
The right of access: an essential lever for understanding and controlling your personal data

Every day, we share a large amount of personal information: when browsing a website, filling out an online form, creating an account on an online service, or simply exchanging emails in a professional setting. This data is collected, stored, sometimes cross-referenced with other sources, and then used for various purposes: marketing, HR data processing, security, statistics, or behavioral analysis.

In this context, where the circulation of personal data has become widespread, the General Data Protection Regulation (GDPR) strengthens the rights of data subjects by placing a fundamental right at the heart of its logic: the right of access. This right allows any individual to know whether their data is being processed by an organization, to understand for what purpose, how and for how long, to know the legal basis for the processing, and to obtain a copy of it.

The right of access is not a mere formality. It is often the gateway to exercising the other rights provided for by the GDPR, such as the right to rectification, erasure, portability, or the right to object. By exercising this right, a person can not only verify the lawfulness of the processing, but also detect any errors, abuses, or disproportionate processing. This applies to client files, cookie-related data, employee records, business emails, and the processing of background information in certain sensitive sectors.

This right applies to everyone: citizens, consumers, employees, users of public services, and private-sector clients. It aims to restore balance between the individuals concerned and those responsible for processing their data, by giving individuals back control over their personal data.

For organizations, complying with the right of access is a legal, technical, and organizational challenge. It involves implementing clear procedures, monitoring tools, effective internal coordination, and sometimes a detailed analysis of the content of requests. Responding to an access request is not simply a matter of sending a series of documents: it involves communicating the personal data concerned in a legible, structured manner, in a way that guarantees the identity of the requester has been verified, within a timeframe strictly defined by regulations.

Finally, poor management of this right (no response, incomplete response, or unjustified refusal) can lead to significant risks: complaints to the CNIL (National Commission for Information Technology and Civil Liberties, the French supervisory authority), financial penalties, loss of user confidence, or damage to reputation. The right of access, if misunderstood or poorly managed, can become a point of vulnerability for the organization.

In this article, we offer a clear and comprehensive overview of the right of access, following a structured outline: its fundamental principles, the practicalities of exercising it, the obligations of organizations, cases of negative responses, the limits provided for by law, and the risks of non-compliance. A specific focus will also be provided for employees, who represent a frequent but often poorly treated case.

What does Article 15 of the GDPR say about the right of access to personal data?

Article 15 of the GDPR provides that every data subject has the right to obtain from the controller:

  • Confirmation that personal data concerning them is or is not being processed;
  • Where this is the case, access to said data;
  • As well as the following information:
    • The purposes of the processing;
    • The categories of personal data concerned;
    • The recipients or categories of recipients to whom the data have been or will be disclosed, in particular if they are located in third countries or are international organizations (cases of transfer);
    • The data retention period or, where this is not possible, the criteria used to determine it;
    • The existence of the right to request the rectification or erasure of data, or a restriction on processing, or to object to it;
    • The right to lodge a complaint with a supervisory authority (in France, the CNIL);
    • Where the data has not been collected directly from the individual, any available information as to its source;
    • The existence of automated decision-making, including profiling, and, at least in those cases, meaningful information about the logic involved, as well as the significance and the envisaged consequences of such processing for the data subject.

This right applies regardless of the medium or context: client file, HR file, marketing file, data collected via a cookie manager, etc.

Right of access and right to copy: a single procedure

The right of access is often perceived as simply a right to be informed, while the right to a copy is sometimes considered a right in its own right. In reality, this is not the case: the GDPR, in Article 15, explicitly states that the right to receive a copy of personal data is an integral part of the right of access.

These are therefore not two separate rights, but rather a single right with several components. The data subject must be able to obtain both:

  • a clear description of the processing,
  • and a copy of their data, in an understandable and accessible format.

This copy allows the individual to verify exactly what information is being collected, stored, and processed about them. It is an essential step in exercising other rights, such as the right to rectification or erasure, if necessary.

Response to access requests: conditions and deadlines

Unlike other rights provided for by the GDPR (such as rectification or erasure), the right of access requires a specific formal response, as defined by Article 15. This means that the written response must contain a certain amount of mandatory information: the purposes of the processing, the recipients, the data retention period, the origin of the data, the existence of automated decision-making, etc.

It is therefore not sufficient to send a raw copy of the data: the form, clarity, and content of the response are legally regulated. Any failure to comply with this formal requirement may be considered an incomplete response.

At Dipeeo, our clients are sometimes surprised to have to inform the data subject in their response that they can file a complaint with the CNIL. This may seem counterintuitive, especially when you think you have responded correctly. However, this statement is legally required. It is part of the information required by Article 15, detailed above, and must be included in any response to an access request.

In the event of refusal, the organization must justify its decision in writing, inform the data subject of their right to lodge a complaint with the CNIL, and direct them to the available remedies.

Everything must be documented in a request log.

👉 For more information on how to effectively manage all requests related to individual rights (access, rectification, deletion, etc.), please refer to our article dedicated to GDPR rights management.


Cases of refusal of access rights: in which cases can a data controller say no?

The GDPR provides for certain exceptions to the right of access. These limitations must be interpreted strictly and documented when applied.

  • Deleted or no longer retained data: If the data has been deleted or is no longer retained (in accordance with the data retention policy), it can no longer be disclosed. The organization must explain this clearly.
  • Non-personal data: The right of access applies only to personal data. It does not apply to anonymous internal analyses, statistics, or documents that do not allow a person to be identified directly or indirectly.
  • Violation of the rights and freedoms of others: An organization may restrict access to certain data if its disclosure would violate the rights of a third party: professional secrecy, privacy, intellectual property, system security, etc. In such cases, a partial or redacted response may be considered.
  • Application to work-related data and emails: An employee may exercise their right to access work-related data concerning them, including emails in which they are mentioned. However, emails for exclusively professional or collective use may be subject to restrictions, particularly if their disclosure could harm other individuals or the functioning of the company.
  • Unfounded or manifestly excessive requests: A request may be rejected or subject to a fee if it is:
    • Repetitive and unfounded;
    • Abusive, particularly in terms of volume or frequency;
    • Made in bad faith or for the purpose of causing harm.

In the event of a negative response, the refusal must always be justified in writing, explaining the reasons and the possible avenues for appeal, in particular to the CNIL.

Risks of non-compliance with the right of access: what the CNIL says

Ignoring a request for access, responding after the deadline, or providing an incomplete or poorly structured response can expose an organization to heavy penalties and multiple risks.

Administrative penalties

The supervisory authority (in France, the CNIL) can be contacted by the data subject via a complaint. In the event of a proven breach, it may:

  • Send a formal warning or notice to the organization;
  • