GDPR Article 15 Explained: A Complete Guide to the Right of Access

The General Data Protection Regulation (GDPR) gives individuals a powerful set of rights over their personal data, and Article 15 is one of the most important. It grants every person the Right of Access — the ability to know whether an organization processes their personal data, what data is being processed, why, where, and how.

For organizations, Article 15 is often the most demanding right to fulfill, because a data subject access request (DSAR or SAR) requires thorough verification, careful data retrieval, and strict deadlines. At the same time, it is central to GDPR transparency and accountability.

This article explains GDPR Article 15 in depth, breaks down all obligations, outlines how businesses should respond to access requests, and provides real examples and best practices.


What Is GDPR Article 15?

Article 15 of the GDPR is titled “Right of access by the data subject.”
It gives individuals the right to obtain:

  1. Confirmation that their personal data is being processed
  2. Access to that personal data
  3. Additional information about the processing

In plain terms, Article 15 lets people say:
“Tell me what you know about me, why you have it, where it came from, who you share it with, and give me a copy.”

This empowers individuals to:

  • Understand how companies use their information
  • Evaluate whether processing is lawful
  • Check accuracy
  • Exercise other rights (rectification, erasure, objection)
  • Hold organizations accountable

For companies, Article 15 requests must be handled carefully because any mistake—missing information, late responses, incomplete disclosure—could lead to a complaint or fine.


What Can Individuals Ask for Under Article 15?

A data subject can request both confirmation and complete access to their data.

The request does not need special wording. A simple message such as:

  • “What personal data do you have about me?”
  • “I want to access my data.”
  • “Give me a copy of everything you store about me.”

is legally a valid request.

GDPR requires organizations to provide:

1. Confirmation of whether personal data is processed

Even if no data exists, you must respond.

2. A copy of all personal data

This includes:

  • Contact information
  • Account details
  • Communication logs
  • Website activity logs (if linked to the user)
  • Purchase history
  • Support messages
  • CCTV footage (if the person can be identified)
  • IP logs (if linked)
  • Cookies or behavioral data tied to an identifiable profile

Essentially: if the data is about the person, they are entitled to access it.

3. All information listed in Article 15(1)

This includes:

  • Purposes of processing
  • Categories of personal data
  • Recipients of data
  • Retention periods
  • Source of data (if not collected directly)
  • Information about automated decision-making
  • Details of international transfers and safeguards
  • The existence of other GDPR rights

This mirrors the transparency obligations of Articles 13 and 14, but Article 15 requires delivering the information on request.


Why Article 15 Exists: Empowerment and Transparency

Without Article 15, individuals would have no way to understand:

  • How companies use their data
  • Whether data is being sold or shared
  • Whether data has been breached
  • Whether data is accurate
  • Whether the company complies with GDPR

Article 15 allows individuals to verify how their data is treated and decide whether they want it corrected, limited, or erased. It also exposes unlawful or excessive processing.

For regulators, Article 15 is a cornerstone of privacy protection—many investigations begin when an individual’s access request reveals data misuse.


Deadlines: How Fast Must Companies Respond?

GDPR gives strict timelines.

Deadline: One Month

Companies must respond within one month after receiving the request.

They may extend the deadline by two additional months only if the request is complex or voluminous. In that case, they must inform the data subject within the first month and explain why an extension is needed.

Requests Must Be Free

Access requests must be fulfilled free of charge, unless:

  • The request is “manifestly unfounded,” or
  • The request is excessive or repetitive

Even then, companies must justify charging a fee.


Identity Verification Requirements

Before disclosing data, companies must ensure the request is legitimate. Verification must be reasonable and proportional.

Examples of valid verification:

  • Confirming email ownership
  • Verifying account login
  • Asking for ID if the data is sensitive
  • Asking for additional information if necessary

Organizations cannot demand excessive or irrelevant documents.

Verification protects both the company and the individual from improper disclosure — because giving someone else access to another person’s data can lead to serious GDPR violations.


What a Complete Article 15 Response Must Include

A valid response must contain both:

A) A copy of the personal data

AND

B) All required Article 15 transparency information

The response must be provided in a:

  • Concise
  • Transparent
  • Intelligible
  • Easily accessible
  • Machine-readable

format.

Common formats:
PDF, CSV, JSON, Excel export, or structured email.


Types of Personal Data That Must Be Included

A company must include all data that directly or indirectly identifies the individual.

1. Data provided by the individual

Examples:

  • Registration details
  • Profile information
  • Emails sent to customer support
  • Uploaded documents

2. Data observed about the individual

Examples:

  • Activity logs
  • Device identifiers
  • IP addresses
  • Clickstream data
  • Cookie data
  • Location logs
  • Usage metrics

If the data relates to the person and identifies them, it is included.

3. Data derived or inferred by the company

This is where companies often fail.

Derived or inferred data includes:

  • Credit scores
  • Risk profiles
  • Predicted behavior
  • Segmentation categories
  • Automated decision-making outputs

Article 15 requires disclosing these because they form part of the person’s “profile.”

4. Records, logs, and metadata

Examples:

  • Time stamps
  • Communication logs
  • Internal notes about the individual
  • Call recordings
  • CCTV footage

If internal notes contain opinions or assessments, they must also be included unless exempt (e.g., legally privileged).


What Must NOT Be Shared: Limits and Exemptions

Article 15 outlines one of the broadest GDPR rights, but there are important limits.

Companies may refuse to share:

1. Data about other people

If access would reveal third-party personal data, it must be redacted unless:

  • The third party consents
  • Redaction is impossible but disclosure is necessary and lawful

2. Confidential business information

Trade secrets or proprietary algorithms do not need to be revealed, but the company must still explain the logic behind automated decisions.

3. Legally privileged information

For example:

  • Communications with legal counsel
  • Documents prepared for litigation

4. Data used for the prevention or detection of crime

Access can be restricted if disclosure would undermine investigations.

5. Manifestly unfounded or excessive requests

But this is interpreted very narrowly by regulators.


How Businesses Should Respond to Article 15 Requests: Step-by-Step

A well-designed DSAR process protects the organization and ensures compliance.

Step 1: Receive and log the request

Any channel counts: email, support form, social media message, verbal request.
Create an internal record with:

  • Timestamp
  • Communication channel
  • Identity information
  • Scope of request

Step 2: Verify identity

Use reasonable, proportional checks.
Do not request unnecessary documents.

Step 3: Identify the data systems involved

This may include:

  • CRM
  • Email systems
  • Analytics platforms
  • Databases
  • Payment processors
  • HR systems
  • Customer support tools
  • Third-party processors

Step 4: Collect all relevant data

Ensure you include all:

  • Raw data
  • Logs
  • Inferences
  • Internal notes
  • Historical data

Avoid over-disclosure (e.g., data about other individuals).

Step 5: Apply redactions if needed

Remove:

  • Third-party information
  • Confidential company secrets
  • Legally privileged content
  • Security-sensitive details

Step 6: Prepare the privacy explanation

Include all Article 15 transparency details.

Step 7: Deliver the response securely

Use an encrypted channel, secure email, portal, or password-protected file.

Step 8: Close and document the request

Record:

  • Date of completion
  • Format used
  • Any exemptions applied
  • Data provided
  • Identity verification steps

Maintaining records protects against complaints.
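The deadline rules above and Steps 1, 5, 6 and 8 of the process translate naturally into a small case tracker. The following is an added example written for this article, not code from the original page or from any DSAR product: it records a request, computes the one-month due date (plus two months only after an extension notified within the first month), masks the third-party fields in a constructed export while logging what was masked, and checks which Article 15(1) transparency items are still missing. The field names, the `THIRD_PARTY_FIELDS` map and the sample export are all constructed for the demonstration, and the month-end clamping in `add_months` is an engineering assumption to confirm with counsel.

```python
"""
Added example: a minimal Article 15 (DSAR) case tracker. Illustrative code written
for this article, not code from the original page or any named product. Field names,
the third-party field map and the sample export are constructed for the demonstration.
"""
from __future__ import annotations

import calendar
import copy
from dataclasses import dataclass, field
from datetime import date

# Article 15(1) items a complete response must cover (key names are this example's own)
TRANSPARENCY_ITEMS = (
    "purposes", "categories", "recipients", "retention_period", "source",
    "automated_decision_making", "international_transfers", "other_rights",
)

# Export fields that belong to someone other than the requester (constructed mapping)
THIRD_PARTY_FIELDS = {"orders": {"gift_recipient_name", "gift_recipient_phone"}}


def add_months(d: date, months: int) -> date:
    """Same calendar day N months later; clamp to month end if that day does not exist.
    Assumption: clamping (31 Jan + 1 month -> 29 Feb 2024) is an engineering choice."""
    idx = d.month - 1 + months
    year, month = d.year + idx // 12, idx % 12 + 1
    return date(year, month, min(d.day, calendar.monthrange(year, month)[1]))


@dataclass
class AccessRequest:
    """Step 1 record: when the request arrived, through which channel, and what it asked."""
    request_id: str
    received: date
    channel: str
    scope: str
    verification_steps: list[str] = field(default_factory=list)
    extended: bool = False
    extension_reason: str = ""
    exemptions: list[str] = field(default_factory=list)
    completed: date | None = None

    @property
    def due(self) -> date:
        # One month from receipt; two further months only after a recorded extension
        return add_months(self.received, 3 if self.extended else 1)

    def extend(self, today: date, reason: str) -> None:
        # The extension and its reason must be communicated within the first month
        if today > add_months(self.received, 1):
            raise ValueError("extension must be notified within the first month")
        if not reason.strip():
            raise ValueError("an extension needs a stated reason")
        self.extended, self.extension_reason = True, reason

    def is_overdue(self, today: date) -> bool:
        return self.completed is None and today > self.due


def redact_third_parties(export: dict) -> tuple[dict, list[str]]:
    """Step 5: mask other people's data in a copy of the export; log each masked field."""
    redacted, log = copy.deepcopy(export), []
    for section, fields in THIRD_PARTY_FIELDS.items():
        for i, record in enumerate(redacted.get(section, [])):
            for name in sorted(fields.intersection(record)):
                record[name] = "[REDACTED: third-party personal data]"
                log.append(f"{section}[{i}].{name}")
    return redacted, log


def missing_transparency_items(response: dict) -> list[str]:
    """Step 6 check: which Article 15(1) items are absent or empty in the response."""
    info = response.get("transparency", {})
    return [k for k in TRANSPARENCY_ITEMS if not info.get(k)]


def build_response(req: AccessRequest, export: dict) -> dict:
    """Steps 5, 6 and 8 together: redact, note the gaps, record the exemption applied."""
    data, log = redact_third_parties(export)
    if log:
        req.exemptions.append("third-party personal data redacted")
    return {"request_id": req.request_id, "due": req.due.isoformat(), "data": data,
            "redactions": log, "missing_transparency_items": missing_transparency_items(data)}


# Constructed sample export for the demonstration; not real customer data
SAMPLE_EXPORT = {
    "account": {"email": "requester@example.com", "name": "Requester Example"},
    "orders": [
        {"order_id": "A-1001", "total": "49.90", "gift_recipient_name": "Someone Else",
         "gift_recipient_phone": "+00 000 000"},
        {"order_id": "A-1002", "total": "12.00"},
    ],
    "transparency": {"purposes": "order fulfilment, support", "categories": "contact, orders",
                     "recipients": "payment processor, courier", "retention_period": "7 years"},
}

if __name__ == "__main__":
    req = AccessRequest("DSAR-0001", date(2024, 1, 31), "email", "all data held",
                        verification_steps=["email ownership confirmed"])
    print(req.due)  # 2024-02-29
    print(build_response(req, SAMPLE_EXPORT))
```

Running the module shows the two things teams most often get wrong: the redaction log gives Step 8 an auditable record of exactly which third-party fields were withheld, and `missing_transparency_items` flags that the sample response still lacks the source, automated decision-making, international transfer and other-rights information, so it would be an incomplete Article 15 response despite containing all the raw data.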


Examples of Article 15 in Real Situations

Example 1: A customer requests access to e-commerce account data

A customer writes, “I want a copy of all data you hold about me.”

The company must provide:

  • Account information
  • Order history
  • Stored addresses
  • Payment metadata
  • Emails exchanged with support
  • Website tracking data linked to the customer’s login
  • Retention policies
  • Data recipients

Example 2: A former employee requests access

HR must gather:

  • Employment files
  • Performance evaluations
  • Payroll data
  • Attendance records
  • Internal notes (unless legally privileged)
  • Email logs (if identifiable)
  • Benefits data

Example 3: A user wants their behavioral profile

A social media company must provide:

  • Likes, shares, time spent on content
  • Segmentation categories
  • Algorithmic inferences
  • Ad interest profiles
  • Data shared with advertisers

Example 4: CCTV access

If a person appears in store CCTV footage and is identifiable, the store must provide access unless:

  • Footage includes many third parties (redaction may be needed)
  • Footage is already overwritten
  • Exemption applies for security operations


Common Mistakes Companies Make With Article 15 Requests

Even well-organized companies struggle with DSAR compliance. Frequent mistakes include:

  • Missing the one-month deadline
  • Providing the raw data without the Article 15 transparency information
  • Forgetting inferred data
  • Not including data from third-party processors
  • Over-redacting or under-redacting
  • Asking for excessive verification documents
  • Sharing data insecurely
  • Failing to log and document the process
  • Partial responses that violate GDPR

Supervisory authorities often treat incomplete responses as non-compliance.


Why Article 15 Compliance Matters More Every Year

The number of DSARs has increased across Europe because:

  • People are more aware of their rights
  • Data breaches make individuals want to check their stored information
  • Employees use Article 15 in employment disputes
  • Privacy activists use access requests to expose violations
  • AI and algorithmic profiling increase data concerns

Regulators also use Article 15 as a tool during investigations. A company that fails DSAR obligations may face:

  • Fines
  • Audits
  • Orders to change processing
  • Reputational damage

Article 15 remains one of the strongest transparency mechanisms in GDPR enforcement.


Conclusion: Article 15 Is a Foundational GDPR Right That Requires Careful Handling

GDPR Article 15 gives individuals a powerful tool to understand and control their personal data. For organizations, it requires:

  • Efficient internal processes
  • Clear documentation
  • Accurate data mapping
  • Secure communication
  • Awareness of exemptions and limits

A well-implemented DSAR process demonstrates privacy maturity, reduces legal risk, and builds trust with users and customers.