Right of Access (Article 15 GDPR)
Every data subject's right to information + a copy of the data
Practitioner's note: This article is practice-oriented compliance documentation, not legal advice. We are a compliance specialist, not a law firm. For legally binding information please consult a licensed lawyer.
TL;DR
Under Article 15 GDPR, every data subject has the right to obtain from the controller confirmation as to whether their personal data are being processed — and, if so, information about the purposes, categories of data, recipients, storage period + a copy of the data. Deadline: 1 month (extendable to 3).
What is the Right of Access (Article 15 GDPR)?
Mandatory information includes (Article 15(1)):
- Processing purposes
- Categories of personal data
- Recipients or categories of recipients
- Storage period or criteria
- Existence of rights to rectification/erasure
- Right to lodge a complaint with the supervisory authority
- Origin of the data
- Automated decision-making (Article 22) — incl. 'meaningful logic' for ADM
Practical example
CJEU C-203/22 (Dun & Bradstreet, 02/2025): in the case of algorithmic decisions, the 'logic involved' must be explainable. Consequence: black-box algorithms are problematic.
Frequently asked questions
Must I provide information free of charge?
Yes, for the first request. For 'manifestly unfounded' or 'excessive' requests, a reasonable fee may be charged (Article 12(5)).
How quickly must I respond?
Within 1 month of receipt. Extension by 2 months is possible, provided the data subject is informed.
Information disclosure to accused parties in German Whistleblower Protection Act (HinSchG) proceedings?
Restricted under Section 29 BDSG — the identity of the whistleblower must not be disclosed.