Article 15 GDPR

From GDPRhub
Article 15 - Right of access by the data subject

Legal Text


Article 15 - Right of access by the data subject

1. The data subject shall have the right to obtain from the controller confirmation as to whether or not personal data concerning him or her are being processed, and, where that is the case, access to the personal data and the following information:

(a) the purposes of the processing;
(b) the categories of personal data concerned;
(c) the recipients or categories of recipient to whom the personal data have been or will be disclosed, in particular recipients in third countries or international organisations;
(d) where possible, the envisaged period for which the personal data will be stored, or, if not possible, the criteria used to determine that period;
(e) the existence of the right to request from the controller rectification or erasure of personal data or restriction of processing of personal data concerning the data subject or to object to such processing;
(f) the right to lodge a complaint with a supervisory authority;
(g) where the personal data are not collected from the data subject, any available information as to their source;
(h) the existence of automated decision-making, including profiling, referred to in Article 22(1) and (4) and, at least in those cases, meaningful information about the logic involved, as well as the significance and the envisaged consequences of such processing for the data subject.

2. Where personal data are transferred to a third country or to an international organisation, the data subject shall have the right to be informed of the appropriate safeguards pursuant to Article 46 relating to the transfer.

3. The controller shall provide a copy of the personal data undergoing processing. For any further copies requested by the data subject, the controller may charge a reasonable fee based on administrative costs. Where the data subject makes the request by electronic means, and unless otherwise requested by the data subject, the information shall be provided in a commonly used electronic form.

4. The right to obtain a copy referred to in paragraph 3 shall not adversely affect the rights and freedoms of others.

Relevant Recitals

Recital 58: Modalities for Transparent Information Provision
The principle of transparency requires that any information addressed to the public or to the data subject be concise, easily accessible and easy to understand, and that clear and plain language and, additionally, where appropriate, visualisation be used. Such information could be provided in electronic form, for example, when addressed to the public, through a website. This is of particular relevance in situations where the proliferation of actors and the technological complexity of practice make it difficult for the data subject to know and understand whether, by whom and for what purpose personal data relating to him or her are being collected, such as in the case of online advertising. Given that children merit specific protection, any information and communication, where processing is addressed to a child, should be in such a clear and plain language that the child can easily understand.

Recital 59: Modalities for Facilitating Data Subject Rights
Modalities should be provided for facilitating the exercise of the data subject's rights under this Regulation, including mechanisms to request and, if applicable, obtain, free of charge, in particular, access to and rectification or erasure of personal data and the exercise of the right to object. The controller should also provide means for requests to be made electronically, especially where personal data are processed by electronic means. The controller should be obliged to respond to requests from the data subject without undue delay and at the latest within one month and to give reasons where the controller does not intend to comply with any such requests.

Recital 63: Modalities and Scope of Right of Access
A data subject should have the right of access to personal data which have been collected concerning him or her, and to exercise that right easily and at reasonable intervals, in order to be aware of, and verify, the lawfulness of the processing. This includes the right for data subjects to have access to data concerning their health, for example the data in their medical records containing information such as diagnoses, examination results, assessments by treating physicians and any treatment or interventions provided. Every data subject should therefore have the right to know and obtain communication in particular with regard to the purposes for which the personal data are processed, where possible the period for which the personal data are processed, the recipients of the personal data, the logic involved in any automatic personal data processing and, at least when based on profiling, the consequences of such processing. Where possible, the controller should be able to provide remote access to a secure system which would provide the data subject with direct access to his or her personal data. That right should not adversely affect the rights or freedoms of others, including trade secrets or intellectual property and in particular the copyright protecting the software. However, the result of those considerations should not be a refusal to provide all information to the data subject. Where the controller processes a large quantity of information concerning the data subject, the controller should be able to request that, before the information is delivered, the data subject specify the information or processing activities to which the request relates.

Recital 64: Identity Verification
The controller should use all reasonable measures to verify the identity of a data subject who requests access, in particular in the context of online services and online identifiers. A controller should not retain personal data for the sole purpose of being able to react to potential requests.

Commentary

Article 15 GDPR provides for the data subject's right to request access to their data from the controller. The right to access is also explicitly named as a fundamental right in Article 8(2) CFR; therefore, it is important that it is interpreted in the light of the Charter and the principle of proportionality in Article 52(1) CFR.[1]

Just like the general principle of transparency in Article 5(1)(a) GDPR and the controller's information obligations under Articles 13 and 14 GDPR as well as the other transparency provisions, the right to access is meant to overcome "informational imbalance" (i.e. the fact that the controller has much more knowledge about the processing of the data subject's data than the data subject themselves). Similarly, the right of access is supposed to enable data subjects to assess the lawfulness of the processing of their data and to effectively exercise their rights under the GDPR.[2]

Passive ex-post information about the personal data of the specific data subject

The data subjects' right to request access to their data constitutes a passive obligation for the controller: access must be granted only if a data subject makes a corresponding request.[3] While the controller's information obligations under Articles 13 and 14 GDPR provide for more generic ex-ante information, Article 15 GDPR is meant to provide the data subject with more detailed and specific information on an ex-post basis.[4]

In other words: the right to information under Articles 13 and 14 GDPR provides (generic) forward-looking information on expected or possible processing, usually in a uniform way for all users of the service, which must be provided proactively by the controller. The right to information is therefore naturally more generic and less precise. The right to access, however, allows data subjects to get information on the actual processing of their specific personal data and their specific situation, which not only enables them to exercise their rights (see especially Articles 16 to 22 GDPR) but also allows them to check whether the controller has complied with the ex-ante information provided under Articles 13 or 14 GDPR.[5]

Pursuant to Article 12(2) GDPR, the response by the controller on those rights shall be individually tailored to the case of the data subject and relate to the processing operations concerned. Information on rights that are not applicable for the data subject in the specific situation should be avoided.

EDPB, ‘Guidelines 01/2022 on data subject rights - Right of access’, 28 March 2023 (Version 2.1), margin number 119.


While the wording of Articles 13 or 14 GDPR and Article 15(1) GDPR often overlaps, the controller has a different obligation under Article 15 GDPR: to include the ex-post information about concrete, actual processing. If the information under Articles 13 or 14 GDPR and Article 15 GDPR were the same, Article 15(1) GDPR would be largely deprived of any meaning. A mere reference to the information under Articles 13 or 14 GDPR would therefore not be sufficient.

For example: A large platform lists all possible processing operations, purposes and recipients. Many of these elements are only relevant for users that use certain functions of the platform. If the controller responds to an access request under Article 15 GDPR, just referring to the privacy policy for information under Article 15(1) GDPR would neither be transparent nor accurate. It would not allow the data subject to understand if its personal data was actually used for certain purposes or shared with third parties.

Basis for the exercise of other rights, but intention irrelevant

The possibility to receive consistent, reliable, complete and updated information regarding processing activities allows individuals to obtain and increase their awareness of any relevant processing operations, exercise practical control over their data, and scrutinise the accuracy and lawfulness of data processing operations.[6] The right to access is therefore a prerequisite to exercising data subjects' rights (rectification, erasure, restriction, etc.) and is a key principle of the entire data protection framework.[7]

The right to access is, however, also a "stand-alone" fundamental right, protected under Article 8(2) CFR. A data subject may just want to get information about the data processed about them, independent of the exercise of any other right under the GDPR. A data subject therefore does not need to give reasons for exercising the right to access. Even if they did, the controller does not have the jurisdiction to assess underpinning motives.[8]

"[C]ontrollers should not assess “why” the data subject is requesting access, but only “what” the data subject is requesting (see section 3 on the analysis of the request) and whether they hold personal data relating to that individual (see section 4). Therefore, for example, the controller should not deny access on the grounds or the suspicion that the requested data could be used by the data subject to defend themselves in court in the event of a dismissal or a commercial dispute with the controller."

