The right of access to personal data – process, obligations and lawful handling
The right of access under article 15 GDPR is among the most fundamental of the data subject rights conferred by the GDPR. It entitles an individual to know whether an organisation processes personal data about them and, if so, to obtain access to that data. This strengthens individuals’ control over their personal data and creates a clear obligation on controllers to act openly and transparently.
For organisations, this entails a duty to respond to a request for access to personal data promptly, accurately and in a structured way. This places demands on internal processes and staff competence, as a careless or incomplete response may lead to supervision, administrative fines or reputational harm. The stakes are higher where processing is extensive or otherwise sensitive.
Designing an internal process for the right of access to personal data
A well-functioning internal process is critical to handle a data subject access request lawfully and on time. The GDPR requires a response within one month of receipt, with the possibility of an extension for complex requests. That deadline does not mean the controller always “has a month”; the time actually available depends on what the data subject asks for. For example, if the enquiry concerns whether an email address is used for digital direct marketing, such a request should be answered much faster, potentially within a day or two depending on the circumstances of the case.
This requires clear procedures, appropriate technical solutions and internal allocation of responsibility. Procedures should cover not only timelines but also how the organisation will conduct the necessary assessments. The following elements should be considered:
- Receipt: A central channel (for example, dataprotection@yourcompany.com) reduces the risk of missing a request.
- Identification: Verify the requester’s identity before disclosing anything, so that personal data is not released to someone impersonating the data subject; particularly robust measures are required if sensitive data is involved (for example, strong electronic identification such as BankID).
- Documentation: Log all actions, including timestamps and content, to evidence compliance if challenged. This logging is itself processing of personal data, so its legal basis must be established.
- Assessment: Determine scope – which data is covered? Do any exemptions apply (for example, third-party rights)?
- Disclosure: Use a secure method to provide the data, for example encrypted file transfer.
The process should be tested regularly and embedded in the relevant functions, including IT, HR and customer service. It is also prudent to create standardised response templates to ensure consistency and reduce the risk of non-compliance.
How to respond lawfully to a request for access to personal data
A compliant response to a request for access to personal data must be complete, intelligible and provided without undue delay. It is not enough to send the personal data; the information must be presented in a structured manner and include all elements set out in article 15 GDPR. In practice, this is the core of the right of access to personal data and a key aspect of data subject access rights.
- Acknowledgement: Acknowledge receipt and indicate when a response will be provided.
- Processing information: Specify which personal data are processed, the purposes of processing and the storage periods.
- Provision of data: Attach a copy of the relevant personal data in an easily accessible format.
- Supplementary information: Inform the individual of the rights to rectification, erasure, restriction, to object to processing, and to lodge a complaint with the Data Protection Agency.
If certain data are withheld, for example because they concern a third party, this must be clearly justified. The same applies if a request is refused – a legally grounded justification is required. It is equally important to document such decisions on the file, including timestamps and the functions involved. These points apply whether the enquiry is framed as a data subject access request or more generally as a request for access to personal data.
Sanctions, practice and proactive compliance for the right of access to personal data
The Data Protection Agency has in several decisions emphasised the importance of responding correctly to a request for access to personal data. Deficient handling can result in reprimands and administrative fines – particularly where shortcomings are repeated or systemic.
By working proactively on procedures, training and technical readiness, risks can be significantly reduced. This is not only about regulatory compliance, but also about building trust with customers, employees and other data subjects across Europe.
Morling Consulting’s GDPR consultants advise on the end-to-end process – from mapping personal data flows and establishing documented procedures to training staff and supporting concrete requests under article 15 GDPR. We also review existing processes and propose improvements from a data protection perspective.
In short, robust governance of the right of access to personal data supports compliance, reduces the risk of enforcement and strengthens stakeholder confidence.