Module 5 · Access and rectification (Articles 15 & 16)
Two foundational data subject rights. The right of access (Article 15) lets a person obtain confirmation that their data is processed, a copy of their personal data and details about the processing. The right to rectification (Article 16) lets them correct inaccurate data and complete incomplete data without undue delay, generally within one month.
Under the right of access (Article 15) the controller must, on request, confirm whether it is processing the person's data and, if so, provide a copy of the personal data plus details: the purposes; categories of data; recipients (especially in third countries); the retention period or criteria; the rights to rectify, erase, restrict, object and complain; the source if not collected from the data subject; the existence of automated decision-making with its logic, significance and envisaged consequences; and safeguards for international transfers.
- Controller must verify identity before disclosing.
- Access is free of charge - a fee is allowed only for additional copies or manifestly unfounded/excessive requests.
- Provide in the same format as the request where possible.
- The data subject needs no reason to make an access request.
The right to rectification (Article 16) requires correcting inaccurate data and completing incomplete data without undue delay, generally within one month. The data subject may add a supplementary statement. A refusal must be explained (within ~one month) and the data subject may complain or seek a remedy. Rectification must propagate across ALL systems and be notified to any third parties the data was shared with.
Access reveals the recipients and retention period of data - but NOT the technical means of data storage. That detail is a classic distractor.