This year, the Autoriteit Persoonsgegevens (AP) will join with other European privacy regulators to investigate the extent to which organizations comply with the rules on the right of access. In the coming period, the AP will audit companies and governments in the Netherlands. The investigation is a joint project of the European privacy regulators, united in the European Data Protection Board (EDPB).
People have the right to access (1) the personal data that organizations process about them (2). This right is intended to give people more control over their personal data. It also allows them to check that organizations are following the rules when processing their data. When someone requests access to an organization, the organization must not be secretive about what data the organization has on this person, where it came from and what happens to it.
Once people have had access to their data, they can use their other privacy rights (3). For example, they can ask the organization to change their data if it is incorrect. Or to delete their data, for example, if the organization is using it in violation of the law.
In practice, things regularly go wrong when people want to access their data. The AP often receives complaints about this. For example, about organizations that do not respond or respond too late to a request for access.
In the coming period, the AP will approach various organizations with a questionnaire. The approach is to explore how organizations shape the right to access in practice. If the answers reveal possible violations, the AP can investigate them further and enforce them where necessary.
The EDPB will compile and report results from all participating countries.
(1) https://www.autoriteitpersoonsgegevens.nl/themas/basis-avg/privacyrechten-avg/recht-op-inzage
(2) https://www.autoriteitpersoonsgegevens.nl/themas/basis-avg/privacy-en-persoonsgegevens/verwerken-van-persoonsgegevens
(3) https://www.autoriteitpersoonsgegevens.nl/themas/basis-avg/privacyrechten-avg
