Art. 15 GDPR grants the data subject a right of access in relation to the controller. Under this provision, the data subject may require the controller to provide a confirmation by means of which information must be made available as to whether or not personal data concerning him or her are being processed.
If the controller processes the personal data of the data subject, information about the personal data, the purposes of the processing, the categories of the personal data concerned, the recipients or categories of recipients to whom the personal data have been or will be disclosed as well as, where possible, the envisaged period for which the personal data will be stored, or, if not possible, the criteria used to determine that period and the existence of the rights to rectification, erasure, restriction of processing or a right to object and the existence of the right to lodge a complaint with the supervisory authority shall be provided.
Where the personal data are not collected from the data subject, any available information as to their source shall be disclosed. In the case of automated decision-making, including profiling according to Art. 22 (1) and (4) GDPR, at least in those cases, meaningful information about the logic involved, as well as the significance and the envisaged consequences of such processing for the data subject shall be communicated.
Where personal data are transferred to a third country or to an international organisation, the data subject shall have the right to be informed of the appropriate safeguards pursuant to Art. 46 GDPR relating to the transfer. In addition, the controller shall provide a copy of the personal data undergoing processing.