Article 15

Right of access by the data subject

1.   The data subject shall have the right to obtain from the controller confirmation as to whether or not personal data concerning him or her are being processed, and, where that is the case, access to the personal data and the following information:


the purposes of the processing;


the categories of personal data concerned;


the recipients or categories of recipient to whom the personal data have been or will be disclosed, in particular recipients in third countries or international organisations;


where possible, the envisaged period for which the personal data will be stored, or, if not possible, the criteria used to determine that period;


the existence of the right to request from the controller rectification or erasure of personal data or restriction of processing of personal data concerning the data subject or to object to such processing;


the right to lodge a complaint with a supervisory authority;


where the personal data are not collected from the data subject, any available information as to their source;


the existence of automated decision-making, including profiling, referred to in Article 22(1) and (4) and, at least in those cases, meaningful information about the logic involved, as well as the significance and the envisaged consequences of such processing for the data subject.

2.   Where personal data are transferred to a third country or to an international organisation, the data subject shall have the right to be informed of the appropriate safeguards pursuant to Article 46 relating to the transfer.

3.   The controller shall provide a copy of the personal data undergoing processing. For any further copies requested by the data subject, the controller may charge a reasonable fee based on administrative costs. Where the data subject makes the request by electronic means, and unless otherwise requested by the data subject, the information shall be provided in a commonly used electronic form.

4.   The right to obtain a copy referred to in paragraph 3 shall not adversely affect the rights and freedoms of others.

What does it mean?

Yes, if an individual inquires about whether their data is being processed, this question must be answered. Therefore, even if an organization is not processing an individual’s data, that person has the right to receive confirmation.

Organizations must disclose the following: the purposes of processing (why the data is being used), the categories of data collected (e.g., contact information, browsing behavior), who the data might be shared with (especially if sent to third countries or international organizations), and how long the data is intended to be stored (or the factors used to determine the storage duration).

Organizations are required to inform individuals about their rights.

These include:

  • the right to request correction of inaccurate personal data (rectification),
  • the right to request deletion of personal data under certain conditions (erasure or ‘right to be forgotten’),
  • the right to request limitations on data usage (restriction of processing),
  • the right to object to specific types of data processing, and
  • the right to file a complaint with a data protection supervisory authority.

If an international transfer of personal data is taking place and it is not based on an adequacy decision (Article 45(3)), then organizations must inform individuals about the appropriate safeguards in place, according to Article 46 of the GDPR, to protect their data during the transfer.

On request, an organization is required to provide a copy of the personal data it is processing to the individual whose data is being processed.

The organisation may charge a reasonable fee for additional copies. Electronic copies should be delivered in a common format unless the individual asks otherwise.

Yes. An individual’s request for their data cannot infringe on the rights and freedoms of others.

Awareness Training

Ensure that your entire company is equipped with the necessary awareness training on the basics of GDPR and IT security.