The right of access grants individuals (data subjects) the right to obtain a copy of their personal data and other supplementary information from a Data Controller or Data Processor. However, this right is not absolute, and the GDPR allows EU Member States to introduce restrictions to this fundamental right through their own national legislation.
Exemptions allow Data Controllers and Data Processors to refuse to provide, wholly or in part, the information requested by the Data Subject.
Under Maltese law (S.L. 586.09), a number of exemptions were introduced, each having its own distinct application. Whilst certain exemptions apply due to the nature of the personal data in question, others apply because of the prejudice which may be caused by allowing a right of access to certain information.
Hence, it is very important that exemptions are not applied in a blanket fashion and that each data subject access request is considered on a case-by-case basis. Controllers and processors of data need to ensure strict compliance with the law and adherence to the principle of accountability by also having strong documented justifications when relying on such exemptions.
When an exemption is applied, controllers and processors of data have an obligation to inform the data subjects of the reasons why such exemption was applied, of their right to file a complaint with the IDPC, and of the facility to seek judicial redress against such a decision.
Whenever possible, controllers and processors of data need to be transparent about the reasons why an exemption was applied. However, in exceptional circumstances in which they are in a position to prove that being transparent about those reasons would prejudice the purpose of the exemption, their response may be more general.
A breach of the right of access may attract heavy administrative fines, besides exposing controllers and processors of data to a claim for damages (including moral damages) by the data subject.