Skip to main content

Access Requests under the GDPR

| Categories: General Obligations; Consumer Rights;

Access requests

So-called "data subjects", including consumers and employees of B2B business partners, have several rights under the EU Data Protection Regulation (GDPR). In practice, one of the most relevant of these is the right to access under Art. 15 GDPR. It entitles natural persons in the EU to request information from businesses acting as data controllers on how they use the personal information on the respective inquirer.

Who is entitled to the right to access?

Within the scope of the GDPR, a company is required to grant access requests to any individual whose personal information are collected, retained, used, or otherwise processed. This may include EU consumers as well as employees of EU business partners, irrespective of whether they already purchased goods or services (customers) or not (leads, vendors). Also, it does not make any difference if the collection of personal information is part of a non-chargeable service, e.g. in the context of registering free user accounts or subscribing to newsletters.

Data subjects may only request access from the data controller, i.e. the company “which, alone or jointly with others, determines the purposes and means of the processing of personal data” (Art. 4(7) GDPR). Data processors, meaning vendors processing “personal data on behalf of the controller” (Art. 4 (8) GDPR), such as many SaaS, hosting, IT maintenance, cloud or accounting service providers, must not comply with such requests themselves, but may refer them to their respective B2B customers instead, which are primarily responsible under the GDPR.

What information is covered by the right to access?

Under Art. 15 GDPR, data controllers must provide the data subject with the following information upon request:

  • the purposes of the processing (e.g. distribution of marketing e-mails, delivery of goods, details on how the personal information is used for rendering contractually agreed services);
  • the categories of personal data concerned (e.g. name, e-mail, postal address, behavioral data when using an online service);
  • the recipients or categories of recipient to whom the personal data have been or will be disclosed, in particular recipients in third countries (e.g. marketing partners, categories of vendors with whom the data are shared);
  • where possible, the envisaged period for which the personal data will be stored, or, if not possible, the criteria used to determine that period (e.g. retention periods based on internal data retention policies);
  • the existence of the right to request from the controller rectification (Art. 16 GDPR) or erasure (Art. 17 GDPR) of personal data or restriction of processing (Art. 18 GDPR) concerning the data subject or to object to such processing (Art. 21 GDPR);
  • the right to lodge a complaint with a supervisory authority;
  • where the personal data are not collected from the data subject, any available information as to their source (e.g. data collected from the internet, auto-enriched leads in CRM tools, information obtained from marketing partners);
  • information on whether the data is subject to automated decision-making (Art. 22 GDPR), and, if applicable, meaningful information about the logic involved, as well as the significance and the envisaged consequences of such processing for the data subject.

In addition to this explanatory information, data subjects are entitled to obtain a copy of the personal information undergoing data processing pursuant to Art. 15(3) GDPR. According to recent rulings by German courts (OLG Köln, judgement of 26 July 2019 – 20 U 75/18), such copy is not restricted to master data, but comprises, amongst others, memos relating to communication with the inquirer.

Consequently, the data controller must gather all information on the respective inquirer from its databases (e.g. CRM, emails, mobile app data logging, order history, etc.) and provide him or her with a copy. It can be in the form as the data is available to the data controller without additional preparation, however, in case the request is made electronically, the information must be provided in a commonly used electronic form. Therefore, information processed through a software using its own data format, data controllers may have to convert it to more common file types like PDF.

What else should be taken into account when processing access requests?

The GDPR stipulates further requirements for data controllers in the context of complying with access requests by data subjects. These include:

  • Data controllers must process access requests “without undue delay and in any event within one month of receipt of the request” (Art. 12(3) GDPR). This period may be extended up to 3 months, taking into account the complexity and number of the requests, however, data controllers must explain the reasons for the delay to the inquirer within one month.
  • Processing access request must be granted free of charge, unless the request is manifestly unfounded or excessive (e.g. exercising the right to access on a weekly basis), or in case the inquirer requests further copies of all personal information concerning him or her. Whether the data controller is entitled to charge a reasonable fee or to refuse to act on the request should be assessed on a case-by-case basis.
  • Unless otherwise requested by the data subject, the information must be provided in electronic form in case the request was filed electronically (e.g. via e-mail, or by using an “access request”-feature within a login area of a website or mobile app).
  • Data controllers should verify the identity of the individual filing an access request before processing it in order to avoid unauthorized disclosure of personal information to third parties (e.g. by asking security questions on the telephone).
  • Any communication following an access request must be “in a concise, transparent, intelligible and easily accessible form, using clear and plain language, in particular for any information addressed specifically to a child” (Art. 12(1) GDPR).

How do we put this into practice?

Timely processing of access request can be burdensome and straining for personnel resources. Particularly where personal information on a data subject is spread among various departments or databases, gathering such data may require significant efforts. Some IT vendors like Microsoft provide information on how to process access requests concerning data processed with their products.

Companies are advised to implement standardized procedures on how to process access requests, including templates for responses and internal attribution of responsibilities. Depending on the amount of expected access requests and estimated costs, companies may consider checking the market for GDPR compliance software tools helping them to comply with GDPR requirements.

GDPR Updates for non-EU companies

Are you compliant with the GDPR?

Under Art. 27 of the GDPR, many non-EU companies must appoint an EU GDPR Privacy Representative. To find out now if your company is subject to this obligation

take the test

Who is EU-REP.Global?

We are data protection service provider based in Germany, focused on compliance services under the EU General Data Protection Regulation. If you want to know more,

go to FAQ

International Applicability

International Applicability of the EU GDPR

The EU General Data Protection Regulation (GDPR), a major privacy law introduced by the European Union in May 2018, not only shook up the business of data-driven digital service providers but keeps affecting companies of any size and any industry all over the world. Many executives, IT managers and...

Continue reading

Brexit: Implications on Privacy Compliance

Almost four years after the citizens of the United Kingdom have voted in favor of leaving the European Union in a referendum, Brexit is finally approaching on 31 January 2020. Since the General Data Protection Regulation (GDPR) is part of the EU legal framework which will, in principle, cease to...

Continue reading
Highest GDPR fine

14.5 Million Euro: Highest GDPR Fine in Germany for Unlimited Data Retention

A German real estate company has been fined 14.5 million Euro for infringing the EU General Data Protection Regulation (GDPR) by the data protection authority of Berlin, who publicly reported on this case in a press release on 5 November 2019. It constitutes the highest fine that has been issued in...

Continue reading