GDPR Right of Access: Obligations, Process, and Best Practices for Companies

The Right of Access under Art. 15 GDPR grants data subjects the right to obtain comprehensive transparency regarding the processing of their personal data.

• Goal: To create transparency and enable control over one's own data.
• Core of the Right: The right to know that data is processed, how it is processed, and which data specifically exists.

The Right of Access is the lever data subjects use to enforce their rights (such as erasure or rectification). For companies, compliance has strategic importance:

• Strengthening Data Subject Rights: Users maintain control over their data.
• Transparency Obligation for Companies: Verifiable data processing.
• Early Error Detection: Incorrect or outdated data (Art. 5) can be corrected before resulting in subsequent problems.
• Reducing Misuse Risk: Clearly documented processing.
• Mandatory Deadline: The tight one-month deadline makes processes unavoidable.

The right generally applies to every natural person whose data is processed.

This includes:

• Customers
• Users (even if they haven't made a purchase)
• Employees
• Applicants
• Supplier Contacts
• Website Visitors (if personal data like IPs, tracking IDs are collected)

Companies of all sizes must fulfill access requests—including startups.

The response to an access request consists of two main parts.

Minimum Scope under Art. 15: The Information

The response must include the following information (the meta-information about the processing):

1. Which data is processed: Name, contact info, usage data, contract data, etc.
2. For what purposes the data is processed (e.g., contract performance, marketing, security).
3. Legal bases (Consent, fulfillment of contract, legitimate interest, etc.).
4. Recipients or categories of recipients (e.g., service providers, cloud providers, partners).
5. Storage duration or criteria (Deletion periods, statutory retention periods).
6. Data subject rights (Rectification, erasure, restriction, objection).
7. Source of the data (If not collected directly from the person).
8. Existence of automated decision-making including profiling.

The Copy of the Data

Upon request, a free copy of all personal data must also be provided. This must be supplied in a commonly used, structured, and machine-readable format (as far as technically possible).

Manual processing consumes valuable resources. Efficiency and security are only possible through structure and automation.

1. Maintain a Central Record of Processing Activities (RoPA)

The RoPA (Art. 30) is the blueprint for responding: It lists all systems, purposes, legal bases, and recipients. Without an up-to-date RoPA, every access request becomes a search in a haystack.

2. Define Standard Processes and Roles

Determine who in the company (DPO, IT, Legal, Department Head) is responsible for intake, processing, data extraction, approval, and documentation.

3. Conduct Identity Verification

Always verify the identity of the requester before releasing sensitive data to prevent misuse (e.g., via secured email verification or login through the customer account).

4. Consolidate Central Data Sources

Identify which systems (CRM, HR system, log files, support tools) store personal data, and create a technical capability to quickly consolidate this data.

5. Automate Data Provision

Use tools that allow for automated data extraction from various sources and automatically populate the response templates (the information part).

6. Monitor and Document Deadlines

The response must be provided within one month. Use workflows to monitor this deadline and document all communication (request, identity verification, response) (mandatory!).

7. Create Legally Compliant Response Templates

Use templates that consistently cover all 8 points of Art. 15 to ensure no information is missed.

Abusive or faulty processing of access requests entails far-reaching consequences:

• Fines under Art. 83 GDPR: Violations of data subject rights are severely penalized.
• Claims for Damages from data subjects in case of violation.
• Loss of Trust: Delays or incomplete responses signal a lack of control over one's own data.
• Negative Impact on Audits (e.g., ISO 27001, NIS2): An inefficient or faulty DSR process is considered a deficiency in governance and IT security.
• Increased Risks in Data Breaches: Errors in the access process point to general data inconsistencies.

Access requests are therefore not just a data protection issue, but concern governance, compliance, and IT security.

The Right of Access is one of the central instruments of the GDPR and often a challenge for companies without centralized data management. However, with clear processes, an up-to-date RoPA, and the right technical support, requests can be fulfilled securely, efficiently, and on time.

Those who implement the Right of Access properly use it as an opportunity: You reduce legal risks, strengthen the trust of data subjects, and improve your overall compliance.

Manual processing costs valuable time. Automation is the only scalable solution to reduce processing time from weeks to days and be audit-ready.

How quickly must I respond?

Within one month of receiving the request. In exceptional cases (high complexity or volume), an extension to three months is possible, but this must be justified within the one-month period.

Can I refuse a request?

Yes, for instance, for requests that are manifestly unfounded, excessive, or abusive. However, this is only allowed within narrow limits and must also be justified on time.

Can I charge a fee?

The first disclosure is free of charge. Only for manifestly unfounded or excessive requests (e.g., repeated requests of the same nature in a short period) may a reasonable fee be charged.

How do I correctly provide the data copy?

Electronically, structured, and machine-readable—if technically feasible. The transmission must take place via a secure channel, as it involves sensitive personal data.

Do I also have to search files in backups?

No. If data is only stored in backups (which serves the purpose of restoration), you do not have to actively search them. However, you must communicate that they reside there inertly and will be deleted upon the expiration of the backup cycles.