Article 15 deals with an organisation’s obligation to provide consistent, reliable and accurate information pertaining to their activities as a data controller.
The information that organisations provide to data subjects allows individuals to increase their awareness of how their data is being used, control how their data is being processed and shared, and ensure that their data is being handled lawfully.
Right of access by the data subject
Article 15 contains three fundamental rights that are held by the data subject:
Article 15 also outlines some limits to the right of access (see above). Where such access infringes upon the rights and freedoms of others, organisations are able to refuse requests for copies of data.
Also, where such requests are deemed excessive or manifestly unfounded, organisations are able to charge a ‘reasonable fee’, to combat the repetitive nature of information requests.
In this section we talk about GDPR Articles 15 (1)(a), 15 (1)(b), 15 (1)(c), 15 (1)(d), 15 (1)(e), 15 (1)(f), 15 (1)(g), 15 (1)(h) and 15 (2).
Organisations should outline a detailed set of requirements that govern how and when information is to be provided to PII principals.
Examples include:
Organisations need to provide copies of PII data in a user-friendly, easily accessible format.
Organisations should ensure that any information provided relates solely to the PII principal who requested it in the first instance.
If PII has been de-identified, then no attempt should be made to re-identify it, unless the organisation is legally required to do so.
Organisations should also explore methods of transferring the PII directly to another organisation, if requested to do so.
In this section we talk about GDPR Articles 15 (1)(a), 15 (1)(b), 15 (1)(c), 15 (1)(d), 15 (1)(e), 15 (1)(f), 15 (1)(g) and 15 (1)(h).
Requests can include a copy of the PII, or the registration of a complaint, and should be completed within a reasonable response time.
Organisations may also charge a handling fee, but this is usually limited to excessive or repetitive requests, and is dependent on the jurisdiction that the organisation is operating within.
Organisations need either to destroy any PII that no longer fulfils a purpose, or to amend it in a way that prevents any form of principal identification.
The need may arise to transfer PII between two distinct jurisdictions. When this occurs, organisations should justify and document the need for doing so.
Organisations should take all relevant laws, frameworks and regulations into account whenever they need to transfer data between jurisdictions. Organisations should also document the use of a designated supervisory authority, where relevant.
Organisations need to ensure adequate means to fulfil their obligations, across three key areas:
| GDPR Article | ISO 27701 Clause | ISO 27701 Supporting Clauses |
|---|---|---|
| EU GDPR Article 15 (1)(a) to 15 (2) | ISO 27701 7.3.2 | None |
| EU GDPR Article 15 (3) and 15 (4) | ISO 27701 7.3.8 | None |
| EU GDPR Article 15 (1)(a) to 15 (1)(h) | ISO 27701 7.3.9 | None |
| EU GDPR Article 15 (2) | ISO 27701 7.4.5 | None |
| EU GDPR Article 15 (2) | ISO 27701 7.5.1 | None |
| EU GDPR Article 15 (3) | ISO 27701 8.3.1 | None |
ISMS.online provides a pre-built environment in which to describe and demonstrate your approach to protecting your European and UK customer data, fitting seamlessly into your management system.
GDPR is generally regarded as the toughest privacy and security regulation in the world, with breaches resulting in significant fines. It can be ambiguous and open to interpretation, suggesting that organisations must provide a ‘reasonable’ level of protection for personal data.
ISMS.online makes it easy for you to jump straight into your journey to GDPR compliance and to demonstrate a level of protection that goes beyond ‘reasonable’, all in one secure location.
Find out how ISMS.online can help you demonstrate compliance with GDPR by booking a hands-on demo.