EDPB, ‘Guidelines 01/2022 on data subject rights - Right of access’, 28 March 2023 (Version 2.1), margin number 13.


Also, the CJEU held that the motive of the data subject is irrelevant when requesting access to their personal data processed by the controller. In C‑307/22 FT and DW, a data subject used Article 15 GDPR to get (free) access to their own health records. The controller alleged that the access request was not made for the purpose of exercising (other) GDPR rights, but to get a copy of health records, which is usually subject to a charge. The CJEU held that the right to get a free copy of one's personal data is independent of the intended purpose for which the personal data is used and the controller must grant access.[9]

"Article 12(5) and Article 15(1) and (3) of the GDPR must be interpreted as meaning that the controller is under an obligation to provide the data subject, free of charge, with a first copy of his or her personal data undergoing processing, even where the reason for that request is not related to those referred to in the first sentence of recital 63 of that regulation."

CJEU, C‑307/22 FT and DW, margin number 52.

For example: A film maker made an access request for CCTV footage showing her walking around London. She had other actors be in front of the CCTV cameras and used the footage to make an entire movie from CCTV footage collected via the right to access. Tilda Swinton narrated the otherwise silent CCTV footage published in 2007.[10] Her use of the right to access to get a copy of CCTV footage may have been tedious, and the use of personal data for a movie (criticising surveillance) may have been exceptional, but it was legal.

Consequently, a data subject can also make an access request under Article 15 GDPR for any other purpose - such as to generate evidence for a legal procedure. Even if many EU Member States' procedures do not know the concept of "discovery" (as common in the US), data subjects may use the right to access for any purpose they wish. In fact, the controller may equally rely on personal data as evidence under Article 6(1)(f) GDPR. The use of Article 15 GDPR to obtain evidence would still serve to overcome "informational imbalance" in such cases.[11]

Relationship with other rights to access information

Other EU or national legislation may provide for additional rights to access information. Such rights may come in many forms, such as procedural law (allowing access to documents in a procedure), freedom of information laws (allowing access to government files) or specific sectoral laws, such as laws concerning access to health data or archives. Unless other EU or national law is explicitly a lex specialis in relation to the GDPR - usually in the form of a Restriction under Article 23 GDPR - these other rights exist in parallel to the GDPR. This means a data subject may freely choose to rely on Article 15 GDPR or any other legal basis available to it.[12]

WP29 and EDPB Guidelines: For this Article, see the following Guidelines:

  • WP29, ‘Guidelines on Transparency under Regulation 2016/679’, 17/EN WP260 rev.01, 11 April 2018; and
  • EDPB, ‘Guidelines 01/2022 on data subject rights - Right of access’, 28 March 2023 (Version 2.1).

(1) The Right of Access

Article 15(1) GDPR describes the core of the data subject's right of access. It obliges the controller to (i) confirm whether or not personal data of the data subject are processed, and, if that is the case, (ii) provide access to the personal data (in other words, a copy of the personal data "undergoing processing" under Article 15(3) GDPR or other relevant method to achieve the purpose), and (iii) inform the data subject about certain elements of the processing (Article 15(1)(a-h) and 15(2) GDPR).

Therefore, once the access request is received, the controller must first verify whether processing of the data subject's personal data is actually taking place and if so, provide the required information to the data subject.

When providing any of this information to the requesting data subject, the controller has to comply with the formal requirements set forth in Article 12 GDPR. In particular, the information must be provided in a concise, transparent, intelligible and easily accessible form, using clear and plain language. In this regard, it is particularly important that the information provided by the controller is complete.[13]

It should be pointed out that, as made clear in Recital 60 GDPR, the controller should provide data subjects with any further information if it is necessary to ensure a fair and transparent processing. For example, the EDPB pointed out that a controller should provide data subjects with information about the legal basis for the processing or at least point out where this information can be found when responding to an access request.[14]

Right to obtain

The data subject has a right to obtain (i.e. request) information. Typically the right to access under Article 15 GDPR is triggered by an access request by the data subject. The GDPR does not impose any requirements regarding the form of the request by which the data subject or their authorised representative exercises the right of access.[15]

The data subject may define the scope of their request and the format of the request. In other words, the data subject may make a general request, including all the elements just mentioned, or limit the scope of the inquiry, e.g. by requesting only a copy of its data or only some elements of the list in Article 15(1)(a-h) GDPR.

"Any limitation of the scope of a request to a specific provision of Art. 15 GDPR, made by the data subjects, must be clear and unambiguous. For example, if the data subjects require verbatim “information about the data processed in relation to them”, the controller should assume that the data subjects intend to exercise their full right under Art. 15(1) – (2) GDPR. Such a request should not be interpreted as meaning that the data subjects wish to receive only the categories of personal data that are being processed and to waive their right to receive the information listed in Art. 15(1)(a) to (h)."

EDPB, ‘Guidelines 01/2022 on data subject rights - Right of access’, 28 March 2023 (Version 2.1), margin number 51.


Given that the controller must facilitate a request under Article 12(2) GDPR and most data subjects will have limited knowledge about the right to access, the controller may not take an overly formalistic approach to a request. The data subject need not explicitly rely on Article 15 GDPR, but may use layman's terms to make a valid request. The request need not specify specific personal data or a specific reason for the exercise of the right to access. If the request is unclear, the controller shall ask the data subject to specify what processing activities the request relates to or for further information to identify the relevant data.[16]

The data subject has the right to make "blanket" requests for any personal data held about him or her. The controller may suggest a limitation - also in the interest of a prompt response - but if the data subject nonetheless requests access to all their personal data, the controller has to provide this information,[17] as confirmed by the EDPB[18] and national courts.[19]

For example: On all help pages of a controller that deal with the right to access, data subjects are referred to an online form to "request a copy". If the form is filled out, the data subject gets a ZIP file with some, but not all, personal data. Other information under Article 15(1) and (2) GDPR is not provided at all. During the complaints procedure the controller argues that the data subject only made a "request for a copy" not a "request under Article 15 GDPR". The controller clearly violated Article 5(1)(a) and 12(1) GDPR.


From the controller

The addressee of the obligation to provide access is the controller within the meaning of Article 4(7) GDPR, namely the entity which determines the purposes and means of the processing. However, the object of an access request may include processing activities performed by a processor on behalf of the controller. In this case, the duty to respond to the access request stays with the controller.[20]

Confirmation as to ‘whether’ or not personal data are being processed

The initial step for data subjects when requesting access to their personal data is to determine whether or not the controller processes any data concerning them. The search for personal data should be performed on all the paper and computer records where personal data are being processed, including the controller's back-up systems. If the controller does process data related to the requesting data subject, it confirms the existence of processing operations, but the controller should respond even if no personal data are processed.[21]

"Where the controller does not process personal data relating to the data subject requesting the access, the information to be provided would be limited to confirming that no personal data relating to the data subject are being processed. Where the controller does process data relating to the requesting person, the controller must confirm this fact to this person. This confirmation may be communicated separately, or it may be encompassed as part of the information on the personal data being processed."

EDPB, ‘Guidelines 01/2022 on data subject rights - Right of access’, 28 March 2023 (Version 2.1), margin number 18.


