Article 15 of the General Data Protection Regulation (GDPR) states that data subjects have the right to obtain confirmation from data controllers as to whether or not their personal are being processed, what data is being processed, the purposes of the processing, how long the data will be stored for, and who has access to the data. Where the personal data are not collected from the data subject, the controller has to provide any available information as to their source.
Data controllers are also obligated to provide secure, direct access for data subjects to review what information is stored about them. If the data is incorrect or incomplete, data subjects must also be allowed to rectify the data. Where personal data are transferred to a third country or to an international organisation, the data subject shall have the right to be informed of the appropriate safeguards relating to the transfer.
According to the GDPR, data subjects can ask for access to their personal data at "reasonable intervals", and controllers must generally respond within one month.
This means that under the GDPR, data controllers and processors are required to be transparent about how they collect people’s personal data, what they do with it and how they process it. And when required, they must provide the required information in clear, easy to understand and accurate manner.