The controller's obligations

In order for data subjects to check the processing of their personal data, the Privacy Act provides for an access right, linked to a right of communication.

Very concretely, as a controller it is compulsory for you to communicate the following information when data subjects exercise their access right:

  • whether data about them are processed or not;
  • the purpose for which the data are processed; 
  • the nature of the data;
  • the origin of the data;
  • the categories of recipients to whom the data are provided.

As a controller you must also provide the data processed in an understandable form.

The access right does not necessarily imply that you hand over the file containing the personal data to data subjects, or that they must be able to see them on your computer screen, nor do you have to give data subjects a copy of the data processed. In other words, it is sufficient for the data to be communicated. How you do this is up to you.

Exercising the access right is free of charge.

In order to exercise their access right data subjects must address a request to you proving their identity, which means that the best thing to do is add a copy of their identity card to the request.
Moreover, the request needs to meet a number of formal requirements. Pursuant to the Privacy Act a dated and signed request is necessary. Data subjects must send you the request by letter or using a means of telecommunication (e.g. fax or e-mail with electronic signature), but they can also hand it over in person.

If these conditions have been met, you must communicate the requested and available information about the data processed relating to the data subject, at the latest 45 days after receiving the request.

If you do not react or refuse, or if your answer is inadequate, data subjects can always address the Authority which will try to have their right respected in the context of its power of mediation.