
What is GDPR? Part 1 - Right to access


GDPR is a set of European rules that will help people keep control of their data. It allows them to see what data is stored, where it is stored, and why it is stored. It also allows them to request access to their data and ask for it to be deleted. Certain parts of GDPR are very well known, such as the cookie pop-ups. But there is much more to it than that.

In this multi-part blog post, we'll dive into the different parts of GDPR and how it affects you.

EU

Each European country has its own version of the GDPR. But they are all based on the same rules. They are known by different names in different countries, but the rules are mostly the same.

List of names for GDPR:

  • GDPR (General Data Protection Regulation)
  • [NL] AVG (Algemene Verordening Gegevensbescherming)
  • [DE] DSGVO (Datenschutz-Grundverordnung)
  • [FR] RGPD (Règlement général sur la protection des données)
  • [ES] RGPD (Reglamento General de Protección de Datos)
  • [IT] GDPR (Regolamento generale sulla protezione dei dati)
  • [PT] RGPD (Regulamento Geral sobre a Proteção de Dados)
  • [PL] RODO (Rozporządzenie o Ochronie Danych Osobowych)
  • [CZ] GDPR (Nařízení o ochraně osobních údajů)

Inside and outside the EU

GDPR applies to ALL companies that hold data on EU citizens. So even if you're not based in the EU, you still need to comply with GDPR if you have customers in the EU.

So even if you're not an EU citizen, you'll probably still have to deal with GDPR in some way.

The GDPR is the largest set of data protection rules in the world. It is therefore likely that other countries will adopt similar rules in the future.

Basic rights

The GDPR is based on a few basic rights that every person on the Internet should have.

These rights are:

Because this is a very long and complicated list of rights, we will break this blog post into several parts. Each part will cover a different part of these rights.

Right to access

The right of access is the beginning of all the other rights in the GDPR. It requires you to tell people what data you hold about them, if any.

How does this work?

Any person (whether or not they are already a customer) can ask if they are a data subject. This means that they want to know if you have data about them. This request is called a Subject Access Request. You are required to respond to a subject access request within 30 days. You are also not allowed to charge a fee for processing this request.

The request must be answered with the following information:

  • Why you have this data
  • What types of data you have about them (the categories of personal data)
  • Who you share this data with
  • How long you plan on storing this data
  • Information about other GDPR rights, such as the right to erasure
  • Where you got this data from
  • Whether you use this data for automated decision making, which may include profiling
  • Whether you transfer this data outside the EU

All of this information needs to be presented in an open format that is easy to understand. This means that you cannot just send them a copy of your database. You need to provide it in a format that is easy to read and understand.

Can I charge a fee?

In most cases, you may not charge for this service. You may charge an administrative fee if you have multiple requests from the same user or if the data is large.

How much time do I have?

You are required to provide this information within 30 days. In some cases, you can request up to 2 months of additional time if your customer is requesting a lot of data.

Can I refuse?

In most cases, you cannot refuse a request. There are some cases where you can refuse to provide this information, for example if the information contains trade secrets or information about other people.

What if I don't comply?

Failure to comply could result in a fine of up to 20 million euros or 4% of your annual turnover.

How can ToolHive help?

The law requires you to make a reasonable search for the information. ToolHive helps by providing a list of all your tools and the data they contain. This makes it easy to find the data you need to export.

Recap

  • People can ask if you have data about them
  • You must provide this information for free
  • You have 30 days to answer the request
  • You can ask for an extension of 2 months only if the person is asking about a lot of data
  • You must provide this information in an easy-to-understand format