Right to Inspection/access
Questions on Access
In principle, citizens have the right of inspection all their personal data.
Response period: within four weeks by letter or e-mail.
Exception: eight weeks if complex and/or multiple requests made to the same organization. If more time is required, the organization must notify you within four weeks that it is going to take longer and why.
When a request for inspection is made, the organization must first verify the identity of the person making the request. This can be done in several ways. Most of the time, the organization will not be allowed to ask for a copy of the person’s ID, unless it indicates that this is indispensable for the verification.
Condition: The organization must offer a guaranteed secure way of conveying the verification document
What can be checked by means of an inspection request?
Persons making such a request must be able to check that their data are correct and/or if the organization has processed the data correctly. This includes learning with whom the organization shares the data and for what purpose.
What information should requesters receive?
- A copy of their personal data or
- A full overview
- Additional information such as:
- For what purposes the data is used.
- The type of data being used.
- With whom the data is shared.
- Any transfers of their personal data outside Bonaire, Sint Eustatius and Saba.
- The retention period of the personal data.
- What privacy rights the requester has.
- How the organization obtains the personal data.
- Whether the organization makes automated decisions about people, including profiling.
What if any of the data are incorrect?
If any of the data are incorrect or are being used unlawfully, the requester may ask for these to be corrected or removed.
Is an organization allowed to deny an inspection request?
- Sometimes, but only in very exceptional cases (for instance, if a disproportionate number of requests is being made). The Law also mentions other cases in which an organization may deny an access request.
- If an access request would result in an extremely high administrative burden for the organization, then, in exceptional cases the access request may also be denied.
In some cases, an organization may refuse a requester access to his or her personal data. For example, if this is necessary in the interests of:
- the security of the state;
- the prevention, detection and prosecution of acts punishable by law;
- serious economic and financial interests of the state or other public bodies;
- supervision of compliance with statutory provisions imposed for the interests referred to under b and c, or
- the protection of the person concerned or of the rights and freedoms of others.
Partial denial of access
The organization may partially deny an access request, for instance, to protect information contained in the file which pertains to someone else.
Arguments for denial
The organization must be able to show that it has carefully weighed the interests of all parties involved.