The General Data Protection Regulation is a device that protects the personal data of individuals. Companies in the field of data processing, whether they are data controllers or subcontractors, are required to comply with this regulation. Find out in our article about the data controller’s obligation of transparency.
The available means of information
Data subjects are the persons whose data is collected and processed. The obligation of transparency implies that the data subjects have the right to request information from the data controller. The latter must comply with several conditions imposed by the Regulation. In principle, the information must be concise, comprehensible, accessible, clear and simple. The provision of information is made at the request of the data subject. The request may be made by electronic means. In this case, the information shall be provided by electronic means. However, it may be provided in writing. Oral communication is also possible.
Time limits to be respected by the controller
The controller must provide the information within one month. It runs from the date of receipt of the request. This period may be extended due to multiple requests. It is limited to a period of two months, but the controller must inform the data subject of the reasons for the extension. The controller has the right not to comply with the data subject’s request. It must notify the data subject of the reasons for its inaction within one month. Thus, this refusal entitles the applicant to appeal to the court or the administrative supervisory authority.
Questions relating to the costs of providing information
The information provided is free of charge except in specific cases provided for in the Regulations. This applies to unfounded, excessive or repetitive requests from data subjects. In such situations, the controller may request payment of a reasonable sum or refuse to provide the information. The information to be provided is already provided for in the Regulation. The right to information GDPR differentiates between the information to be provided if the data are collected from the data subjects or other persons. The law also sets out further information to be provided if the controller intends to further process the data.