Article 15 GDPR: The Right of Access Explained

The right of access under Article 15 GDPR gives every individual the power to find out what personal data any organisation holds about them and to receive a copy. This right applies whether you are a customer, employee, website visitor, or anyone else whose data is being processed.

Key Takeaways

• Article 15 applies to personal data regardless of format, including databases, emails, CCTV footage, and paper files; access to backup systems depends on whether the data can be retrieved and provided without disproportionate effort.

• Controllers must respond within one month; complex cases allow a two-month extension, but the data subject must be notified within the first month.

• The first copy of personal data must be provided free of charge, although a reasonable fee may be charged for additional copies or for requests that are manifestly unfounded or excessive.

• Identity verification is permitted but must remain proportionate; it cannot be used as a barrier to exercising access rights.

• Supervisory authorities treat missed deadlines and partial responses as indicators of systemic non-compliance.

Article 15 sits within Chapter III of the GDPR, which covers all data subject rights. Transparency obligations under Articles 13 and 14 tell people what will happen with their data; Article 15 lets them verify what actually happened.

What Is Article 15 GDPR?

Article 15 gives every individual the right to confirm whether their personal data is being processed and, if so, to receive a copy along with specific supplementary information.

The provision establishes a transparency mechanism. Individuals cannot exercise meaningful control over their personal data if they do not know what is being collected or how it is being used. Article 15 addresses this by requiring data controllers to be open about their processing activities.

The scope covers personal data regardless of how or where it is stored. Paper files, databases, emails, and CCTV footage can all fall within the right of access, while backup systems may also be in scope where personal data can be retrieved from them.

How Do You Make an Article 15 Request?

A subject access request can be submitted through any channel (email, letter, online form, or verbal request); no specific form is required.

To speed up processing, it helps to state clearly that you are making a subject access request under Article 15 GDPR, provide enough information to confirm your identity, and specify which personal data you want if the request relates to particular records.

Identity verification is legitimate, but controllers cannot demand excessive documentation. Proportionate verification might include confirming an email address or account details, providing a copy of ID with irrelevant details redacted, or answering security questions linked to an existing account.

If a controller asks you to narrow your request, you are not obliged to do so. Cooperating can lead to faster, more relevant information, but narrowing is a choice, not a requirement.

How Must Controllers Respond to Article 15 Requests?

Controllers must reply without undue delay and within one month, providing a copy of all personal data being processed along with the supplementary information set out in Article 15(1).

The response must confirm whether personal data is being processed and, where it is, provide a copy of that data along with the purposes of processing, the categories of data concerned, any recipients, retention periods, and information about the data subject’s other rights.

Where a request arrives electronically, the response should be provided in a commonly used electronic format unless the data subject requests otherwise. Controllers must maintain documentation showing when requests were received, what verification steps were taken, what was searched, and the legal basis for any partial refusals.

What Are the Response Timeline Requirements?

The standard deadline is one month from receipt of the request; for complex requests or multiple requests from the same individual, an extension of up to two additional months is permitted, provided the data subject is informed within the first month.

The one-month period generally begins when the controller receives the request, although the response period may be paused while the controller seeks additional information needed to confirm identity. For complex requests involving large volumes of data, multiple systems, or extensive redaction, the deadline can be extended.

When extending, the controller must notify the data subject before the original one-month deadline expires and explain why the extension is necessary. Missed deadlines expose controllers to complaints and enforcement action. Supervisory authorities treat timeline failures as signs of wider systemic problems.

What Fees Can Controllers Charge for Article 15 Requests?

The first copy of personal data must be provided free of charge. Fees may apply to additional copies, and where a request is manifestly unfounded or excessive, the controller may either charge a reasonable fee or refuse to act on it.

What makes a request manifestly unfounded or excessive? Factors include repetitive requests with no change in circumstances, requests designed to cause disruption, and demands that substantially overlap with those that have recently been fulfilled. Fee calculations should reflect actual administrative costs; they cannot be set at a level designed to discourage requests.

What Format and Delivery Standards Apply?

Responses to electronic requests should normally be provided electronically in a commonly used format, and delivery must always be secure to prevent personal data from reaching the wrong person.

Commonly used formats include PDF documents, CSV files for structured data, and ZIP archives for larger collections. Data subjects can specify a preferred format, and controllers should accommodate reasonable preferences, though they are not required to convert data into formats they do not normally use.

