Help with GDPR: what applies to subject access under Article 15

The right of access is a central element of the General Data Protection Regulation (GDPR). Every data subject has the right to know whether and how their personal data are processed and, where applicable, to obtain access to that data. When organisations need help with GDPR, we provide structured support on both straightforward and complex matters.

What does a subject access request cover?

A subject access request (data subject access request) must include, among other things, information about which personal data are processed, for what purposes, how long they are retained, the categories of recipients, and the rights available to the data subject. It must also state the source of personal data and whether automated decision making occurs. In practice, responses should clearly explain the right of access GDPR and, where relevant, reference Article 15 GDPR.

What requirements apply to handling?

Requests must be answered without undue delay and at the latest within 30 days. This is not a default period to wait; it is the outer limit. The response should be provided as soon as possible, taking account of the scope and complexity of the request. An extension is only possible in specific cases and must be justified. Information must be provided free of charge and in an intelligible form—typically in writing or electronically.

It is therefore vital to be able to swiftly collect and verify all information covered by a subject access request. Personal data may be scattered across different systems, with external processors or suppliers, or in emails and cloud services. Mapping where data are held and who is responsible for compiling them in advance saves time and helps ensure responses are accurate and complete.

Operational considerations for organisations

All organisations should have a defined procedure for receiving, recording, responding to, and archiving requests. This applies even if such requests are infrequent, as a data subject will raise one sooner or later. A clear process reduces the risk of errors and legal consequences and supports robust GDPR compliance support.

It is important to train staff so they know how to handle a subject access request in practice. Incorrect or late responses can lead not only to complaints to the Data Protection Agency but also to loss of trust among customers and users. Clear procedures and well-crafted templates reduce the risk of mistakes and make it easier to meet data subject rights under GDPR.

Help with GDPR: practical support and GDPR legal advice

If you need help with GDPR and the handling of requests concerning rights under the GDPR, we can provide procedures, templates, GDPR legal advice and legal guidance—our GDPR lawyers help you act correctly under Article 15. We also offer GDPR consulting services and targeted GDPR training for employees to strengthen compliance across your organisation.

For comprehensive assistance—from scoping a data subject access request to drafting responses that address the categories of recipients, the source of personal data and any automated decision making—our advisory team delivers pragmatic GDPR legal advice and end-to-end support.