Citizens of European Union (EU) member states enjoy robust personal data protection rights. These rights are defined in the EU General Data Protection Regulation (GDPR), which any business that processes or comes into contact with EU citizens’ data must follow. One aspect of the GDPR is the right of access to personal data, which applicable companies must uphold no matter where they’re located or what their business model is.
The EU GDPR Right of Access to Personal Information
The GDPR right of access to personal data breaks down into three critical rights defined in GDPR Chapter 3, Section 2. These comprise rights of information about and access to data:
- The right to being notified when data is collected from the subject, per Article 13
- The right to being notified when data isn’t collected from the subject, per Article 14
- The right of access to data collected from or pertaining to the subject, per Article 15
The following sections will dive deeply into each of these rights and what companies can do to uphold them for GDPR compliance. RSI Security can help you build out any required controls.
Article 13: The Right to Notification When Data Is Collected
GDPR personal data access rights pertain to the data itself and various metadata about collected records, including that they have been collected, by whom, and how, per Article 13.
Four applicable rules substantiate this right, two of which break down into smaller specifications. As a whole, the GDPR is structured as a series of Articles collected into Sections and Chapters. The Articles present rule clauses as numbered Paragraphs and list any individual specifications thereof as points in bulleted, lowercase letters. For example, point (a) of 13(1) refers to the first bullet in the first paragraph of Article 13 (see next section).
Article 13 Paragraph 1: Initial Notification Provided to Data Subject
In any situation in which personal data about an individual is collected from that individual, the data controller responsible for the collection must notify the data subject when it is collected. A data controller is any GDPR-eligible company or a defined executive representing it. The data subject is the individual to whom the data belongs.
According to GDPR 13(1), notice to subjects must provide the following:
- Contact information for the data controller, such as names, telephone numbers, or email addresses of the controllers themselves or representatives thereof, where applicable
- Contact information for the GDPR Data Protection Officer (DPO), where applicable
- The purposes for which the data in question was collected, such as what processing procedures will be applied to it and an applicable legal basis for the processes
- The data controller’s legitimate interests that provide the grounds for the collection, per point (f) in Article 6(1), for any case in which this is the only basis for the processing
- The direct recipients of the data, if any, or the categories of recipients of the data
- The intention of the data controller to transfer the personal data to a third party or country, to the extent that the intention exists—including providing notice about any applicable adequacy decisions made by the EU Commission, details regarding the transfer of data per Articles 46, 47, and 49, and how to obtain copies of the data
Staying compliant with this rule requires scanning and visibility to detect all new instances of data collection, along with capacities to halt processes until notice and consent are exchanged.
Article 13 Paragraph 2: Requirements for Data Processing Notice
The data controller must also provide notice to the data subject, at the time when data is collected, of any further information needed to ensure safe processing. Examples include:
- The expected period for which data will be stored, or—if it is impossible to calculate accurately—adequate notice regarding the factors that would determine this duration.
- The existence of relevant rights of the data subject, as defined across GDPR Chapter 3.
- The right to withdraw consent at any time, without impacting the lawfulness of the data processing, for any process based on point (a) of Article 6(1) or point (a) of Article 9(2).
- The right to file a formal complaint about data processing with a supervisory authority.
- Any applicable contractual agreements or status contingent upon the data transaction, including any potential consequences for data subject for failure to uphold their end.
- The existence of any automated data processes for decision making, such as profiling (e.g., information on logic and possible consequences) detailed further in Article 22
Controls needed for this rule mirror those required for 13(1)—visibility infrastructure is necessary.
Article 13 Paragraph 3: Additional Notification for Added Processes
For any circumstance in which the data controller intends to further process collected data beyond the initially communicated scope, they must notify the subject prior to engaging in any as-yet-undisclosed processes. These disclosures must follow the same rules detailed above.
13(3) requires companies to exercise control over existing data processes and processing agreements, including infrastructure implementations for facilitating real-time notification and consent renewals.
Article 13 Paragraph 4: Exception Nullifying 13(1), 13(2), and 13(3)
Paragraphs 1, 2, and 3 of Article 13 only apply if the data subject doesn’t already have all information about data collection. If they have already been informed, 13(1), (2), and (3) are null.
There are no additional controls required for, nor that could facilitate, following this rule.
Article 14: The Right to Notification When Data Isn’t Collected
The GDPR rights to access of information regarding personal data collection also pertain to the absence thereof—again, both for data subjects’ personal records themselves and any metadata concerning them—per Article 14. This includes instances where the data controller obtains data belonging to the data subject but not via direct collection.
Five Paragraphs substantiate the applicable rules companies must follow to uphold this right for data subjects; all Paragraphs but one break down into specific points.
Article 14 Paragraph 1: Initial Notice Regarding Data Possession
In any situation where personal data is obtained by a data controller but not collected directly from the data subject, the controller must notify the subject. The specific requirements for this notice are nearly identical to those defined in Article 13(1) above:
- Contact information for the data controller or their representative, where applicable
- Contact information for the DPO in charge of the personal data, where applicable
- Information regarding the data processing purposes and legal basis for processing
- The specific categories of personal data obtained, to the extent they fit categories
- The recipients of the personal data, or categories thereof, if intended for transmission
- The intention to transmit to a third party or country, equivalent to point (f) in Article 13(1)
The only differences between these specifications and those detailed above for 13(1) are that these primarily concern data obtained through third-party or other indirect means. Companies should consider implementing a third party risk management (TPRM) solution to help ensure compliance.