Secure delivery methods include encrypted email attachments, authenticated download portals, password-protected files with passwords sent separately, and physical delivery by registered post for paper documents. Sending personal data to the wrong person constitutes a data breach.

What Are the Limits and Exceptions to Article 15?

Access rights are not absolute; controllers can restrict or redact disclosure where it would affect third parties’ rights, reveal trade secrets, or where national law creates specific exemptions.

Article 15(4) specifies that the provision of copies cannot adversely affect the rights and freedoms of others. Where personal data includes information about other identifiable individuals, controllers may need to redact that information unless the third party consents or disclosure is reasonable in the circumstances.

• Trade secrets and intellectual property: proprietary information may be protected in some cases, but this does not automatically remove a controller’s obligation to provide the personal data and other information required by GDPR.

• Legal professional privilege: communications with lawyers about legal advice may be withheld.

• National security and law enforcement: member states can restrict access rights through specific legislation for crime prevention and public security.

Complete refusals are rarely justified. Redaction and partial provision should be the default approach when limitations apply.

What Are the Best Practices for Article 15 Compliance?

Effective compliance depends on documented procedures, an accurate data map, and trained staff who can recognise subject access requests even when the requester does not use technical language.

Clear procedures should document who handles access requests, the escalation paths, and the approval workflows. Front-line staff often receive requests before they reach a data protection team, so they need to know what to do.

Data mapping is a prerequisite. If you do not know where personal data resides across your systems, including emails, third-party platforms, and backup archives, you cannot search comprehensively. Template responses covering common scenarios reduce response time and the risk of omission.

What Documentation and Records Must Controllers Keep?

Maintaining a request log with timestamps, verification steps, systems searched, and response delivery records is a strong accountability practice that helps demonstrate compliance during a regulatory audit.

Records should capture the date the request was received, the requester’s identity, the verification steps completed, the data provided or the reasons for any partial refusal, and confirmation of delivery. These records protect against claims of non-response and support your case if a complaint is lodged with a supervisory authority.

What Are the Common Article 15 Challenges and Solutions?

The most common practical problems are third-party data overlap, large data volumes, and vague requests; each has a workable solution that keeps compliance on track.

Third-party data: personal data often includes names and details of other people, such as names in email threads or family details in HR records. Apply consistent redaction policies and document your reasoning.

Large data volumes: some data subjects have thousands of records across multiple systems. Ask for clarification about what they are seeking without requiring them to narrow the request. Process systematically using automated search tools where available.

Former employees: employment contract data, performance reviews, and disciplinary records may all be requested. Former employees retain the same access rights as current ones.

Cross-border transfers: where data has been sent to third countries, include information about the transfer safeguards relied on under Article 46 in your response.

What Are the Enforcement Outcomes and Penalties Under Article 15?

Penalties for failing to respect access rights can reach €20 million or 4% of annual global turnover, and supervisory authorities treat both incomplete responses and complete non-responses as violations.

Supervisory authorities across EU member states actively investigate Article 15 complaints, and access-rights enforcement remains a focus of ongoing regulatory scrutiny.

Regulators have treated incomplete or inadequate responses to access requests as enforceable GDPR violations, showing that partial compliance can still create significant enforcement risk.

Frequently Asked Questions

Can an organisation refuse an Article 15 request?

Complete refusals are rarely justified. Controllers can redact third-party information, withhold data covered by specific exemptions, and charge fees for excessive requests, but they cannot refuse outright without a specific legal basis. Any refusal must be communicated to the data subject, who can then lodge a complaint with a supervisory authority.

Does Article 15 apply to employees as well as customers?

Yes. Article 15 applies to all individuals whose personal data is being processed, regardless of the relationship. Employees can request access to their personnel files, emails, performance reviews, and any other personal data held about them.

What happens if a controller misses the one-month deadline?

Missing the deadline without having issued an extension notification is a breach of the GDPR. The data subject can complain to the relevant supervisory authority, which can investigate and impose corrective measures or fines. Supervisory authorities treat missed deadlines as indicators of systemic compliance failures.

About the Author

Zlatko Delev

Country Manager & Head of Commercial — GDPRLocal

Zlatko specialises in data protection compliance, ISMS strategy, and AI law. With a legal background and hands-on experience supporting organisations globally, he helps businesses navigate GDPR, the EU AI Act, and international privacy frameworks.