Correct response to a GDPR request to access personal data as a data controller


This article provides some practical tips for dealing with requests to right of access in the area of data protection under the General Data Protection Regulation.

What right of access do individuals whose data are processed have?

According to Article 15 GDPR of the EU General Data Protection Regulation, the data subject has the right to obtain information about who is processing the data about him/her, where the data originated, why it is being processed, whether he/she has a right to rectify, erase, restrict or object to the data. In addition, he/she has the right to receive information about the existence of a right of appeal to a supervisory authority and the expected storage period of the data, in particular also about to whom the data will be disclosed. Of course, the information can only be provided if the data of the data subject are actually processed in accordance with Art 15 (1) DGDPR. Otherwise, the applicant must be informed that no data is available.

What is the correct procedure for disclosing data under the GDPR?

It is recommended to generally proceed as follows when responding to requests for information:

  1. Acknowledgement of receipt
  2. Verification of identity
  3. Transmission of the information
  4. Storage of the information request and the information

Acknowledgement of receipt

The data subject should immediately receive an acknowledgement of receipt of his or her request for information. This is already a confidence-building measure, as it shows the data subject that his or her request will be taken seriously and processed in accordance with the applicable regulations.

The acknowledgement of receipt should not yet contain any information on personal data. However, the data subject should be informed together with the acknowledgement of receipt that verification of his or her identity is required.

The data subject should also be informed that the request will be processed as soon as possible, but that a processing time of approximately two weeks should be expected. A waiting period of up to one month is permitted by law.

Verification of identity

If a request for information is made by e-mail or is sent to an address unknown to the company, caution is advised. The request for information could also have been made by another unauthorized person trying to obtain information about the data subject(s).

For this reason, the information address or e-mail address should also be checked against your own data. In the event of discrepancies, it is advisable to send an additional acknowledgement of receipt to the e-mail address or postal address stored in the data record.

Here, for example, a PIN code could also be sent by mail to verify the legitimacy of the data.

For particularly critical data, it could also be helpful to send an ID card or PostIdent procedure.

For non-critical data, however, such excessive verification is probably not permissible.

Transmission of information

If the identity of the data subject has been verified, the information can be transmitted to him or her. A complete disclosure must contain the following information:

  • Purpose of processing
  • Categories of personal data
  • Recipients or categories of recipients who have already received the data or will receive it in the future
  • Intended storage period or the criteria for determining it
  • Information on the origin of the data (if it does not originate from the data subject)
  • Information on the right to rectification, erasure, blocking and disclosure
  • Information about the right to object to processing
  • Information about automated decision making (including profiling), if applicable.

Retention of provided information

To date, no retention period for access requests has been established by law, but it is recommended that requests to right of access and the information itself be retained until the expiration of the three-year statute of limitations. Requests to right of access and the information itself are stored here to defend against unjustified claims, so the data should be kept separately. It is also advisable to "lock" these data records, meaning they should also only be accessible to a few people within a company or authority.

Would you like to learn more about data protection? Please contact us, during a free initial consultation we will analyze your needs together.

Our solutions for reliable
and scalable infrastructure.

Easily and scale your IT infrastructure while deploying applications quickly and securely with our cloud native technology solutions.

But it does not have to be like this

Now full data control is one click away