How to respond to a GDPR data access request under Article 15
Have you received a data access request under Article 15 of the GDPR? We explain what to do in such cases and how to handle the process simply, securely, and in compliance with the GDPR.

Data protection law, in particular the General Data Protection Regulation (GDPR), primarily regulates how personal data is handled. In the public sphere, however, it is mostly associated with data breaches and the resulting (record-breaking) fines. As a result, most companies approach GDPR compliance as a data security exercise. What is often overlooked are the other rights and obligations, such as the data subject's right of access under Article 15 GDPR.
According to a study by the Capgemini Research Institute, numerous requests from individuals whose data is processed by companies (referred to as "data subjects") have been submitted to responsible organisations. Fifty percent of US companies and 46 percent of French companies reported receiving more than 1,000 such requests related to data subject rights under Article 15 and beyond. Similarly, 45 percent of Dutch companies and 36 percent of German companies reported receiving such requests.
The right of access is not new. The German Federal Data Protection Act (BDSG), in the version in force before 25 May 2018, also granted data subjects a right of access. However, the requirements and scope of the GDPR go beyond those of the former BDSG.
Whereas the BDSG limited the right of access to stored data, Article 15 GDPR extends it to all processed data. "Processing" under Article 4(2) GDPR covers practically any operation performed on personal data: collecting, recording, storing, reading, querying, modifying, transferring, disseminating, matching or erasing it. Essentially, any interaction with data constitutes processing. So, how should a company handle such a request?
Does the request concern your company?
The first step is to determine whether you are the party responsible for answering the request. This is not about avoiding responsibility but about ensuring an accurate and appropriate response. For instance, if an IT service provider processes data on behalf of a client (as a processor under Article 28 GDPR), it must forward the request to the client, who is the controller; the data processing agreement usually spells this out. In group structures where several entities operate under one brand, the request must reach the entity that actually processes the applicant's data. Data subjects usually have no insight into such corporate structures, so the receiving entity should route the request internally rather than simply reject it.
Verifying the identity of the applicant
A data access request can be submitted informally, often by email, and an access response sent to an impostor is itself a data breach. Where there is reasonable doubt about the requester's identity (Article 12(6) GDPR), the company may ask for additional information to confirm it, for example a postal address or customer number that can be checked against the data already on file, and should send the response to the contact details held on record rather than to a new address given in the request. Verification must remain proportionate: copies of identity documents should only be requested in exceptional cases, and information collected solely for verification should not be kept longer than the request takes to handle.
Excessive requests
Data subjects may exercise their right of access repeatedly; there is no fixed limit on the number of requests. Only where a request is manifestly unfounded or excessive, in particular because of its repetitive character (Article 12(5) GDPR), may the company charge a reasonable fee or refuse to act on it, and the company bears the burden of demonstrating that this is the case.
No data on the requester? Negative response!
If the requester's data has been deleted, was never stored, or has been irreversibly anonymised, there is nothing to disclose. Even then, the requester must be told that no personal data concerning them is being processed (a so-called "negative response"); silence is not an option.
When the right to access is excluded
While the right of access is generally available to all data subjects, Article 23 GDPR allows Member States to restrict it in specific situations; in Germany these are set out in sections 27(2), 28(2), 29(1) sentence 2 and 34 of the BDSG (for example, research and archiving purposes, professional secrecy, and data kept solely for backup or data protection control purposes). These cases are complex and should be assessed by a legal expert.
Access limited to personal data
The right of access covers personal data, meaning any information relating to an identified or identifiable natural person. This includes names, email addresses, and IP addresses. Pseudonymised data, such as records keyed only by an internal customer ID, is still personal data as long as the company can link the ID back to the person; it must therefore be located and included in the response, even though a search for the requester's name or email would not find it.
Information to include in a data access response
A company must include all personal data relating to the requester in its response. In addition, the information listed in Article 15(1) GDPR must be provided: the purposes of the processing, the categories of personal data concerned, the recipients or categories of recipients, the envisaged retention period or the criteria used to determine it, the existence of the rights to rectification, erasure, restriction and objection, the right to lodge a complaint with a supervisory authority, the source of the data where it was not collected from the data subject, and whether automated decision-making including profiling takes place. Much of this is usually found in a website's privacy policy, but merely referring the requester to the privacy policy is insufficient; the answer must be specific to the requester's data.
Response timeframe
Responses must be provided without undue delay and in any event within one month of receipt of the request (Article 12(3) GDPR). Where requests are complex or numerous, this period may be extended by up to two further months, but the requester must be informed of the extension and its reasons within the first month. Employee absences due to illness or holidays are not valid reasons for missing the deadline.
How to deliver the response
The GDPR does not prescribe a specific format for responses, so companies may design their own. Responses must be concise, transparent, intelligible and easily accessible, using clear and plain language (Article 12(1) GDPR).
Responses can be delivered electronically or in writing. Where the request was made by electronic means (e.g., via an online form), the information should be provided electronically unless the requester asks otherwise, for instance for postal delivery. If the requester asks for it, the information may also be given orally, provided the requester's identity has been proven by other means.
Data copy vs access request
The "copy of the personal data" under Article 15(3) GDPR goes beyond the information described above: the requester is entitled to receive the personal data undergoing processing itself, as the company holds it, and where the request was made electronically, in a commonly used electronic form. The copy must not adversely affect the rights of others (Article 15(4) GDPR), so data relating to third parties contained in the same records, such as a colleague's name in a support ticket, must be redacted (e.g., by blacking out the relevant passages) before the copy is released.
The first copy must be provided free of charge. For further copies the company may charge a reasonable fee based on administrative costs, unless the data set has changed significantly since the last copy, in which case the updated copy should again be free.
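The points about pseudonymised identifiers, third-party redaction and the negative response are easy to get wrong when the copy is assembled by hand. The following Python script is an added example, not code from the original article or from FTAPI's product; it works on a constructed in-memory dataset whose table and field names (CUSTOMERS, EVENTS, TICKETS, customer_id, cc_customer_id and so on) are assumptions for illustration, and the Article 15(1) information it attaches is likewise illustrative. It resolves the verified email address to every internal ID the company uses for that person, collects records from a pseudonymised log that carries no name or email, redacts the other participants in a shared ticket depending on who is asking, returns a negative response when nothing is held, and runs a final check that no other customer's identifier slipped into the output.

```python
"""Assemble an Article 15(3) data copy from a constructed sample dataset."""
import json
from typing import Any

# Constructed sample data; table and field names are assumptions for illustration.
CUSTOMERS = [
    {"customer_id": "c-1001", "email": "anna@example.org", "name": "Anna Example"},
    {"customer_id": "c-1002", "email": "ben@example.org", "name": "Ben Sample"},
]
# Pseudonymised usage log: only the internal ID, no name or email. Still personal data.
EVENTS = [
    {"customer_id": "c-1001", "event": "login", "ip": "203.0.113.7", "ts": "2024-03-01T10:00:00Z"},
    {"customer_id": "c-1002", "event": "login", "ip": "203.0.113.9", "ts": "2024-03-01T10:05:00Z"},
    {"customer_id": "c-1001", "event": "export", "ip": "203.0.113.7", "ts": "2024-03-02T08:30:00Z"},
]
# A ticket can involve two customers and an employee; only the requester's own data is disclosed.
TICKETS = [
    {"ticket": 77, "requester_id": "c-1001", "cc_customer_id": "c-1002",
     "agent": "Chris Agent", "agent_email": "chris@example.org", "text": "Invoice question"},
]

# Information under Article 15(1) that accompanies the copy (illustrative values, an assumption).
ARTICLE_15_INFORMATION = {
    "purposes": ["contract performance", "security logging"],
    "categories": ["identification data", "contact data", "usage data"],
    "recipients": ["hosting provider (processor)"],
    "retention": "customer data: contract term plus 10 years; usage log: 90 days",
    "source": "collected from the data subject",
    "automated_decision_making": "none",
    "rights": ["rectification", "erasure", "restriction", "objection",
               "complaint to a supervisory authority"],
}

REDACTED = "[redacted: third-party data]"
# Ticket fields that always identify someone other than the data subject.
STAFF_FIELDS = {"agent", "agent_email"}
# Ticket fields naming a customer; disclosed only when that customer is the requester.
PARTICIPANT_FIELDS = {"requester_id", "cc_customer_id"}


def resolve_ids(email: str) -> set[str]:
    """Map the verified identity to every pseudonymous ID the company uses for it."""
    wanted = email.strip().lower()
    return {c["customer_id"] for c in CUSTOMERS if c["email"].lower() == wanted}


def redact_ticket(row: dict[str, Any], ids: set[str]) -> dict[str, Any]:
    """Keep the requester's own fields; blank out anything identifying another person.

    Free-text fields (here "text") are passed through and should get a manual review
    in practice, since they may quote third parties as well.
    """
    out: dict[str, Any] = {}
    for key, value in row.items():
        if key in STAFF_FIELDS or (key in PARTICIPANT_FIELDS and value not in ids):
            out[key] = REDACTED
        else:
            out[key] = value
    return out


def build_data_copy(email: str) -> dict[str, Any]:
    """Return the Article 15(3) copy, or a negative response if nothing is held."""
    ids = resolve_ids(email)
    found = {
        "customers": [c for c in CUSTOMERS if c["customer_id"] in ids],
        "events": [e for e in EVENTS if e["customer_id"] in ids],
        # A ticket relates to the requester whether they opened it or were only cc'd on it.
        "tickets": [redact_ticket(t, ids) for t in TICKETS
                    if any(t.get(f) in ids for f in PARTICIPANT_FIELDS)],
    }
    found = {table: rows for table, rows in found.items() if rows}
    if not found:
        return {"subject": email, "status": "negative",
                "message": "No personal data concerning you is being processed."}
    return {"subject": email, "status": "data", "data": found,
            "information": ARTICLE_15_INFORMATION}


def leaked_third_party_ids(copy: dict[str, Any]) -> set[str]:
    """Release gate: no other customer's internal ID may appear anywhere in the copy."""
    own = resolve_ids(copy["subject"])
    serialized = json.dumps(copy)
    return {c["customer_id"] for c in CUSTOMERS
            if c["customer_id"] not in own and c["customer_id"] in serialized}


if __name__ == "__main__":
    for who in ("anna@example.org", "ben@example.org", "nobody@example.org"):
        copy = build_data_copy(who)
        assert not leaked_third_party_ids(copy), "third-party data would leak"
        print(json.dumps(copy, indent=2))
```

The same ticket appears in both Anna's and Ben's copies, each time with the other party's identifier redacted, which is the behaviour Article 15(4) requires; the final scan for foreign identifiers is cheap and catches the common mistake of matching records by one field but redacting by another.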
Taking organisational precautions
Even if no access request has been received yet, it is advisable to establish a process for responding promptly and completely to future requests: a defined intake channel, a way to find all records for a person across systems (including those keyed only by internal IDs), a deadline tracker and a standard response template. Articles 12(1) and 5(2) GDPR require controllers to take appropriate organisational measures in advance and to be able to demonstrate that they did, so improvising after the first request arrives is not an option.
FTAPI SecuForms: A GDPR-Compliant Solution
FTAPI SecuForms, combined with the FTAPI Processes module, offers a simple and secure solution for handling data access requests in compliance with GDPR. This includes:
Submission of a request with identity verification via SecuForm (end-to-end encrypted)
Receipt confirmation
Generation of a secure link to the requested data
Delivery of the link via encrypted email or post
Automatic deletion of data after 30 days
The solution is designed to cover the requirements described above:
A straightforward and user-friendly process for submitting requests
End-to-end encryption for all data, both incoming and outgoing
Robust identity verification to ensure secure access
Status tracking and confirmation of receipt for transparency
Capability to handle and provide large or multiple data files seamlessly
Automatic deletion of requests and associated data after processing