Date: March 03, 2022
Modified November 14, 2023
Written by: Sander Poelman
Reading time: +/- 2 minutes
Since May 25, 2018, the General Data Protection Regulation (AVG) has been in effect in the Netherlands. The purpose of the AVG is to protect personal data. A personal data is any information that can be traced back to a natural person. The AVG offers the person to whom the personal data belongs the right of inspection. That person can inspect his personal data with the person responsible for processing his data. The latter is then the data controller.
Many companies are data controllers and therefore face requests for access to personal data. As a company, do you always have to comply with such a request for inspection?
The processing of personal data must be done lawfully, properly and transparently. Part of this is that the data subject (the person whose personal data are being processed) has the right to access his personal data. In practice, the data subject is entitled to the following.
First and foremost, the data subject has the right to obtain information as to whether or not his data are being processed. If so, he also has the right to additional information, such as:
In addition, the data subject must be informed of his right to have the data deleted, or rectified. Internal and external complaint procedures must also be made clear to him. All of this information must become clear from the perusal to which a data subject is entitled.
The right of inspection is thus a very far-reaching right. It offers the data subject the opportunity to check the lawfulness of the processing of his data. For companies, this means extra work.
The person responsible for processing provides the data subject with a copy of the personal data. This does not mean that the person is entitled to the document containing those personal data. The person responsible is expected to allow inspection as much as possible electronically. In this way, the data can be viewed directly and easily by the data subject. This can be done, for example, by sending an e-mail with a copy or an overview of the data.
No charge may be made for inspection. If the data subject requests more than one copy of their personal data, a fee may be charged for the additional copies. This is then a reasonable compensation for the administrative costs. This does not include repeated requests for the same data. No costs may be charged for this.
The right of inspection, as mentioned, is far-reaching, but it also has limits. A company does not always have to grant a request. The following exceptions apply.
The purpose of the right of inspection is to give a data subject insight into his personal data. In this way he can check whether they are correct and processed lawfully. If the right of inspection is used for a different purpose, it may be an abuse of rights. If a data subject also has other interests, there is no question of an abuse of rights.
Recently, the court ruled that the right of inspection cannot be used to access a trial file of a lawsuit to which the individual is not a party. Court files are not public. The right of inspection cannot be used to gain access to such a file.
The Dutch implementation law of the AVG also provides general grounds for refusal of a search request. These include matters related to national security and protection of the rule of law. The protection of the rights and freedoms of others can also be a ground for refusing a request for inspection. To do so, however, the request must be so disproportionate that those rights and freedoms are affected. This will not happen quickly.
The right to obtain a copy of personal data should not interfere with the rights and freedoms of others. For example, to the extent that a copy of personal data contains confidential information, it need not be provided. Patent or copyright, for example, may also prevent the provision of a copy. However, it must always be considered to what extent the personal data can be provided. If necessary, confidential data can be removed or deleted.
The right of inspection is a far-reaching right of a data subject. The data subject must be able to check whether their personal data are being processed and, if so, whether this is done correctly and lawfully. It is difficult for you as the company responsible for processing to refuse a request to that effect. Exceptions are possible, but they will not occur often.
Are you unsure if you can refuse a request for access or do you have other questions about personal data or the AVG? If so, please feel free to contact our experts in the Privacy team. We will be happy to help you further.
As attorneys for business owners , we understand the importance of staying ahead. Together with us, you will have all the opportunities and risks in sight. Feel free to contact us and get personalized information about our services.