How to Demonstrate Compliance With GDPR Article 15

GDPR Compliance Software

Book a demo

group,of,happy,coworkers,discussing,in,conference,room

Article 15 deals with an organisation’s obligation to provide consistent, reliable and accurate information pertaining to their activities as a data controller.

The information that organisation’s provide to data subjects allows individuals to increase their awareness of how their data is being used, control how their data is being processed and shared, and ensure that their data is being handled lawfully.

GDPR Article 15 Legal Text

UK GDPR Version

Right of access by the data subject

  1. The data subject shall have the right to obtain from the controller confirmation as to whether or not personal data concerning him or her are being processed, and, where that is the case, access to the personal data and the following information:
    • the purposes of the processing;
    • the categories of personal data concerned;
    • the recipients or categories of recipient to whom the personal data have been or will be disclosed, in particular recipients in third countries or international organisations;
    • where possible, the envisaged period for which the personal data will be stored, or, if not possible, the criteria used to determine that period;
    • the existence of the right to request from the controller rectification or erasure of personal data or restriction of processing of personal data concerning the data subject or to object to such processing;
    • the right to lodge a complaint with the Commissioner;
    • where the personal data are not collected from the data subject, any available information as to their source;
    • the existence of automated decision-making, including profiling, referred to in Article 22(1) and (4) and, at least in those cases, meaningful information about the logic involved, as well as the significance and the envisaged consequences of such processing for the data subject.
  2. Where personal data are transferred to a third country or to an international organisation, the data subject shall have the right to be informed of the appropriate safeguards pursuant to Article 46 relating to the transfer.
  3. The controller shall provide a copy of the personal data undergoing processing. For any further copies requested by the data subject, the controller may charge a reasonable fee based on administrative costs. Where the data subject makes the request by electronic means, and unless otherwise requested by the data subject, the information shall be provided in a commonly used electronic form.
  4. The right to obtain a copy referred to in paragraph 3 shall not adversely affect the rights and freedoms of others.

EU GDPR Version

Right of access by the data subject

  1. The data subject shall have the right to obtain from the controller confirmation as to whether or not personal data concerning him or her are being processed, and, where that is the case, access to the personal data and the following information:
    • the purposes of the processing;
    • the categories of personal data concerned;
    • the recipients or categories of recipient to whom the personal data have been or will be disclosed, in particular recipients in third countries or international organisations;
    • where possible, the envisaged period for which the personal data will be stored, or, if not possible, the criteria used to determine that period;
    • the existence of the right to request from the controller rectification or erasure of personal data or restriction of processing of personal data concerning the data subject or to object to such processing;
    • the right to lodge a complaint with a supervisory authority;
    • where the personal data are not collected from the data subject, any available information as to their source;
    • the existence of automated decision-making, including profiling, referred to in Article 22(1) and (4) and, at least in those cases, meaningful information about the logic involved, as well as the significance and the envisaged consequences of such processing for the data subject.
  2. Where personal data are transferred to a third country or to an international organisation, the data subject shall have the right to be informed of the appropriate safeguards pursuant to Article 46 relating to the transfer.
  3. The controller shall provide a copy of the personal data undergoing processing. For any further copies requested by the data subject, the controller may charge a reasonable fee based on administrative costs. Where the data subject makes the request by electronic means, and unless otherwise requested by the data subject, the information shall be provided in a commonly used electronic form.
  4. The right to obtain a copy referred to in paragraph 3 shall not adversely affect the rights and freedoms of others.

We’re cost-effective and quick

Discover how that will boost your ROI
Get your quote

Technical Commentary

Article 15 contains three fundamental rights that are held by the data subject:

  1. the right of access (including the right to receive confirmation of processing and further information about the processing);
  2. the right to receive information about safeguards;
  3. the right to receive a copy of the personal data;

Article 15 also outlines some limits to the right of access (see above). Where such access infringes upon the rights and freedoms of others, organisations are able to refuse requests for copies of data.

Also, where such requests are deemed excessive or manifestly unfounded, organisations are able to charge a ‘reasonable fee’, to combat the repetitive nature of information requests.