Article 14 Paragraph 2: Additional Requirements for Notification
As with 13(2), the data controller must provide additional information to the data subject that is required for fair and safe processing of their data. The specific requirements for the notice are:
- The expected duration for which the data will be stored, or factors to determine it
- The legitimate interests of the data controller that justify processing, per Article 6(1)
- The existence of the data subject’s right to request access to the data, the rectification thereof, or a restriction of processing, along with other rights detailed across Chapter 3
- The right to withdraw consent, per Articles 6 and 9, laid out in point (c) of Article 13(2)
- The right to file a formal complaint about data processing with the supervisory authority
- The source(s) from which the data originate and whether they were public or private
- The existence of automation, per Article 22, as detailed in point (f) of Article 13(2)
Again, these rules are nearly identical to the corresponding ones in Articles 13(1) and 13(2). However, point (f) introduces a new aspect concerning companies’ vigilance and visibility.
Article 14 Paragraph 3: Timelines for Disclosure of Data Processing
Unlike in Article 13(1), the notifications detailed in Articles 12(1) and 12(2) are not required to be sent immediately or without delay. Instead, data controllers must provide the notification within:
- A reasonable amount of time after obtaining the data (one month at most), considering the obtainment and intended processing methods
- The time of first communication with the data subject, for cases where the personal data obtained is related to communication with the subject (i.e., contact information)
- The time of first disclosure to another recipient, if that disclosure is envisaged
This rule actually allows for more flexibility for companies processing EU citizens’ data if it’s obtained from public or third-party sources. However, open communication channels are still required.
Article 14 Paragraph 4: Additional Notification for Different Processes
A new notice is required if the data controller intends to use the data for any other purpose beyond the reasons specified upon initial obtainment. Specifically, the data controller needs to provide notice equivalent to or exceeding the information detailed in Articles 14(1) and 14(2). As with Article 13(2), no additional controls are needed beyond robust visibility infrastructure.
Article 14 Paragraph 5: Exceptions Nullifying 14(1) through 14(4)
Like Article 13, Article 14 ends with a disclaimer nullifying its preceding rules in 14(1)-(4), if:
- The data subject is already fully aware that the data controller has obtained their data.
- The provision of information detailed in 14(1)-(4) is impossible, disproportionately burdensome to achieving stated scientific or public-interest purposes, as defined in Article 89(1); in these cases, the controller must still protect other data subject rights.
- The obtainment or disclosure of data is overseen by an EU State’s laws to which the data controller is subject, providing appropriate protections superseding 14(1)-(4).
- The personal data is bound to confidentiality by the EU or an EU Member State.
As with 13(4), no additional controls are required for, nor facilitate, following these rules.
Article 15: The Right of Access to Personal Data by the Subject
Finally, the GDPR rights to access of information concern personal data proper, insofar as the controller has obtained it from the data subject or a third party. In practice, companies need to be ready to provide additional notices upon request. This Article concerns the specific data processes used on the data, along with clear, complete communication thereof, per four Paragraphs. Only the first Paragraph, Article 15(1), breaks down further into applicable points.
Article 15 Paragraph 1: Availability of Data Processing Information
The data controller must make information pertaining to a data subject’s data available upon request from the data subject. This applies in addition to the notices detailed in Articles 13 and 14. The information required includes details related to processing, including the following:
- The intended purposes of any processes likely to be enacted on the subject’s data
- The categories of the to-be-processed personal data owned or operated by the controller
- The recipients or categories thereof to whom data is disclosed, pre- or post-process
- The period for which data will be stored, if known, or factors to calculate duration
- The data subject’s rights to request rectification of the data or restriction of processes
- The data subject’s right to file a formal complaint with the relevant supervisory authority
- Any available information about the source(s) of data, if not collected from the subject
- The existence of automation, per Article 22, as detailed in point (f) of Article 13(2)
There is much crossover and overlap here with Articles 13 and 14. However, a key difference is that companies need to be ready to provide this information to data subjects at any time. On-demand facilitation requires storage and easy access to the information, ideally via centralized dashboard functionality. A file integrity monitoring (FIM) or security information and event management (SIEM) is apt for this.
Article 15 Paragraph 2: Availability of Information on Data Transfers
Data controllers must acquiesce to data subjects’ requests for information pertaining to the transfer of their data to a third country or any information related to safe transfer (per Article 46).
These requests may be made at any time, so companies need to keep records long after transfers are made. This is another rule for which TPRM or FIM assist compliance efforts.
Article 15 Paragraph 3: Copies of Data Undergoing Data Processing
Data controllers must provide at least one copy of any individual piece of personal data to the data subject if it is undergoing processing. Beyond the first copy, the data controller may charge a reasonable fee to the data subject for any subsequent copies, commensurate to the administrative costs of creation, maintenance, and distribution.
All copies may be provided in widely used electronic forms unless requested otherwise. Following this rule requires extra bandwidth and server capacities to handle all potential copy requests. Automation also helps.
Article 15 Paragraph 4: Restrictions on the 15(3) Right to a Copy
As with Articles 13 and 14, Article 15 ends with a disclaimer. However, this is specific to 15(3)—the right to a copy must not adversely affect any other individual’s rights or freedoms. If, and to the extent that it does, the right to a copy will be nullified. No extra controls are needed for this rule.
Rethink Your EU GDPR Compliance and Overall Cybersecurity
Maintaining EU GDPR compliance presents organizations with significant challenges. First, the framework is relatively new, and companies based in the U.S. especially must onboarding many new controls all at once. Second, the framework itself is extremely robust—the Articles detailed in this blog are just three of the GDPR’s total 99. And, finally, continuously changing security and cybercrime environments complicate all regulatory compliance.
RSI Security is dedicated to helping companies protect their clients’ right of access to personal data and all other GDPR-guaranteed rights.
To get started on compliance, contact RSI Security today!