When responding to a data subject access request under the EU General Data Protection Regulation (GDPR) you must disclose all the relevant personal data you hold and provide all information required by Article 15 of GDPR – all in a clear, easy-to-understand way. A new complaint by public interest organization NOYB against media streaming services shines a spotlight on this GDPR right:
To comply with the right to access, controllers must disclose all data they hold and which could render the individual identifiable, including cookies, online identifiers, tracking technologies, beacons, IP addresses, pixels tags or device identifiers. You must disclose:
- purpose
- categories
- recipients
- retention
- sources (if not the individual)
- transfers outside the EU
- the individual’s right to right to request rectification, restriction of or objection to processing
- the individual’s right to lodge a complaint
- the existence of automated processing / profiling
You must provide the information in a manner clearly readable by the average consumer. Machine readable format will not suffice without also providing an explanation, software or other means to make the data readable and understandable.