Article 15 states that data controllers must confirm to data subjects whether their personal data is being processed and, where it is, provide them with a copy of that personal data (provided it does not adversely affect the rights and freedoms of others).
They must also state:
- The purposes of the processing;
- The categories of personal data involved;
- The recipients (or categories of recipients) to whom the personal data has been or will be disclosed;
- The envisaged period for which the personal data will be stored (or, if this is not possible, the criteria used to determine that period);
- The existence of the right to request that the controller rectify or erase the personal data or restrict processing, or to object to processing;
- The right to lodge a complaint with a supervisory authority;
- Where the personal data has not been collected directly from the data subject, any available information about its source; and
- The existence of automated decision-making, including profiling, and meaningful information about the logic involved, as well as the significance and the envisaged consequences for the data subject of such processing.
Data controllers must respond to data subject access requests within one month of receiving them.