Right of access
In a similar way to the subject access request under the DPA (see above), a data subject has the right under Article 15 of the GDPR to know whether a data controller is processing personal data about him or her. The most significant difference is that the data controller must generally provide the information under the GDPR free of charge. The data subject should be able to exercise that right easily and at reasonable intervals in order to be aware of and verify the lawfulness of the processing.
Article 15 provides that, where his or her personal data is being processed, the individual has the right to access both the data and the following information:
• the purposes of the processing;
• the categories of personal data concerned;
• who the data has been or will be disclosed to;
• how long the data will be stored, if possible, and if not possible, the criteria used to decide how long it will be stored;
• his or her right to request rectification, erasure or restricted processing of personal data, or to object to the processing;
• the right to lodge a complaint with a supervisory authority (the ICO);
• if the data was not collected from the individual, any information about where it came from; and
• the existence of automated decision-making, including profiling, and meaningful information about the logic and consequences of that processing.