GDPR and the right of access – a practical guide for companies
As a company, you must be able to handle requests from data subjects to access their personal data correctly under the GDPR. Data subjects have the right to request access to their personal data under Article 15 GDPR, and the controller must be able to provide information on, among other things, the purposes of processing, categories of personal data and storage periods. This post outlines the key steps in that process.
We address common practical challenges with access requests, typical questions that arise and how you can ensure compliance. Readers who wish to explore the topic in more depth may also refer to our earlier post on how a person may request personal data under the GDPR.
Data protection lawyer: pitfalls when handling access requests
When an access request is received, several common mistakes can occur if procedures are not in place and clearly defined. A frequent error is failing to respond within the one-month time limit. Another is providing information without appropriate identification, or imposing overly burdensome identification before handling the request.
- Delayed response: Handling is not prompt, so the one-month limit is exceeded, or no shorter internal deadline is set where the scope of the request allows it.
- Insufficient verification: Inadequate or excessively onerous identity verification is applied.
- Personal data breach: Risk that sensitive data is sent without appropriate safeguards.
- Incomplete information: Missing purpose, recipients or retention period required by Article 15.
- No internal documentation: Missing record of processing activities under Article 30 GDPR.
These pitfalls can lead to complaints to the Data Protection Agency. It is therefore essential to have clear processes, secure transfer routines and documentation on how access requests are to be handled – so it is correct every time. Robust GDPR compliance consulting can help design an access request workflow that reduces the risk of GDPR non-compliance.
Examples of what data subjects may request access to
Many data subjects approach companies with specific questions about how personal data is handled. Common examples include questions about how data was collected, where it is stored, which third parties it is shared with and how long it is retained.
- How were my details collected? (for example via a web form).
- For what purposes are my personal data stored and for how long? (retention period).
- Recipients outside the organisation (third parties, processors).
- Is data used for automated decision-making or profiling?
These questions are often asked to check that the processing is lawful and carried out in accordance with the GDPR's rules, including the GDPR's transparency principle and the requirement for a legal basis for processing personal data. Your response must be clear, complete and meet the GDPR's requirements on the right of access. That builds trust and reduces the risk of complaints.
Data protection lawyer and GDPR compliance consulting: a compliance perspective
From a compliance perspective, handling an access request is a tangible way to demonstrate that you meet the GDPR's requirements on transparency, legal basis and documentation. Without procedures, it is difficult to demonstrate responsibility and comply with the accountability principle under Article 5 GDPR.
To ensure compliance, you should implement standardised processes for:
- Identification and verification of identity.
- Responding within one month, or assessing a shorter or longer response time in certain cases.
- Standardised and secure delivery formats (for example encrypted PDF).
- Internal documentation and logging of all requests under Article 30 (record of processing activities).
- Training staff on data subject rights under GDPR.
Implementing these routines supports GDPR compliance for companies and efficient handling of access requests. It also helps in proving GDPR compliance if challenged by a supervisory authority. Where automated decision-making or profiling under the GDPR is in scope, ensure your response addresses the existence of such processing and the underlying logic, as required by Article 15 GDPR.
Managing the GDPR subject access request process is just one area where our data protection lawyer team can assist. We provide practical GDPR compliance consulting and GDPR advisory services to establish an access request workflow, documentation routines and staff training. We can also review your existing procedures for re-alignment with the GDPR.
Our data protection lawyer services operate across Europe to support organisations with the right of access, disclosures of the categories of personal data and broader data subject rights under the GDPR.
Data protection lawyer: key takeaways for the GDPR right of access
- Maintain clear procedures, assign ownership and monitor deadlines for data subject access requests.
- Verify identity proportionately and safeguard disclosures to avoid a personal data breach.
- Ensure responses cover purposes, recipients and retention, and explain any automated decision-making or profiling.
- Keep an up-to-date record of processing activities to enable accurate, timely responses.
Note: Where appropriate, consult a data protection lawyer to tailor processes and reduce the risk of GDPR non-compliance.