The right of access that the GDPR grants under Article 15 is one of the most significant data subject rights in the regulation. It empowers individuals to find out whether an organization processes their personal data, to obtain a copy of that data, and to receive detailed supplementary information about how and why the processing takes place. For organizations operating in the European Economic Area, understanding and operationalizing this right is a legal obligation with substantial enforcement consequences.
According to the European Data Protection Board, access requests represented approximately 36% of all complaints lodged with national supervisory authorities across the EU. The ICO’s enforcement tracker confirms a parallel trend in the United Kingdom, with access-related complaints increasing steadily year over year. These figures underscore a critical reality: individuals are exercising the right of access the GDPR provides with growing frequency, and organizations that cannot respond properly face both regulatory and reputational consequences.
This guide explains the scope of the right, what information must be disclosed, how to build a compliant response process, and the consequences of getting it wrong.
What Does the Right of Access Cover Under Article 15?
The right of access under Article 15 of the GDPR is broader than many organizations realize. It is not limited to handing over a database extract. The data subject is entitled to confirmation of whether their personal data is being processed and, where it is, to receive all of the following:
- A copy of the personal data undergoing processing
- The purposes of the processing and the categories of personal data concerned
- The recipients or categories of recipients to whom data has been or will be disclosed
- The envisaged period for which the data will be stored, or the criteria used to determine that period
- The existence of the right to request rectification, erasure, or restriction, and to object to processing
- The right to lodge a complaint with a supervisory authority
- Where data was not collected from the data subject, all available information about the source
- The existence of automated decision-making, including profiling, with meaningful information about the logic involved
This list is exhaustive and mandatory. The EDPB’s Guidelines on the Right of Access clarify that controllers must proactively provide all of the above alongside any copy of personal data, rather than waiting for the individual to specifically request each element.
In practical terms, the right of access the GDPR establishes in Article 15 is the legal basis for what organizations commonly call a data subject access request (DSAR). Every DSAR is an exercise of the right of access. Article 15 defines the full scope of obligations: not just producing the data, but providing all the supplementary information listed above. An organization that delivers a data export without the accompanying contextual information has not fully complied.
Regarding format, Article 15(3) states that where the request is made by electronic means, the information must be provided in a commonly used electronic format. This does not mean the data must arrive in a structured, machine-readable format; that obligation belongs to the right to data portability under Article 20. However, the response must be concise, transparent, and written in clear, plain language as required by Article 12(1).
Building a Compliant Response Process
A reliable internal process is essential for handling access requests as the GDPR requires. A 2024 IAPP-EY Governance Report found that 58% of organizations still lack a fully automated workflow for responding to access requests, leading to delayed or incomplete responses. The following framework, grounded in core data privacy principles, provides a structured approach.
Acknowledge the Request and Verify Identity
Upon receiving a request, log it immediately. Accurate record-keeping is a requirement of the accountability principle. Before disclosing any personal data, verify the requester’s identity under Article 12(6). The verification measures must be proportionate: a controller should not demand a passport copy when an account login would suffice. Recital 64 emphasizes that controllers should use all reasonable measures to verify identity, especially in an online context.
Locate All Relevant Data
Conduct a comprehensive search across every system where the requester’s personal data may reside. This includes CRM databases, email servers, HR systems, marketing platforms, backup archives, and data held by any data processor acting on your behalf. Article 28(3)(e) requires processors to assist the controller in responding to data subject requests, so ensure your processing agreements include this obligation.
Organizations with fragmented data environments frequently struggle at this stage. A Cisco Data Privacy Benchmark Study found that the average enterprise stores personal data across more than a hundred distinct applications and services. Without a current record of processing activities, locating all relevant data within the statutory timeframe becomes extremely difficult.
Review, Redact, and Respond
Before disclosure, review the retrieved data to ensure it does not contain the personal data of third parties. Where information about other individuals is intertwined with the requester’s data, redaction is typically necessary. The response must be delivered without undue delay and within one calendar month of receipt. Under Article 12(3), this deadline may be extended by up to two additional months for complex requests, provided the data subject is informed of the delay within the initial period.
The first copy must be provided free of charge. Article 15(3) permits controllers to charge a reasonable fee for any further copies. Under Article 12(5), if a request is manifestly unfounded or excessive, the controller may charge a reasonable fee or refuse to act, though the burden of demonstrating the manifestly unfounded or excessive character falls on the controller.
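The Article 12(3) timing rules above (one calendar month from receipt, an extension of at most two further months, and notification of the extension within the initial month) are the step most often mishandled in a DSAR workflow. The following Python tracker is an added example, not code from the article or from Legiscope; the clamping rule for month ends (31 January plus one month lands on the last day of February) is an assumption, since the article does not state how month-end dates are handled.

```python
import calendar
from dataclasses import dataclass
from datetime import date
from typing import Optional


def add_months(d: date, months: int) -> date:
    """Advance d by whole calendar months. Where the target month has no
    matching day (e.g. 31 January + 1 month), clamp to the last day of that
    month. This clamping rule is an assumption, not something the article states."""
    idx = d.month - 1 + months
    year, month = d.year + idx // 12, idx % 12 + 1
    return date(year, month, min(d.day, calendar.monthrange(year, month)[1]))


def initial_deadline(received: date) -> date:
    """Article 12(3): respond without undue delay and within one month of receipt."""
    return add_months(received, 1)


@dataclass
class AccessRequest:
    """Minimal DSAR record: receipt date plus any Article 12(3) extension."""
    received: date
    extension_months: int = 0
    extension_notified_on: Optional[date] = None

    def extend(self, months: int, notified_on: date) -> date:
        """Record an extension. It is only valid if it is at most two further
        months and the data subject was informed within the initial month."""
        if not 1 <= months <= 2:
            raise ValueError("extension may be at most two additional months")
        if notified_on > initial_deadline(self.received):
            raise ValueError("extension must be notified within the initial one-month period")
        self.extension_months, self.extension_notified_on = months, notified_on
        return self.deadline()

    def deadline(self) -> date:
        """Effective response deadline, including any recorded extension."""
        return add_months(self.received, 1 + self.extension_months)

    def is_overdue(self, today: date) -> bool:
        return today > self.deadline()


if __name__ == "__main__":
    # Constructed sample: request received on 31 January of a leap year.
    req = AccessRequest(received=date(2024, 1, 31))
    print("initial deadline:", req.deadline())  # 2024-02-29 under the clamping assumption
```

A request logged on receipt with this structure gives the accountability record Article 12 expects and makes a late or improperly notified extension impossible to record silently.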
What Are the Consequences of Non-Compliance?
Failing to honor the right of access the GDPR mandates carries significant penalties. Under Article 83(5)(b), infringement of data subject rights can result in administrative fines of up to 20 million EUR or 4% of annual global turnover, whichever is higher. Enforcement in this area is active and increasing. The Italian supervisory authority (Garante) has fined organizations for systematic failures in responding to access requests, and the Spanish AEPD issued over 400 decisions related to access rights in a single year.
Beyond fines, non-compliance often triggers a cascade of further problems. An unresolved access request can escalate into a formal complaint, a supervisory authority investigation, and ultimately an enforcement order. Where an organization has experienced a data breach, access requests frequently surge as affected individuals seek to understand the extent of exposure. Failing to respond during that critical period compounds both regulatory and reputational damage.
The right of access also interacts closely with other data subject rights. An individual who receives their data under Article 15 may subsequently exercise their right to erasure under Article 17 or request rectification under Article 16. Building an integrated process for managing all data subject rights, overseen by a qualified Data Protection Officer, is the most effective way to manage these interdependent obligations.
Restrictions and Exemptions to the Right of Access
Article 15 is not absolute. Article 23 of the GDPR permits EU Member States to restrict the scope of the right of access through legislative measures where the restriction is necessary and proportionate to safeguard specific objectives, including national security, defense, public security, and the prevention or prosecution of criminal offenses.
At the controller level, Article 15(4) provides that the right to obtain a copy of personal data must not adversely affect the rights and freedoms of others. This is the basis for redacting third-party data from responses. Recital 63 further specifies that the right of access should not adversely affect trade secrets or intellectual property.
In practice, these exemptions are narrow and must be applied on a case-by-case basis. A blanket refusal to comply with an access request on the basis of trade secrets, without a specific assessment, would not withstand regulatory scrutiny.
FAQ
How long does an organization have to respond to a right of access request?
The controller must respond within one calendar month of receiving the request. This period may be extended by up to two additional months where the request is complex or multiple requests are received, but the data subject must be informed of the extension within the initial one-month window.
Is the right of access available to non-EU residents?
The GDPR applies based on the location of the data subject at the time of data collection, not their nationality or residence. If an organization processes personal data in the context of offering goods or services to individuals in the EEA, or monitors the behavior of individuals in the EEA, then those individuals can exercise the right of access regardless of their citizenship.
Can an organization charge for providing access to personal data?
The first copy must be provided free of charge. For additional copies, the controller may charge a reasonable fee reflecting administrative costs. If the request is manifestly unfounded or excessive, the controller may either charge a reasonable fee or refuse to act entirely, but must be able to demonstrate why the request meets that threshold.
What should a data subject do if their access request is denied?
The data subject may lodge a complaint with the relevant supervisory authority in their Member State. They also have the right to an effective judicial remedy under Article 79 of the GDPR. The controller is required to inform the data subject of these options in any refusal notice.