Your right of access (Article 15)

Exercise Your Rights

What is the right to access?

The right of access is a powerful tool, as it allows you to know what information companies have on you, why they have it, and what they are doing with it. Therefore, an access request is oftentimes a first step and a precondition of exercising other rights under the GDPR and a way to find out if your rights are being violated. 

Scope of the right to access

The right to access gives you the right to get a copy of your data, but also the right to get detailed explanations that should allow you to understand if the data is processed legally. You have the right to find out the following: 

  • the purposes for which your data is used
  • the categories of that data 
  • if the company has shared your data with third parties and if so, who those parties are (you have the right to receive the names of all these parties) 
  • any sources the company got your personal data from 
  • for how long the company stores your data 
  • the other rights you have against a company, including the right to correct your data, to delete your data (in certain circumstances), or to restrict or object to the company using your data
  • if the company uses your data in an automated decision-making process (such as decisions made by AI or an algorithm), meaningful information about the logic behind that algorithm, and the significance and consequences the company foresees for using your information in this way
  • if the data are sent outside of the European Union and, if so, which safeguards are in place to protect your data.

How to exercise your rights

  • You can send an informal message stating that you want to exercise your right under Article 15 GDPR. You are not required to specify which information you want access to (as you may not know this yet), but if you are interested in very specific information, you may want to limit your request to this information.

Typical Problems

  • The company doesn’t respond within the deadline
  • The company only sends parts of the required information
  • You only get a generic response (e.g. all the purposes are listed, but it is not clear what data is processed for which purpose, or the company mentions that they “may have your data” without saying whether they actually have it)
  • You only receive a standard response instead of a personalized one (e.g. the company refers you to the privacy policy and does not actually explain what happened to your data)
  • The company only provides information bit-by-bit upon further requests.
  • It is often hard to find out whether information is missing, as you cannot inspect the servers of a company. It is useful to look for inconsistencies in the response, check publicly available information, or ask further questions if you are not sure whether all the information was provided.