Do individuals have the right to access their personal information?
Data protection jurisdictions tend to guarantee the right of individuals to contact an organization directly and find out whether their personal data is being tracked. Access procedures and acceptable exceptions (such as business secrecy) are determined by law and may be subject to the control of data protection authorities. In the context of HR, personal data access requests can cover information tracked by the company as well as data tracked by third-party solutions, such as background check vendors.
Data subjects have the right to request and obtain confirmation as to whether their personal data is being processed. Where that is the case, individuals must be able to access their personal data and the following information:
- the purposes of the processing;
- the categories of personal data concerned;
- the recipients or categories of recipients to whom the personal data has been or will be disclosed, in particular recipients in third countries or international organizations;
- where possible, the envisaged period for which the personal data will be stored, or, if not possible, the criteria used to determine that period;
- the existence of the right to request rectification or erasure of personal data, to request restriction of processing of data concerning the data subject, or to object to such processing;
- the right to lodge a complaint with a supervisory authority.
In Italy, the data subject’s access rights cannot be used to uncover the identity of a whistleblower.
Every person may directly request that their data be corrected, completed, clarified or erased. Requests can be sent directly to the data controller or to any other actor in the chain of processing. Processors and sub-processors have the obligation to inform the data controller of any request regarding a data subject and shall only proceed with the request under the data controller's instructions. Therefore, the processor shall, whenever possible, assist the data controller with data subjects' requests.
As a general rule, the access request shall be provided free of charge. Where requests from a data subject are manifestly unfounded or excessive, in particular because of their repetitive character, a reasonable fee may be charged. Fees should take into account the administrative cost of providing the information or taking the action requested.
Requests must be answered within one month of receipt. Any delay should be justified, and the justification should accompany the response to the request. The format of the response should match the means used to make the request, unless otherwise requested by the data subject. In other words, if a request is emailed, the response should be sent by email unless the individual requests a mailed letter.
Where the controller has reasonable doubts concerning the identity of the natural person making the request, the controller may request the provision of additional information necessary to confirm the identity of the data subject. However, a reasonable proof of identity is always recommended.
The Italian Supreme Court has stated that employees have the right to access their personal files (documents created relating to their position during employment). If access rights are violated, employees can lodge complaints with the Data Protection Authority. Note that every person may contact the relevant data protection authority within the European Economic Area to receive assistance in the exercise of his or her rights (particularly if the right of access has been denied).
HR Best Practices: When processing an access request from an employee, make sure not to disclose information connected to other employees. Processors and sub-processors should establish official procedures and contacts for employee requests.