Right of access
The right of access under Art. 15 GDPR entitles data subjects to obtain confirmation that their personal data is being processed, a copy of that data and a range of accompanying information from the controller.
The right of access is one of the core data subject rights under the General Data Protection Regulation and is set out in Art. 15 GDPR. It comprises three components: the right to obtain confirmation as to whether or not personal data concerning the data subject is being processed, the right to access that data itself, and a set of accompanying mandatory information. The right of access therefore gives the data subject transparency about what a controller knows about them and forms the basis for exercising further rights such as rectification, erasure or objection.
The information to be provided under Art. 15(1) GDPR includes, among other things, the purposes of the processing, the categories of personal data concerned, the recipients or categories of recipients, the envisaged storage period or the criteria used to determine it, the existence of the rights to rectification, erasure, restriction and objection, the right to lodge a complaint with a supervisory authority, the source of the data where it was not collected directly, and the existence of automated decision-making including profiling. Where data is transferred to a third country, information about the appropriate safeguards under Art. 46 GDPR must also be supplied. In addition, the data subject is entitled under Art. 15(3) GDPR to a copy of the personal data undergoing processing.
As a rule, the controller must comply with the request free of charge and without undue delay, and at the latest within one month of receipt; this period may be extended by a further two months for complex or numerous requests. Before providing access, the controller must verify the requester's identity by proportionate means in order to prevent disclosure to an unauthorised person. The information provided must also not adversely affect the rights and freedoms of others, which means that trade secrets or third-party data may need to be redacted in individual cases. Where a request is manifestly unfounded or excessive, the controller may charge a reasonable fee or refuse to act, but it bears the burden of demonstrating that the request has this character.
Legal Basis
Art. 15 GDPR; Art. 12 GDPR (modalities and time limits)
Practical Example
A former employee asks their previous employer for access to all data stored about them. The data protection coordinator gathers the information from the personnel file, payroll, email archive and access-control system, compiles a structured response covering purposes, recipients and retention periods, and provides a copy of the data. Before sending it out, they verify the requester's identity and redact personal data of other employees contained in individual emails in order to safeguard their rights. The complete response is sent within the one-month deadline and documented for accountability purposes.