CNIL: Data subject access request

Homepage | News

The right of access

The right of access is reinforced by the GDPR.

The controller must:

  • Inform the persons concerned about the existence of their right of access;
  • Give access to the data subject by effective means (form, contact details), so that they easily exercise their right of access;
  • Establish internal procedures for processing access requests;
  • Provide comprehensible, accessible procedures to the data subjects;

This right may be exercised by the data subject or by his proxy.

To exercise his rights, the applicant must prove his identity. This proof can be provided through different means. Thus, it is not necessary to attach a photocopy of an identity document when exercising a right if the identity of the person has been sufficiently established.

However, if the controller has a “reasonable doubt” as to the identity of the requester, he or she may ask him / her to attach any other document proving his or her identity. 

According to Article 12 (3) of the GDPR, the controller shall, without undue delay and in any event within one month of the receipt of the request, provide the requester with information on the action taken. However, there is a possibility to extend the deadline by two further months, “given the complexity and the number of requests”, provided that the person concerned is informed within one month of receiving the request.

The CNIL has also specified the means of communicating the data. Requests can be made on site or in writing (postal or electronic).

The CNIL also indicated that if the controller does not take action on the request of the data subject, the controller shall inform the data subject, without delay and at the latest within one month of receipt of the request, of the reasons for not taking action and on the possibility of lodging a complaint with a supervisory authority and seeking a judicial remedy.