How may an individual request access to personal data under GDPR?
When an individual makes a data subject access request (DSAR) under the GDPR, the company has a legal obligation to handle the request correctly and within the statutory timeframe. This right of access follows from Article 15 GDPR and applies irrespective of whether the request is made orally, in writing or digitally (for example, a digital subject access request).
As the controller, the company must have procedures in place to verify the requester's identity, assess the scope of the request, and respond within one month. In some cases, the response period may be extended by a further two months, but the data subject must be informed of the delay and the reasons for it. The response must be provided without undue delay, so the one-month period is the outer limit only; if the request is straightforward, the response should be provided earlier.
How should companies disclose personal data under GDPR?
Before disclosing personal data, controllers must ensure that the request is legitimate and that disclosure does not infringe another person's rights. For example, check whether the data to be disclosed contains information about other individuals. Information must be provided in a structured, intelligible format, often electronically if the request was itself submitted digitally as a digital subject access request.
Providing personal data is not merely a technical transfer of information; it is also about ensuring effective transparency for the data subject. The company should, among other things, be able to explain the source of the data, for example whether it was collected directly from the data subject or from a third party. Where requests are repetitive or manifestly unfounded, it may be permissible to refuse or charge a fee, which must be clearly justified. A DSAR response template can support consistency, provided it is used with proper legal assessment case by case.
When responding to a request for access, companies should:
- Confirm whether personal data is processed and, if so, provide a copy.
- Inform the data subject about purposes, recipients, retention periods and rights.
- Verify the identity of the requester to protect confidentiality.
Remember that data which does not directly include a name or national ID number, such as internal identifiers, customer behaviour data or IP addresses, may fall within scope if it can be linked to an identifiable person. Using a well-governed DSAR service can help manage scope and format while meeting the GDPR's right-of-access requirements.
Right of access under GDPR: common mistakes and how to avoid them
A common mistake is failing to respond within the deadline set by the GDPR. Although one month may seem generous, many requests require investigation, particularly where information is spread across several systems. The absence of predefined processes or designated contact points can cause unnecessary delays, potentially leading to an infringement—even if the information is ultimately disclosed.
Another mistake is providing an overly narrow or incomplete response. The GDPR sets clear requirements for what an access disclosure must contain; merely providing a copy of the data is not enough. If information on purpose, retention or recipients is omitted, the response is not complete under Article 15. This can also undermine customer or data subject trust and, over time, damage the organisation’s reputation.
Finally, documentation is sometimes overlooked. Under the GDPR accountability principle, you must be able to demonstrate that you acted lawfully and appropriately in handling the request. In practice, the controller needs some form of case documentation (and must ensure a lawful basis for any processing involved). This is not only prudent in the event of scrutiny by the Data Protection Agency but also a tool for internal quality control.
Beyond the substance of the response, the method of disclosure matters. The GDPR requires information to be provided in a manner that is secure, accessible and easy to understand. This may mean restructuring data or adding explanatory text, particularly if the material would otherwise be difficult to interpret or prone to misunderstanding. In addition, companies should maintain clear internal guidelines for secure disclosure workflows. Deficiencies in this area may constitute an infringement and could result in a personal data breach, for instance if the response is sent to the wrong recipient, even if the content itself is correct. A careful, secure disclosure process strengthens both compliance and customer trust. Where appropriate, a tailored DSAR response template can help ensure consistency without sacrificing nuance.
At Morling Consulting, our GDPR specialists help companies across Europe ensure that processes for handling data subject rights meet GDPR requirements and that teams understand how to make a subject access request work effectively in practice.
10 March 2026