Access to personal data

In general terms, "access" refers to the set of actions that a controller takes to show the data subject the data undergoing processing. The right to access is meant to give access to the personal data itself, not a description of the processing.[22] Generally, access to the personal data is granted by providing a copy of the personal data under Article 15(3) GDPR to the data subject.[23]

"[T]he notion of a copy has to be interpreted in a broad sense and includes the different kinds of access to personal data as long as it is complete (i.e. it includes all personal data requested) and possible for the data subject to keep. Thus, the requirement to provide a copy means, that the information on the personal data concerning the person who makes the request is provided to the data subject in a way which allows the data subject to retain all of the information and to come back to it."

EDPB, ‘Guidelines 01/2022 on data subject rights - Right of access’, 28 March 2023 (Version 2.1), margin number 25.


Under certain circumstances, it may be more appropriate to offer alternative methods of data access instead of providing a copy. These temporary access modes may include verbal communication, file inspection, or remote/on-site access that allows the data subject to see the personal data in a user interface. Such methods may be appropriate in situations where the data subject's interests are at stake or if they specifically request it. On-site access could also serve as an initial step when a large volume of non-digital data is being processed, enabling the data subject to understand which personal data is being processed and make an informed decision regarding which data they want to obtain through a copy.[24]

Non-permanent ways of access can be sufficient and adequate in certain situations; for example, it can satisfy the need of the data subjects to verify that the data processed by the controller are correct by giving data subjects a chance to view the original data. A controller is not obliged to provide the information through other ways than providing a copy but should take a reasonable approach when considering such a request. Giving access through other ways than providing a copy does not preclude the data subjects from the right to also have a copy, unless they choose not to.

EDPB, ‘Guidelines 01/2022 on data subject rights - Right of access’, 28 March 2023 (Version 2.1), margin number 133.


The scope of the right to access includes all "personal data" as defined in Article 4(1) GDPR and includes all information in relation to a data subject, no matter in which system, format or way the personal data is processed. It also covers information that is stored by other than automated means, if the personal data is stored or intended to be stored in a "filing system" within the meaning of Article 4(6) GDPR. See also Article 2(1) GDPR on the scope of the GDPR when it comes to non-automated filing systems.[25]

For example: A hospital keeps paper records in a paper filing system. The right to access applies here as well. This also includes documents that were not yet filed, but are intended to be filed in the paper filing system. However, a sticky note on the desk of the doctor that is not intended to end up in the filing system would not be covered.


According to the EDPB, this includes, inter alia, special categories of personal data (Article 9 GDPR); personal data relating to criminal convictions and offenses (Article 10 GDPR); data knowingly and actively provided by the data subject (e.g. account data submitted via forms, answers to a questionnaire); observed data or raw data provided by the data subject by virtue of their use of the service or device (e.g. data processed by connected objects, transactional history, activity logs such as access logs, browsing history, search activities, location data, clicking activity, unique aspects of a person’s behaviour such as handwriting, keystrokes, or particular way of walking and speaking); data derived from other data, rather than directly provided by the data subject (e.g. credit score, classification based on common attributes of data subjects; country of residence derived from postcode); data inferred from other data, rather than directly provided by the data subject (e.g. to assign a credit score or comply with anti-money laundering rules, algorithmic results, results of a health assessment or a personalisation or recommendation process).[26] Equally, data that relates to multiple persons (e.g. the fact that a data subject is on a list of "high performers") also relates to the individual person.[27]

To be included in the copy, the data must be undergoing processing. Deleted data or data that was anonymised does not constitute personal data anymore and does not fall under Article 15(1) GDPR. However, there is no exception for archived personal data, data in a "trash" folder, pseudonymised personal data or data that is otherwise hard to retrieve.[28]

In fact, some of the "meta" information that must be provided under Article 15(1) GDPR, such as the recipients or sources of personal data, may itself also constitute "personal data". For example, the information that a certain data subject's information was transferred to another entity is regularly stored in the form of "personal data" (i.e. information relating to an identified or identifiable natural person) by the controller. The data subject may rely on either provision and may access the information as "personal data" or as "information" under Article 15(1) GDPR.

Timing

The right to access covers information at the time the request is made.[29] This means that a controller must be able to freeze or copy personal data quickly, if a system may delete information during the period it takes to respond to an access request. The controller may not delete information to avoid an accurate response.[30] As a matter of transparency, controllers should add any additional information that may have been added in the time between the receipt of the access request and the provision of a response to the data subject.

For example: A controller deletes all personal data within 7 days to comply with the principle of storage limitation in Article 5(1)(e) GDPR. The controller must be able to copy the data within that time and cannot simply have the automatic deletion frustrate the right to access.


In some cases, the requirement to give access before information is deleted (e.g. when CCTV footage is only stored for 48h) can be challenging for a controller. In such a case, the controller should implement measures that ensure it can prevent, in time, the deletion of data covered by an access request.

Identification and authentication

The data subject must provide the necessary information to ensure identification (see Article 12(2) GDPR) of the personal data and authentication of the request (see Article 12(6) GDPR). Before providing access, the controller must take all necessary steps to verify the identity of the data subject to comply with its obligations under Article 32 GDPR. Obviously, the risk of abuse is more relevant for the right to access than for the right to object to direct marketing in Article 21(2) GDPR. Consequently, the controller may have to take a stricter approach under Article 15 GDPR. The disclosure of personal data to a different person would usually qualify as a data breach under Article 34 GDPR.[31]

However, the controller shall not use this requirement to hinder the exercise of the right of access.[32] A controller must strike a balance between adequate security under Article 32 GDPR and not requesting disproportionate information from data subjects, given that they must facilitate the exercise of such right within the meaning of Article 12(2) GDPR and may not violate the data minimisation principle, when requested identification or authentication (e.g. a copy of an ID) is not necessary.[33]

For example: When the data subject used an email address to create an account on an online platform and uses the same email address to request access to their data processed by that online platform in connection to their account, the controller can usually have no reasonable doubt as to their identity. Requesting an ID from the data subject would be a violation of the controller’s obligation to facilitate the data subject’s right of access.


See more information under Article 12(6) GDPR.

Additional information under Article 15(1)(a) to (h)

Under Article 15(1)(a) to (h) GDPR, the controller is obliged to provide the data subject certain information about the processing. In accordance with Article 12 GDPR, this information must be provided in a concise, transparent, intelligible and easily accessible form, using clear and plain language. Most of the information elements in Article 15(1)(a) to (h) are similar, but not identical, to those in Articles 13 and 14 GDPR. For example, under Article 13 GDPR, the controller must provide a description of what it intends to do after obtaining the user data: (c) purposes of the processing for which personal data are intended; (e) recipients or categories of recipients, if any; (f) the fact that the controller intends to transfer personal data; (2)(e) possible consequences of failure to provide such data. The wording of Article 15 is significantly different because it no longer refers to the controller's future intentions, but to what the controller actually currently does with the previously received data: (1)(a) purpose of the processing (not intended purposes); (1)(b) categories of personal data concerned (not, if any); (1)(c) recipients or categories of recipients to whom the personal data have been disclosed or will be disclosed. These are two different perspectives. Articles 13 and 14 give an indication of what is going to happen, while Article 15 provides a specific indication of what is currently happening with the personal data.

However, controllers should avoid referring to the ex-ante information in those Articles. While in some cases the ex-ante information overlaps with the ex-post information exactly,[34] in most cases, factually correct information under Article 15(1)(a) to (h) GDPR requires a tailored response. Overall, the controller ensures that the information is factually accurate and up-to-date with respect to the data subject's request.[35]

"In the context of an access request under Art. 15, any information on the processing available to the controller may therefore have to be updated and tailored for the processing operations actually carried out with regard to the data subject making the request. Thus, referring to the wording of its privacy policy would not be a sufficient way for the controller to give information required by Art. 15(1)(a) to (h) and (2) unless the « tailored and updated » information is the same as the information provided at the beginning of the processing."