ISO 27701 Clause 7.3.2 and EU GDPR Article 15

In this section we talk about GDPR Articles 15 (1)(a), 15 (1)(b), 15 (1)(c), 15 (1)(d), 15 (1)(e), 15 (1)(f), 15 (1)(g), 15 (1)(h) and 15 (2)

Organisations should outline a detailed set of requirements that govern how and when information is to be provided to PII principals.

Examples include:

  • the underlying purpose of the data that’s being collected and processed;
  • contact details;
  • how and where the PII was obtained;
  • contractual and/or statutory requirements;
  • how consent can be removed;
  • PII transfers;
  • how to log a complaint;
  • how the organisation makes decisions on the processing of PII;
  • information retention periods.

ISO 27701 Clause 7.3.8 and EU GDPR Article 15 (3) & (4)

Organisations need to provide copies of PII data in a user-friendly, easily accessible format.

Organisations should ensure that any information provided relates solely to the PII principal who requested it in the first instance.

If PII has been de-identified, then attempts should not be made to re-identify, unless the organisation is legally required to do so.

Organisations should also explore methods of transferring the PII directly to another organisation, if requested to do so.

See ISMS.online
in action

Book a tailored hands-on session
based on your needs and goals
Book your demo

Simple. Secure. Sustainable.

See our platform in action with a tailored hands-on session based on your needs and goals.

Book your demo
img

ISO 27701 Clause 7.3.9 and EU GDPR Article 15

In this section we talk about GDPR Articles 15 (1)(a), 15 (1)(b), 15 (1)(c), 15 (1)(d), 15 (1)(e), 15 (1)(f), 15 (1)(g), 15 (1)(h)

Requests can include a copy of the PII, or the registration of a complaint, and should be completed within a reasonable response time.

Organisations may also charge a handling fee, but this is usually limited to excessive or repetitive requests, and is dependant on the jurisdiction that the organisation is operating within.

ISO 27701 Clause 7.4.5 and EU GDPR Article 15 (2)

Organisations either need to either destroy any PII that no longer fulfils a purpose, or amend it in a way that prevents any form of principal identification.

ISO 27701 Clause 7.5.1 and EU GDPR Article 15 (2)

The need may arise to transfer PII between two distinct jurisdictions. When this occurs, organisations should justify and document the need for doing so.

Organisations should take all relevant laws, frameworks and regulations into account whenever they need to transfer data between jurisdictions. Organisations should also document the use of a designated supervisory authority, where relevant.

ISO 27701 Clause 8.3.1 and EU GDPR Article 15 (3)

Organisations need to ensure adequate means to fulfil their obligations, across three key areas:

  • legislation;
  • regulation;
  • contracts.

Index of Linked EU GDPR Articles and ISO 27701 Clauses

GDPR ArticleISO 27701 ClauseISO 27701 Supporting Clauses
EU GDPR Article 15 (1)(a) to 15 (2)ISO 27701 7.3.2None
EU GDPR Article 15 (3) and 15 (4)ISO 27701 7.3.8None
EU GDPR Article 15 (1)(a) to 15 (1)(h)ISO 27701 7.3.9None
EU GDPR Article 15 (2)ISO 27701 7.4.5None
EU GDPR Article 15 (2)ISO 27701 7.5.1None
EU GDPR Article 15 (3)ISO 27701 8.3.1None

How ISMS.online Helps

ISMS.online provide an environment that’s been pre-built for you to describe and demonstrate your approach to protecting your European and UK customer data that fits seamlessly into your management system.

GDPR is generally regarded as the toughest privacy and security regulation in the world, with breaches resulting in significant fines. It can be ambiguous and open to interpretation, suggesting that organisations must provide a ‘reasonable’ level of protection for personal data.

ISMS.online makes it easy for you to jump straight into your journey to GDPR compliance and to easily demonstrate level of protection that goes beyond ‘reasonable’, all in one secure location.

Find out how ISMS.online can help you demonstrate compliance with GDPR by booking a hands on demo.

Discover our platform

Book a tailored hands-on session
based on your needs and goals
Book your demo

Explore ISMS.online's platform with a self-guided tour - Start Now