The law does not specify the form in which the Right to Inspection must be implemented. Therefore, we provide guidance on how to comply with your duties as a data controller.
A) If a data subject only wants information about the processing operations, provide at least the following information:
What types of personal data you process about the data subject and why you do so (basis);
From which organization(s) you receive personal data if not given to you directly from the data subject and to which organizations you transfer the personal data (also consider transfers outside the EEA), if applicable;
What the retention periods are;
What privacy rights data subjects have;
Always inform a data subject that they have the right to file a complaint with the Personal Data Authority;
What logic you apply to an automated decision (if any).
B) If a data subject wants a copy of their personal data, that is also form-free. The AP recommends the following 2 ways:
You make a record of all personal data you process about the data subject.
You will make a copy of all documents on which the data subject's personal information appears.
When providing a copy in any of these ways, it is also important that in addition you provide the information mentioned in A.
Thus, it is not mandatory to always physically copy and provide all records to data subjects, but it may be done. This depends very much on the data subject's request and the scope of the inspection request.
Source: DMCC