EDPB, ‘Guidelines 01/2022 on data subject rights - Right of access’, 28 March 2023 (Version 2.1), margin number 113.


(a) Purposes of the processing

Under Article 15(1)(a) GDPR, the controller must communicate the individual purposes of the processing pursued by the controller with regard to a given data subject. The ex-ante information obligation of the controller provides for a similar provision under Article 13(1)(c) and/or 14(1)(c) GDPR. Article 15(1)(a) GDPR requires that the same information about the purpose of the processing is provided, but from a factual ex-post perspective. Just like under Article 13(1)(c) GDPR, the information must be linked to the specific personal data that the controller grants access to.[36] A mere list of purposes is not sufficient. See more details under Article 13(1)(c) GDPR.

For example: The privacy policy mentions that certain personal data could be processed for various different purposes. However, the specific data subject's personal data was only found in the newsletter system of the controller. Therefore, the factually accurate information would be that the personal data was only used for direct marketing. To ensure that the information is useful, the controller must explain which data was used for which purpose.


However, unlike Article 13(1)(c) and 14(1)(c) GDPR, this provision does not contain an obligation to mention the legal basis tied to each single purpose.[37] A logical interpretation may be that the legislator would expect a controller not to change the legal basis or at least inform data subjects about such a change instantly under Article 13(1)(c) and/or 14(1)(c) GDPR. Since the information about the legal basis is necessary for the data subject in order to assess the lawfulness of the processing activity, the controller should always provide this information in addition to the purposes for which the data is processed.[38] This is particularly true if there is any divergence from the initial information provided under Article 13 or 14 GDPR, in order to ensure accurate and transparent information in line with Article 12 GDPR, as it would otherwise be impossible for the data subject to verify the lawfulness of a certain processing operation.[39]

In order to facilitate the exercise of data subjects’ rights in line with Article 12(2) GDPR, the controller is recommended to also inform the data subject as to the applicable legal basis for each processing operation or to indicate where they can find this information. In any event, the principle of transparent processing requires that the information on the legal bases of the processing be made available to the data subject in an accessible way (e.g. in a privacy notice).

EDPB, ‘Guidelines 01/2022 on data subject rights - Right of access’, 28 March 2023 (Version 2.1), margin number 114.


(b) Categories of personal data concerned

Just like the ex-ante information in Article 14(1)(d) GDPR, Article 15(1)(b) GDPR requires controllers to disclose the categories of personal data involved in the processing. While a data subject also receives access to the specific information that is processed, the information about the categories of personal data can provide the data subject with a transparent overview of the processed data. This can be particularly helpful in case of large processing activities involving vast quantities of the data subject's personal data.[40] Further, a data subject could also potentially limit its request to only a list of categories in order to grasp the basic functionality of a processing activity.[41]

For further details see commentary on the similar ex-ante provision Article 14(1)(d) GDPR.

(c) Recipients or categories of recipients

Similar to the ex-ante information in Article 13(1)(e) and 14(1)(e) GDPR, Article 15(1)(c) GDPR requires the controller to disclose information about "recipients or categories of recipients" to whom the personal data have been or will be disclosed. This provision does not give controllers a free choice whether to only disclose categories of recipients or specific recipients. The data subject can therefore request a list of the actual recipients, unless this is not available to the controller.[42]

"[...] Article 15(1)(c) of the GDPR must be interpreted as meaning that the data subject’s right of access to personal data concerning him or her, provided for by that provision, entails, where those data have been or will be disclosed to recipients, an obligation on the part of the controller to provide the data subject with the actual identity of those recipients, unless it is impossible to identify those recipients or the controller demonstrates that the data subject’s requests for access are manifestly unfounded or excessive within the meaning of Article 12(5) of the GDPR, in which cases the controller may indicate to the data subject only the categories of recipients in question."

CJEU - C-154/21 - Österreichische Post (Information regarding the recipients of personal data), margin number 51.

For example: In its privacy policy, a credit information agency affirms that the user's personal data can be passed on to “customers that access your information to obtain credit information”. This information is acceptable as a forward-looking statement in a privacy policy when it is unclear which customers may access the information in the future. However, once the controller knows from the log files or accounting information that three specific online shops have bought the data, the names of the recipients must be disclosed under Article 15(1)(c).


This interpretation is also strengthened by Article 19 GDPR, which requires the controller to “inform the data subject about [the specific] recipients if the data subject requests it”.[43]

It should also be pointed out that Articles 24 and 25 GDPR generally require the controller to implement measures enabling it to understand which personal data was provided to which recipient (e.g. in order to ensure that the data subject has a transparent and clear picture about the sharing of his or her personal data).

In addition to the specific recipients that received the data subject's personal data, the controller has to provide information on any potential future recipients.[44] See commentary on Article 13(1)(e) GDPR.

The information about the recipients of personal data does not include information about specific employees of the controller handling the data subject's data when they process personal data under the authority of that controller and in accordance with its instructions.[45] However, if employees process the data excessively for their own purposes they would constitute a recipient in the sense of Article 4(9) GDPR.[46] For the qualification of processors as recipients, see commentary on Article 13(1)(e) GDPR.

(d) Data retention period

Similar to the ex-ante information in Article 13(2)(a) and 14(2)(a) GDPR, Article 15(1)(d) GDPR requires the provision of information on the intended period of time for which personal data will be stored, whenever possible. If not possible, the criteria used to determine the period must be provided instead. See commentary on Article 13(2)(a) GDPR.

The information provided by the controller must be specific enough for the data subject to be aware of the duration of storage with regard to their personal data. In case it is not feasible to specify the deletion time, the storage duration and its starting point or triggering event (such as the end of a contract or expiration of a warranty period) should be specified.[47]

"The mere reference, for example to "deletion after expiry of the statutory storage periods" is not sufficient. Indications concerning data storage periods will have to focus on the specific data relating to the data subject. If the personal data of the data subject is subject to different deletion periods (e.g. because not all data is subject to legal storage obligations), the deletion periods shall be stated in relation to the respective processing operations and categories of data."

EDPB, ‘Guidelines 01/2022 on data subject rights - Right of access’, 28 March 2023 (Version 2.1), margin number 118.


(e) Existence of rights

Similar to the ex-ante information in Article 13(2)(b) and 14(2)(c) GDPR, under Article 15(1)(e) GDPR the controller is required to inform the data subjects about their right to rectification, erasure or restriction of processing and about their right to object to the processing of their personal data. This information should be tailored to the specific position of the data subject and refer to the ongoing processing operations. If a right is not applicable in the specific case (e.g. no right to object due to the legal basis of the processing activity) the information about that right should be avoided in order to provide the data subject with suitable information.[48]

It is unclear why some rights (withdrawal of consent, data portability) that are mentioned in Article 13 and 14 GDPR are not mentioned in Article 15 GDPR. If applicable, controllers should provide data subjects with information about these rights anyway in order to ensure a transparent processing activity and to facilitate data subjects' rights as required in Article 12 GDPR.[49]

(f) Right to lodge a complaint

Similar to the ex-ante information in Article 13(2)(d) and 14(2)(e) GDPR, Article 15(1)(f) GDPR requires controllers to inform the data subject about the possibility to lodge a complaint with "a supervisory authority". This information does not require any kind of personalisation, given that a data subject can file a complaint with any authority under Article 77 GDPR. See commentary on Article 13(2)(d) GDPR.

