPR) is quite different from the case of criminal investigation, where a right of access is exercised as a "data request" by a government, not an individual, as in the US Supreme Court case Microsoft Corp. v. United States. The individual in criminal cases does maintain a right to know what data is being used about him/her, and of what crime s/he is accused. [8]

United Nations[edit]

The aspirational Sustainable Development Goal 16, target 9, calls for the provision of legal identity for all human beings. "In the digital economy, this becomes the right to a digital identity."[9] Such an identity could help in filing Subject Access Requests.

See also[edit]

Further reading[edit]

  • Norris, Clive, Antonella Galetta, Paul de Hert, and Xavier L'Hoiry. 2016. The Unaccountable State of Surveillance: Exercising Access Rights in Europe (book).


  1. ^ Ausloos,, Jef; Dewitte, Pierre (20 January 2018). "Shattering One-Way Mirrors. Data Subject Access Rights in Practice". International Data Privacy Law (2018) 8(1), pp.4-28. Retrieved 6 February 2019.CS1 maint: extra punctuation (link)
  2. ^ "Individuals have the right to have certain information made available to them by the law enforcement (i.e. data protection) authorities", Protecting personal data when being used by police and criminal justice authorities (from 2018), Summary of Directive (EU) 2016/680, https://eur-lex.europa.eu/legal-content/EN/TXT/HTML/?uri=LEGISSUM:310401_3&from=EN
  3. ^ Article 1, Federal Data Protection Act, (BDSG), https://www.bvdnet.de/wp-content/uploads/2017/08/BMI_%C3%9Cbersetzung_DSAnpUG-EU_mit_BDSG-neu.pdf
  4. ^ https://www.europol.europa.eu/right-of-access
  5. ^ "Your right of access". Information Commissioner's Office. Archived from the original on 26 May 2018. Retrieved 25 May 2018. Cite uses deprecated parameter |dead-url= (help)
  6. ^ "what are the rights of data subjects under GDPR?". TrueVault. TrueVault.
  7. ^ "Privacy Shield Framework". U.S. government. Retrieved 11 January 2019.
  8. ^ "Working paper on Standards for data protection and personal privacy in cross-border data requests for criminal law enforcement purposes 63rd meeting, 9-10 April 2018, Budapest (Hungary)" (PDF). Retrieved 11 January 2019.
  9. ^ "A/CN.9/WG.IV/WP.158 - Explanatory Remarks on the Draft Provisions on the Cross-border Recognition of Identity Management and Trust Services, Section II, paragraph 6". United Nations Commission on International Trade Law, Working Group IV: Electronic Commerce, 58th session, 8-12 April 2019, New York. Retrieved 27 April 2019.