The right of access is designed to give people more control over their personal data. It also allows them to check that you are following the rules.
Have you received a request for access? If so, you must provide the following information:
A copy of the personal data the person wants to see.
Information about the processing.
Copy of personal data
Would someone like to inspect all the personal data you have on him/her? Then, in principle, he/she has the right to do so. This includes personal data from e-mails, any recorded telephone conversations and any correspondence you may have had with third parties about him/her.
But it is also possible that someone only wants more information about the processing (see below), or only wants access to part of the personal data, for example to check that you have not recorded an unnecessarily large amount of personal data in his/her personal file.
Information about processing
When someone requests access, you must also let the data subject know:
Why you process certain data.
What types of personal data you collect.
If applicable, to which organizations you transfer the personal data. This also applies to data you transfer to organizations in other countries or to international organizations.
How long you keep the personal data. If you cannot specify exactly, you should be able to clarify the criteria you use to determine a retention period.
What privacy rights people have: the right to have their personal data amended, supplemented or deleted, to ask you to process less personal data, and to object if you process their personal data.
That people have the right to file a complaint with the Autoriteit Persoonsgegevens.
If applicable, from which organization you received personal data if you did not collect it yourself from the individuals involved.
If applicable, based on what logic you make an automated decision about someone.
Much of this information is probably already in your privacy statement.