(g) Any available information on the source of the personal data

This provision is the ex-post counterpart to the controllers' information obligation in case personal data are not collected from the data subject in accordance with Article 14(2)(f) GDPR. This provision requires the data controller to inform the user about the actual individual sources from which their specific personal data have been collected, in case the personal data are not collected from the data subject directly. Just like under Article 14(2)(f) GDPR, a source may be a third party (like a data broker) or a technical source (like a camera). See commentary on Article 14(2)(f) GDPR.

"According to Art. 15(1)(g), “any available information” as to the source of the data has to be provided, where the personal data are not collected from the data subject. The degree of available information may change over time."

EDPB, ‘Guidelines 01/2022 on data subject rights - Right of access’, 28 March 2023 (Version 2.1), margin number 120.


Similar to the information about recipients (see above, Article 15(1)(c) GDPR), the information about data sources should enable the data subjects to enforce their rights under the GDPR against the controller as well as against the data source directly.[50]

The use of the wording "any available information" suggests a high degree of specificity required in relation to the sources from which the controller has obtained the data. Therefore, it is not always sufficient to provide information on the identity of the sources; the information should also include the means of collecting the data.[51] Further, the controller must explain which personal data is obtained from what source. A mere list of all sources, without explaining which specific personal data was obtained from each source, is not transparent and is considered insufficient.

In comparison to Article 14(2)(e) GDPR it is unclear how the additional element of "any available" information must be understood. In comparison with the requirement to take "appropriate measures" under Article 12(1) GDPR, it seems that Article 15(1)(c) GDPR goes further. "Any available" information would, for example, also include knowledge of employees, information that can be derived from business records (e.g. the sale of personal data) and the like. In any case, "any available information" should not be understood as meaning that the controller is not required to store information about the sources of personal data and can therefore easily dispose of this obligation by deleting the information.[52] Rather, the controller is generally obliged to make sure it has this information available.[53]

(h) Information about automated decision-making

Article 15(1)(h) GDPR provides for a right to information about:

  • the existence of automated decision-making, including profiling, referred to in Article 22 GDPR;
  • meaningful information about the logic involved; as well as
  • the significance and the envisaged consequences of such processing for the data subject.

This provision uses the same language as Article 13(2)(f) and 14(2)(g) GDPR. See commentary on Article 13(2)(f) for more details.

But just like with all other information under Article 15 GDPR, the information would have to relate to the specific processing of the data subject (i.e. the automated decision or profiling it was subjected to). Therefore, Article 15(1)(h) GDPR provides for the right to an explanation regarding a specific decision the data subject was subject to.[54]

"Article 15(1)(h) of the GDPR affords the data subject a genuine right to an explanation as to the functioning of the mechanism involved in automated decision-making of which that person was the subject and of the result of that decision.


[...]


‘meaningful information about the logic involved’ [...] must describe the procedure and principles actually applied in such a way that the data subject can understand which of his or her personal data have been used in the automated decision-making at issue, with the complexity of the operations to be carried out in the context of automated decision-making not being capable of relieving the controller of the duty to provide an explanation."

CJEU - C‑203/22 - Dun & Bradstreet Austria, margin number 57 and 61.


Furthermore, due to the direct reference to Article 22 GDPR, it can be concluded that, in the case of relevant automated decisions under Article 22(1) GDPR, the provision also covers explanations of any safeguards provided for in Article 22(3) GDPR.

"[I]n the specific context of the adoption of a decision based solely on automated processing, the main purpose of the data subject’s right to obtain the information provided for in Article 15(1)(h) of the GDPR is to enable him or her to effectively exercise the rights conferred on him or her by Article 22(3) of that regulation, namely the right to express his or her point of view on that decision and to contest it."

CJEU - C‑203/22 - Dun & Bradstreet Austria, margin number 55.


The information should at least include details on the procedure and principles actually applied in order to obtain a specific result.[55] The provision of the algorithm itself (i.e. a complex mathematical formula) will not satisfy the requirements set out in Article 12 GDPR, stipulating that the communication must be provided by means of relevant information and in a concise, transparent, intelligible and easily accessible form.[56]

(2) Right to receive information about the appropriate safeguards

Similar to the ex-ante information in Article 13(2)(f) and 14(2)(f) GDPR, Article 15(2) GDPR requires that in case the controller transfers data to a third country or international organisation, the data subject has the right to be informed of the appropriate safeguards pursuant to Article 46 GDPR relating to the transfer.

While it is argued that this obligation is not applicable in case of an adequacy decision under Article 45 GDPR or regarding other means mentioned in Article 13(2)(f) and 14(2)(f) GDPR, a controller should provide information on the specific transfer mechanism used similarly to the initial information obligation.[57]

(3) Right to receive a copy of the personal data

Article 15(3) GDPR constitutes the right to receive a copy of all personal data undergoing processing. This obligation is to be understood not as a separate right, but as the modality of how the personal data mentioned in Article 15(1) GDPR has to be provided to the data subject.[58]

Such a requirement to provide a copy strengthens the right of access under Article 15(1) GDPR and means that the information on the personal data concerning the person who makes the request is provided to the data subject not just as a report by the controller, but as a "faithful reproduction" of the original.[59] It also allows the data subject to retain all personal data provided, keep it and come back to it.

"The obligation to provide a copy serves the objectives of the right of access to allow the data subject to be aware of, and verify the lawfulness of the processing"

EDPB, ‘Guidelines 01/2022 on data subject rights - Right of access’, 28 March 2023 (Version 2.1), margin number 24.


Personal data undergoing processing

The scope of the provision reflects the definition of personal data provided for in Article 4(1) GDPR and has the same meaning as in Article 15(1) GDPR.[60]

Copy

The definition of "copy" was debated in legal doctrine and jurisprudence.[61] In summary, on the one hand, it was argued that a copy is a document, whether analog or digital, created by extracting information from other documents or systems in use (such as email clients, meeting minutes, or data system files related to the data subject). On the other hand, it was claimed that a copy should, where possible, be an exact reproduction of the original document itself (such as an email or meeting minutes).[62] The matter has now largely been clarified by the CJEU.

"15(3) of the GDPR must be interpreted as meaning that the right to obtain from the controller a copy of the personal data undergoing processing means that the data subject must be given a faithful and intelligible reproduction of all those data. That right entails the right to obtain copies of extracts from documents or even entire documents or extracts from databases which contain, inter alia, those data, if the provision of such a copy is essential in order to enable the data subject to exercise effectively the rights conferred on him or her by that regulation, bearing in mind that account must be taken, in that regard, of the rights and freedoms of others."

CJEU - C-487/21 - Österreichische Datenschutzbehörde and CRIF, margin number 45.


The CJEU shows a certain flexibility in the interpretation of the notion of "copy". A copy can be described as a "faithful reproduction or transcription of an original" as opposed to a "purely general description" of data. Therefore, in principle, Article 15(3) covers extracts from documents or even entire documents or extracts from databases.[63] However, due to the teleological interpretation adopted by the court, what a controller is obliged to provide ultimately depends on the principle of effectiveness.

It is crucial that the data subject is given the information in a durable, tangible form (such as text or electronic format) that can be stored and retrieved for future reference.[64]

Especially when personal data is contained in documents that also contain other matters, such as a list of "low performers" or an email with information about the data subject, the context of the document may be more relevant than the "raw" personal data (e.g. only the name contained in the document). In light of Article 12 GDPR, the context should be provided as far as possible, to ensure a transparent and accurate response to an access request.

The controller can, although is not necessarily obliged to, provide the documents which contain personal data about the data subjects making the request in their original form. [...] This, however, does not mean that the data subject always has the right to obtain a copy of the documents containing the personal data, but an unaltered copy of the personal data being processed in these documents.

EDPB, ‘Guidelines 01/2022 on data subject rights - Right of access’, 28 March 2023 (Version 2.1), margin number 152.


