Data protection updates: the data subject’s right of access and expected developments

Recently, we have received an increasing number of questions from clients regarding the scope of the data subject’s right of access and the practical requirements for responding to access requests. The topic is particularly timely, as legislative work is currently underway to amend certain procedural provisions of the General Data Protection Regulation (GDPR).

Under the GDPR, the right of access is one of the cornerstone data subject rights. On the one hand, it is essential for ensuring transparent data processing; on the other hand, it is one of the most frequently disputed rights in practice, with a significant proportion of supervisory authority proceedings and court cases relating to its exercise. Complying with the right of access involves much more than simply providing copies of personal data. It also requires the proper identification of the data subject, compliance with the principle of data minimisation, and the appropriate handling of potentially abusive requests.

In this newsletter, we provide an overview of the content of the right of access, the key guidance shaping its practical application in Europe, and the most recent and expected legislative developments.

The content of the right of access

Pursuant to Article 15 GDPR, the data subject is entitled to obtain confirmation as to whether or not personal data concerning him or her are being processed and, where that is the case, access to the following information:

  - the purposes of the processing,
  - the categories of personal data concerned,
  - the recipients to whom the personal data are disclosed,
  - the retention period of the data,
  - information on the rights available to the data subject, including the right to request rectification, erasure or restriction of processing of personal data and to object to such processing,
  - information on lodging a complaint with a supervisory authority and the manner thereof,
  - as well as the source of the data (where the data are not collected from the data subject).

One of the critical elements of exercising this right is the provision of a copy of the personal data. Case law has made it clear that this does not merely mean providing summary information, but the actual disclosure of specific data relating to the data subject. In certain cases, this may also include providing the relevant parts of complete documents (e.g. emails, reports).

The importance of handling access requests

Properly responding to access requests is not merely a procedural obligation; it is a key element of GDPR compliance as it directly supports the principles of transparency and accountability.

Where access requests are handled correctly, data controllers:

  - ensure compliance with the GDPR principle of transparent processing;
  - enable data subjects to effectively exercise their rights;
  - reduce the risk of supervisory investigations and administrative fines;
  - minimise the likelihood of disputes and litigation; and
  - strengthen trust in their data processing activities.

Conversely, inadequate or incomplete responses—such as failing to provide a copy of the personal data, insufficient redaction of third-party information or unjustified refusal of the request—may constitute standalone GDPR infringements and often lead to supervisory investigations following complaints lodged by data subjects.

Top 10 key considerations for exercising the right of access

Based on the European Data Protection Board (EDPB) Guidelines, the following practical considerations deserve particular attention when handling the exercise of the right of access:

  1. Access requests must be assessed based on their substance. They may not be rejected solely on formal grounds, and any request seeking access to personal data should be treated as a request to exercise the right of access.
  2. The data controller must conduct a search across all relevant systems, including electronic systems, email accounts, and archived data, and, where necessary, paper-based records.
  3. Where the data subject requests a copy of their personal data, the data controller must provide the actual personal data being processed. A summary or list alone is not sufficient. Depending on the circumstances, this may require providing the relevant excerpts from documents such as emails or reports, while of course maintaining business confidentiality.
  4. The information provided must be intelligible. Where the disclosed data are technical, coded, or otherwise difficult to understand, explanatory information may also need to be provided.
  5. Where documents to be disclosed contain personal data relating to other individuals, the data controller must apply anonymisation or masking. Withholding the entire document is justified only in exceptional circumstances.
  6. Where the data controller has reasonable doubts regarding the identity of the requester, it must verify the data subject’s identity to ensure that personal data are disclosed only to the authorised individual, thereby safeguarding both the protection of personal data and the effective exercise of data subject rights.
  7. Identity verification should primarily rely on information already available to the data controller. Where necessary, supplementary verification measures may be used, such as email verification or online or in-person identification.
  8. Only the minimum amount of information necessary for identification may be requested. Excessive or unjustified authentication requirements may themselves constitute a breach of data protection law.
  9. Identity verification must always be proportionate and secure, taking into account the sensitivity of the personal data, the circumstances of the request, and the risk of misuse.
  10. Where appropriate, the data controller should document and be able to demonstrate that the identification and fulfilment measures applied were necessary and proportionate.

Proposed GDPR amendment – Procedural reform

Under the current GDPR framework, data subject requests must, as a general rule, be handled free of charge. A data controller may charge a reasonable fee or refuse to act on a request only where it is manifestly unfounded or excessive, in particular because of its repetitive nature. In such cases, the burden of proof rests with the data controller.

The proposed amendment to the GDPR would clarify this framework by expressly addressing abusive requests. A request could be regarded as abusive, for example, where there are reasonable grounds to believe that the data subject is exercising the right not for the purpose of protecting their personal data, but for another purpose, such as exerting pressure on the data controller or preparing for litigation.

One of the key elements of the proposal is that it would ease the data controller’s evidentiary burden. Rather than having to establish abuse with complete certainty, it may be sufficient to demonstrate that abuse is reasonably likely.

At the same time, the European Data Protection Board emphasises that any restriction of the right of access must remain exceptional, and that the concept of an “abusive request” should be interpreted narrowly. The proposal would not alter the substance of the right of access itself but is instead intended primarily to streamline procedures and promote greater consistency in regulatory enforcement.

Conclusion

The right of access remains one of the most critical areas of data protection compliance. Recent regulatory practice increasingly focuses on ensuring that data subjects receive meaningful access to information, while requiring data controllers to strike an appropriate balance between facilitating data subject rights, complying with the principle of data minimisation, and maintaining the security of personal data.

Data controllers should therefore ensure that they maintain an up-to-date record of processing activities and data inventories, establish consistent internal procedures for handling data subject requests, implement effective anonymisation and document review mechanisms, and provide regular training for employees involved in responding to such requests. It is equally important for data controllers to document the decisions taken throughout the handling of data subject requests, including the identity verification process and the factors considered when assessing whether a request may be abusive. This is particularly significant in light of the anticipated regulatory changes and increased scrutiny by supervisory authorities, which are likely to make these processes a key area of regulatory review.
