Skip to content

The right to access refers to a person’s ability to request that a controller confirms whether it has personal data about them and to receive information about the processing and a copy of that information. While the GDPR confers a right of access, this right predates the GDPR and can be found within other EU laws. For example, the EU Chart of Fundamental Rights, adopted in 2000, states that “[e]veryone has the right of access to data which has been collected concerning him or her.”[1] The right of access is sometimes referred to an as absolute right in the context of the GDPR, because unlike some other rights conferred by the regulation which are dependent upon the lawful purpose of processing (e.g., the right of erasure), the right of access applies regardless of the lawful purpose relied upon by an organization.

When personal data is included in an artificial intelligence (AI) prompt it may, or may not, be stored after the AI has completed its task and returned a response to the prompt. If prompts are stored (e.g., logged or retained by the AI for continued fine-tuning or future training), prompts may need to be searched if an organization receives a GDPR access request; if a prompt that contains personal data about a requestor is identified, that prompt (or at least the personal data that was included within the prompt) may need to be provided. If, however, prompts are deleted shortly after they are submitted (and prior to the receipt of an access request), or if any personal data contained within a prompt would be redundant of other personal data stored by the organization and provided to the data subject, then prompts would not need to be searched in response to an access request. 

[1] EU Charter of Fundamental Rights at Article 8(2).