Regardless of the manner in which the personal data is provided by the controller, whether through the original documents or a compilation of the data, the information should still adhere to the transparency standards specified in Article 12 GDPR. In certain situations, compiling and/or extracting the data in a comprehensible manner may be a means of complying with these standards. On the other hand, in some cases, it may be more effective to provide a copy of the actual document containing the personal data to facilitate better understanding. Therefore, the appropriate form of information provision must be determined on a case-by-case basis.[65]

In some cases, the personal data itself sets the requirements in what format the personal data should be provided. For example, when the personal data constitutes handwritten information by the data subject, the data subject may need to be provided with a photocopy of that handwritten information, as the handwriting itself is personal data. That could especially be the case when the handwriting is something that matters to the processing, e.g. scripture analysis. The same applies in general for audio recordings because the voice of the data subject itself is personal data. In some cases, however, access can be given by providing a transcription of the conversation, for example, if agreed upon between the data subject and the controller.

EDPB, ‘Guidelines 01/2022 on data subject rights - Right of access’, 28 March 2023 (Version 2.0), margin number 155.


Further copies

The second sentence of Article 15(3) GDPR regulates cases where the data subject requests an additional copy of the same personal data.[66] In such circumstances, the controller may charge a reasonable fee based on the costs of administration.[67]

"At the same time, the fee should be appropriate, taking into account the importance of the right of access as a fundamental right of the data subject. The controller should not pass on overhead costs or other general expenses to the data subject, but should focus on the specific costs that were caused by providing the additional copy. When organising this process the controller should deploy its human and material resources efficiently in order to keep the costs of the copy low, including if the controller involves external support.


In case the controller decides to charge a fee, the controller should indicate in advance that a fee will be charged and – as accurately as is possible - the amount of costs it is planning to charge to the data subject in order to give the data subject the possibility to determine whether to maintain or to withdraw the request."

EDPB, ‘Guidelines 01/2022 on data subject rights - Right of access’, 28 March 2023 (Version 2.1), margin number 30 et seq.


It should be noted that this regulates a different case than Article 12(5) GDPR, which provides for the controller's option to charge a reasonable fee in case of manifestly unfounded or excessive requests. Article 15(3) GDPR allows the controller to charge a reasonable fee for further copies even if these requirements in Article 12(5) GDPR are not met.[68]

A further copy should not be confused with a new request under Article 15 GDPR for personal data. Rather, this case handles the request of further copies of the same copy of personal data already provided by the controller.[69]

Request by electronic means

The GDPR does not impose any requirements on data subjects regarding the form of the request for access to the personal data. Regardless, under Article 15(3), third sentence, GDPR, if the data subject submits an access request electronically, the "information" should be provided in a common electronic format, unless the data subject specifies a different format. This also implies that in the case of a paper application, copies must be made available in paper form, if requested by the data subject. Ultimately, the data subject should determine the format of the copies.[70]

When determining the commonly used electronic form to provide information to a data subject, the controller should not rely solely on its own format but rather make an objective assessment. The assessment should consider whether there are specific formats commonly used in the controller's area of operation or in the given context. If there are no such formats, open formats set in an international standard such as ISO should generally be considered. However, the EDPB does not exclude the possibility of other formats being commonly used. When making this assessment, it is important to consider how easily the data subject can access the information in the provided format. The controller should provide information to the data subject on how to access a file in a specific format, including any programs or software that could be used to make it more accessible. The data subject should not be required to purchase software to access the information.[71] If in doubt, a controller can ask the data subject which formats they can read. Most software also allows users to export personal data in different formats or to convert the file into multiple formats.

For example: Typical formats for a copy that can be opened by freely available reader software are CSV, PDF, HTML, OpenDocument file, Microsoft Word or Excel files. In certain areas, other formats may be common too. A technically advanced data subject may prefer an XML or JSON format for raw data.


(4) Limitations of the right to a copy

The right to obtain a copy under Article 15(3) GDPR is constrained by Article 15(4) GDPR which states that the right to obtain a copy of personal data undergoing processing shall not adversely affect the rights and freedoms of others. The restriction applies to the copy of personal data processed by the controller and not to the information the controller has to disclose in accordance with Article 15(1)(a)-(h) GDPR.[72]

Common mistake: Many readers think that the limitations in Article 15(4) GDPR also cover the information that must be provided under Article 15(1) and (2) GDPR. This is not accurate. Article 15(4) only refers to the right to obtain a copy in Article 15(3) GDPR.

However, restrictions on the right of access could also be provided by Union or Member State law in accordance with Article 23(1) GDPR (see below).[73] For example, Article 15 GDPR might be restricted in order to protect trade secrets under Directive 2016/943.[74]

Another exemption from the right under Article 15 GDPR, for manifestly unfounded or excessive requests, can be found in Article 12(5) GDPR (see commentary there).

Interpretation in the light of the Charter

Article 15(4) GDPR is drafted in rather absolute terms: "shall not affect the rights and freedoms of others". However, the right to access is a fundamental right under Article 8(2) CFR and may only be limited in accordance with Article 52(1) CFR, which requires that any limitation must be "proportionate". Article 15(4) GDPR must therefore be interpreted in the light of the Charter, which leads to the conclusion that conflicting rights must be "balanced" against the right to access on a case-by-case basis.

"[I]n the event of conflict between, on the one hand, exercising the right of full and complete access to personal data and, on the other hand, the rights and freedoms of others, a balance will have to be struck between the rights in question. Wherever possible, means of communicating personal data that do not infringe the rights or freedoms of others should be chosen, bearing in mind that, as follows from recital 63 of the GDPR, ‘the result of those considerations should not be a refusal to provide all information to the data subject’."

CJEU - C-487/21 - Österreichische Datenschutzbehörde and CRIF, margin number 44.


Rights and freedoms of others

Under Article 15(4) GDPR, the right to obtain a copy shall not adversely affect the rights and freedoms of others. The specific rights and freedoms are not named. According to Recital 63 such conflicting rights include the right to data protection of others or trade secrets or intellectual property.[75]

However, as affirmed by the Recital, the fact that conflicting rights are involved cannot be an excuse to deny the right of access. The controller must instead find less intrusive options to provide as much information as possible, while still protecting the rights of others. Usually other information can be blackened, redacted or otherwise protected.

"[I]n the event of conflict between, on the one hand, exercising the right of full and complete access to personal data and, on the other hand, the rights and freedoms of others, a balance will have to be struck between the rights in question. Wherever possible, means of communicating personal data that do not infringe the rights or freedoms of others should be chosen, bearing in mind that, as follows from recital 63 of the GDPR, ‘the result of those considerations should not be a refusal to provide all information to the data subject’."

CJEU - C-487/21 - F.F. v DSB, margin number 44.

For example: If camera footage recorded more than one person, the right to access may be granted. The controller must anonymise any other data subjects in the footage.[76]

Rights and freedoms of the controller

Article 15(4) GDPR only mentions the rights and freedoms of "others". This includes the rights and freedoms of the controller.

"'Others' means any other person or entity apart from the data subject who is exercising their right of access. Hence, the rights and freedoms of the controller or processor (in keeping trade secrets and intellectual property confidential for example) might be considered. If the EU legislator wanted to exclude controllers or processors rights and freedoms, it would have used the term 'third party', which is defined in Art. 4(10) GDPR."

EDPB, ‘Guidelines 01/2022 on data subject rights - Right of access’, 28 March 2023 (Version 2.1), margin number 171.


