Article 15 of GDPR gives a person the right to know what data pertaining to him or her a company holds, how it has been processed, and for what purposes this processing has been carried out. Likewise, a person has the right to know which recipients their personal data has been or will be disclosed to. Finally, information must also be provided about the planned duration of data storage or the criteria for determining this duration. The company does not have an arbitrary amount of time to find this data either: the information needs to be provided within one month.
Companies often underestimate how difficult and time-consuming it is to locate all the data stored about the person in question. The problem is that this information is often not stored in a single format in databases, but rather in unstructured form in e-mails, text documents or presentations. This means it can appear impossible to ensure that all the places where a company stores data about a person have actually been identified. As a result, the company is unable to meet the requirements of GDPR and risks consequences from the responsible data protection authorities.