For organisations: right of access in practice
People have the right of access to the personal data that organisations process of them. This allows people to check whether their personal data is correct. They can also use this right to check whether organisations adhere to the rules when processing their data. On this page you can read how you as an organisation need to deal with requests for access.
On this page
Tips for handling requests
Do you, as an organisation, receive a request for access? If so, consult the general information for organisations about privacy rights in practice first. This page explains how you as an organisation can prepare for requests, among other things. And how you handle these requests.
In addition, there are some points to pay attention to in the following situations regarding the right of access.
Lack of clarity about what data someone wants access to
Is it not clear what personal data someone wants access to? And does it concern a lot of data? Then contact this person to ask what exactly he or she wants access to. Always confirm in writing what you have discussed. This avoids misunderstandings.
Provision of a copy of personal data
Provide a copy of the personal data that someone wants access to. Copies of entire documents are usually not necessary. Making an overview of the personal data often suffices.
This overview allows the applicant to check what personal data you process about this person, whether the personal data is correct and whether you process the personal data correctly (i.e. according to the rules).
Overview of personal data
In this overview you copy all personal data you process of the applicant, unless agreed otherwise with that person. You copy the personal data from the documents containing this data. You then collect all personal data and send this overview to the applicant. Would you like to know what such an overview looks like? If so, view our Access to personal data sample overview.
It must be a complete overview. Therefore, certain personal data may occur more often. For example: if you have recorded someone's name and address in more than one location.
You may also need to provide information about the type of document containing the personal data. For example, by explaining that the personal data occurs in an e-mail or by referring to a file name. The important thing is that the person making the request can clearly understand how you process the personal data.
Exception: Copies of entire documents
Sometimes you need to send copies of entire documents instead of a summary of copied personal data. But that's in exceptional cases only.
This exception applies, for example, when the person making the request needs the entire document in order to exercise privacy rights under the GDPR. Such as the right to rectification or erasure.
You must also send complete documents when the person making the request needs these documents to understand the context in which your organisation processes the personal data.
Note: If you send copies of entire documents, you must consider the privacy of other people. Does the document contain personal data of people other than the person making the request? In that case, you must erase or redact this personal data.
Personal data you do not have to provide
You must provide the applicant with access to personal data so that he or she can check whether it is correct. This means you do not have to provide access to:
- An opinion, statement or personal note from an employee in your organisation.
- A professional analysis of the personal data of the person making the request, such as a legal analysis in a procedure, or a financial report from a bank.
Giving information about access to personal data
People also have the right to know who within your organisation has had access to their personal data. Does someone who submits a request for access to you ask about this? Then you provide an overview of (categories of) employees who have had access. You compile this overview on the basis of your log files.
Giving information about the processing
In addition to a copy of the personal data, you also have to give information about the processing if someone makes a request for access.
Charging costs for extra copies
If the applicant wants extra copies, you are allowed to charge a reasonable fee for them.