Other limitations of Article 15(1) to (3)

Article 15(1) to (3) GDPR may also be limited by Article 12(5) GDPR in the case of "manifestly unfounded or excessive requests" (see commentary on Article 12(5) GDPR). Furthermore, Union or Member State law may restrict the right of access in accordance with Article 23 GDPR. Derogations regarding the processing of personal data for scientific and historical research, statistical or archiving purposes in the public interest can be based on Article 89 GDPR, and derogations for processing carried out for journalistic purposes and academic, artistic or literary expression on Article 85 GDPR.[77]

Decisions

→ You can find all related decisions in Category:Article 15 GDPR

References

  1. Compare Knyrim, in Ehmann, Selmayr, DS-GVO, Article 15 GDPR, margin number 4 (C.H. Beck 2024, 3rd Edition).
  2. Ehmann, in Ehmann, Selmayr, DS-GVO, Article 15 GDPR, margin number 1 (C.H. Beck 2024, 3rd Edition).
  3. Bäcker, in Kühling, Buchner, DS-GVO BDSG, Article 15 GDPR, margin number 1 (C.H. Beck 2024, 4th Edition).
  4. Bäcker, in Kühling, Buchner, DS-GVO BDSG, Article 15 GDPR, margin number 1 (C.H. Beck 2024, 4th Edition).
  5. Compare Mester, in Taeger, Gabel, DSGVO - BDSG - TTSG, Article 15 GDPR, margin number 1 (C.H. Beck 2022, 4th Edition).
  6. Ehmann, in Ehmann, Selmayr, Datenschutz-Grundverordnung, Article 15 GDPR, margin number 13 (C.H. Beck 2024, 3rd Edition); Mester, in Taeger, Gabel, DSGVO - BDSG - TTSG, Article 15 GDPR, margin number 1 (C.H. Beck 2022, 4th Edition).
  7. CJEU, Case C-553/07, College van burgemeester en wethouders v. Meerijkeboer, 7 May 2009, margin numbers 51–52 (available here). See also, CJEU, Joined Cases C-141/12 and C-372/12, YS and Others, 17 July 2014, margin number 57 (available here).
  8. As the EDPB puts it, "Given the broad aim of the right of access, the aim of the right of access is not suitable to be analysed as a precondition for the exercise of the right of access by the controller as part of its assessment of access requests. Thus, controllers should not assess “why” the data subject is requesting access, but only “what” the data subject is requesting (see section 3 on the analysis of the request) and whether they hold personal data relating to that individual (see section 4). Therefore, for example, the controller should not deny access on the grounds or the suspicion that the requested data could be used by the data subject to defend themselves in court in the event of a dismissal or a commercial dispute with the controller". See, EDPB, ‘Guidelines 01/2022 on data subject rights - Right of access’, 28 March 2023 (Version 2.0), p. 10 (available here).
  9. CJEU, Case C-307/22, FT and DW, 26 October 2023, margin number 29 et seqq. (available here).
  10. See https://en.wikipedia.org/wiki/Faceless_(2007_film)
  11. Compare Bäcker, in Kühling, Buchner, DS-GVO BDSG, Article 15 GDPR, margin numbers 42e (C.H. Beck 2024, 4th Edition).
  12. Compare Ehmann, in Ehmann, Selmayr, DS-GVO, Article 15 GDPR, margin numbers 18 (C.H. Beck 2024, 3rd Edition).
  13. EDPB, ‘Guidelines 01/2022 on data subject rights - Right of access’, 28 March 2023 (Version 2.1), margin number 35 (available here).
  14. EDPB, '1/2024 on processing of personal data based on Article 6(1)(f) GDPR', 8 October 2024 (Version 1), margin number 70 (available here).
  15. EDPB, ‘Guidelines 01/2022 on data subject rights - Right of access’, 28 March 2023 (Version 2.0), margin number 50 (available here).
  16. Compare EDPB, ‘Guidelines 01/2022 on data subject rights - Right of access’, 28 March 2023 (Version 2.0), margin number 50 (available here).
  17. EDPB, ‘Guidelines 01/2022 on data subject rights - Right of access’, 28 March 2023 (Version 2.0), margin number 51 (available here); see also Zanfir-Fortuna, in Kuner, Bygrave, Docksey, The EU General Data Protection Regulation (GDPR): A Commentary, Article 15 GDPR, p. 465 (Oxford University Press, Oxford, 2020). This approach is supported by, among others, the text of Recital 58 GDPR, which emphasises the importance of this right in cases such as online advertising, where the data subject may not even know what types of processing activities are carried out due to the technological complexity of the practice and the proliferation of actors.
  18. EDPB, ‘Guidelines 01/2022 on data subject rights - Right of access’, 28 March 2023 (Version 2.0), margin number 51 (available here).
  19. For example, the District Court of the province North Holland (Netherlands) has held that where a data subject makes a non-specific, generally formulated access request to a data controller processing a large quantity of personal data, it is reasonable to expect the data controller to perform a search for the "most common" personal data (such as name, address, and social security number), in its "most common" data files and/or computer systems or applications. See, Rechtbank Noord-Holland, 18 June 2021, AWB - 20 _ 4638 (available here).
  20. EDPB, ‘Guidelines 01/2022 on data subject rights - Right of access’, 28 March 2023, margin number 125 (available here).
  21. EDPB, ‘Guidelines 01/2022 on data subject rights - Right of access’, 28 March 2023 (Version 2.1), margin number 18 (available here).
  22. EDPB, ‘Guidelines 01/2022 on data subject rights - Right of access’, 28 March 2023 (Version 2.1), margin number 19 (available here).
  23. EDPB, ‘Guidelines 01/2022 on data subject rights - Right of access’, 28 March 2023 (Version 2.1), margin number 24 (available here).
  24. EDPB, ‘Guidelines 01/2022 on data subject rights - Right of access’, 28 March 2023 (Version 2.1), margin number 133 (available here).
  25. EDPB, ‘Guidelines 01/2022 on data subject rights - Right of access’, 28 March 2023 (Version 2.1), margin number 92 (available here).
  26. EDPB, ‘Guidelines 01/2022 on data subject rights - Right of access’, 28 March 2023 (Version 2.0), margin number 97 (available here).
  27. Haidinger, in Knyrim, DatKomm, Article 15 GDPR, margin numbers 31 (Manz 2024).
  28. Compare Haidinger, in Knyrim, DatKomm, Article 15 GDPR, margin numbers 33 (Manz 2024).
  29. Haidinger, in Knyrim, DatKomm, Article 15 GDPR, margin numbers 27 (Manz 2024).
  30. Haidinger, in Knyrim, DatKomm, Article 17 GDPR, margin numbers 18 (Manz 2024); for a more nuanced view regarding very data intensive processing activities see Haidinger, in Knyrim, DatKomm, Article 15 GDPR, margin numbers 27 (Manz 2024).
  31. Zanfir-Fortuna, in Kuner, Bygrave, Docksey, The EU General Data Protection Regulation (GDPR): A Commentary, Article 15 GDPR, p. 460 (Oxford University Press, Oxford, 2020); see Commentary on Article 12(2) and (6) GDPR for more details.
  32. Agencia Española de Protección de Datos, 9 April 2021, R/00232/2021 (available here).
  33. Haidinger, in Knyrim, DatKomm, Article 15 GDPR, margin numbers 76 (Manz 2024); Data Protection Commission, 16 December 2020, Groupon International Limited (available here).
  34. For instance, the information on the right to lodge a complaint under Article 15(1)(f) GDPR does not differ from the one mandated under Article 13(2)(d) GDPR.
  35. EDPB, ‘Guidelines 01/2022 on data subject rights - Right of access’, 28 March 2023 (Version 2.1), margin number 113 (available here).
  36. Bäcker, in Kühling, Buchner, DS-GVO BDSG, Article 15 GDPR, margin numbers 12 (C.H. Beck 2024, 4th Edition).
  37. Bäcker, in Kühling, Buchner, DS-GVO BDSG, Article 15 GDPR, margin numbers 13 (C.H. Beck 2024, 4th Edition).
  38. Dix, in Simitis, Hornung, Spiecker gen. Döhmann, Datenschutzrecht, Article 15 GDPR, margin numbers 18 (NOMOS 2025, 2nd Edition).
  39. Compare Bäcker, in Kühling, Buchner, DS-GVO BDSG, Article 15 GDPR, margin numbers 13 (C.H. Beck 2024, 4th Edition) arguing that data subjects can request this information when they can show a legitimate interest.
  40. Bäcker, in Kühling, Buchner, DS-GVO BDSG, Article 15 GDPR, margin numbers 14 (C.H. Beck 2024, 4th Edition).
  41. Compare Dix, in Simitis, Hornung, Spiecker gen. Döhmann, Datenschutzrecht, Article 15 GDPR, margin numbers 14 (NOMOS 2025, 2nd Edition).
  42. EDPB, ‘Guidelines 01/2022 on data subject rights - Right of access’, 28 March 2023 (Version 2.0), margin number 117 (available here).
  43. Under Article 19 GDPR, the controller's obligation to notify the various recipients is due unless it is impossible or requires a disproportionate effort. This clause, however, does not refer to the obligation to inform the user about the identity of the recipients (final sentence). It follows that the controller is always obliged to provide such information (and therefore, pursuant to Article 24 GDPR, to implement systems with appropriate technical and organisational measures to achieve this).
  44. Dix, in Simitis, Hornung, Spiecker gen. Döhmann, Datenschutzrecht, Article 15 GDPR, margin numbers 20 (NOMOS 2025, 2nd Edition).
  45. CJEU, Case C-579/21, Pankki S, margin number 73 (available here).
  46. Dix, in Simitis, Hornung, Spiecker gen. Döhmann, Datenschutzrecht, Article 15 GDPR, margin numbers 20 (NOMOS 2025, 2nd Edition).
  47. EDPB, ‘Guidelines 01/2022 on data subject rights - Right of access’, 28 March 2023 (Version 2.1), margin number 118 (available here).
  48. EDPB, ‘Guidelines 01/2022 on data subject rights - Right of access’, 28 March 2023 (Version 2.1), margin number 119 (available here).
  49. Dix, in Simitis, Hornung, Spiecker gen. Döhmann, Datenschutzrecht, Article 15 GDPR, margin numbers 23 (NOMOS 2025, 2nd Edition); opposing opinion Bäcker, in Kühling, Buchner, DS-GVO BDSG, Article 15 GDPR, margin numbers 24 (C.H. Beck 2024, 4th Edition).
  50. Dix, in Simitis, Hornung, Spiecker gen. Döhmann, Datenschutzrecht, Article 15 GDPR, margin numbers 24 (NOMOS 2025, 2nd Edition).
  51. Dix, in Simitis, Hornung, Spiecker gen. Döhmann, Datenschutzrecht, Article 15 GDPR, margin numbers 24 (NOMOS 2025, 2nd Edition).
  52. Dix, in Simitis, Hornung, Spiecker gen. Döhmann, Datenschutzrecht, Article 15 GDPR, margin numbers 24 (NOMOS 2025, 2nd Edition).
  53. Compare Bäcker, in Kühling, Buchner, DS-GVO BDSG, Article 15 GDPR, margin numbers 26 (C.H. Beck 2024, 4th Edition).
  54. CJEU, Case C-203/22, Dun & Bradstreet Austria, 27 February 2025, margin number 57 et seq.
  55. CJEU, Case C-203/22, Dun & Bradstreet Austria, 27 February 2025, margin number 58.
  56. CJEU, Case C-203/22, Dun & Bradstreet Austria, 27 February 2025, margin number 58 et seq.
  57. Haidinger, in Knyrim, DatKomm, Article 15 GDPR, margin numbers 41 (Manz 2024); compare also Dix, in Simitis, Hornung, Spiecker gen. Döhmann, Datenschutzrecht, Article 15 GDPR, margin numbers 27 (NOMOS 2025, 2nd Edition).
  58. EDPB, ‘Guidelines 01/2022 on data subject rights - Right of access’, 28 March 2023 (Version 2.1), margin number 23 (available here).
  59. CJEU, Case C-487/21, 4 May 2023, margin number 21 (available here); EDPB, ‘Guidelines 01/2022 on data subject rights - Right of access’, 28 March 2023 (Version 2.0), margin number 23 (available here).
  60. EDPB, ‘Guidelines 01/2022 on data subject rights - Right of access’, 28 March 2023 (Version 2.1), margin number 23 (available here).
  61. For a detailed overview of the different perspectives, we suggest Haidinger, in Knyrim, DatKomm, Article 15 GDPR, margin numbers 35-36 (Manz 2024).
  62. In the case where the data is originally contained in an electronic system, the copy will always come from an extraction process.
  63. CJEU, Case C-487/21, CRIF GmbH, 4 May 2023, margin number 21 (available here).
  64. See commentary on Article 12 GDPR on formal requirements.
  65. EDPB, ‘Guidelines 01/2022 on data subject rights - Right of access’, 28 March 2023 (Version 2.0), margin number 153 (available here).
  66. Dix, in Simitis, Hornung, Spiecker gen. Döhmann, Datenschutzrecht, Article 15 GDPR, margin numbers 29 (NOMOS 2025, 2nd Edition).
  67. Dix, in Simitis, Hornung, Spiecker gen. Döhmann, Datenschutzrecht, Article 15 GDPR, margin numbers 30 (NOMOS 2025, 2nd Edition).
  68. Dix, in Simitis, Hornung, Spiecker gen. Döhmann, Datenschutzrecht, Article 15 GDPR, margin numbers 30 (NOMOS 2025, 2nd Edition).
  69. Dix, in Simitis, Hornung, Spiecker gen. Döhmann, Datenschutzrecht, Article 15 GDPR, margin numbers 30 (NOMOS 2025, 2nd Edition).
  70. Ehmann, in Ehmann, Selmayr, DS-GVO, Article 15 GDPR, margin numbers 68 (C.H. Beck 2024, 3rd Edition).
  71. EDPB, ‘Guidelines 01/2022 on data subject rights - Right of access’, 28 March 2023 (Version 2.0), margin number 149 (available here).
  72. EDPB, ‘Guidelines 01/2022 on data subject rights - Right of access’, 28 March 2023 (Version 2.1), margin number 169 (available here); Bäcker, in Kühling, Buchner, DS-GVO BDSG, Article 15 GDPR, margin numbers 33 (C.H. Beck 2024, 4th Edition); opposing opinion Haidinger, in Knyrim, DatKomm, Article 15 GDPR, margin numbers 49 (Manz 2024).
  73. Bäcker, in Kühling, Buchner, DS-GVO BDSG, Article 15 GDPR, margin numbers 33 et seqq (C.H. Beck 2024, 4th Edition).
  74. Compare CJEU, Case C-203/22, Dun & Bradstreet, 27 February 2025, margin number 67 et seqq. (available here).
  75. See Recital 63 GDPR.
  76. Commission Nationale pour la Protection des Données, 29 June 2021, Délibération n° 24FR/2021 (available here).
  77. Dix, in Simitis, Hornung, Spiecker gen. Döhmann, Datenschutzrecht, Article 15 GDPR, margin numbers 35 (NOMOS 2025, 2nd Edition).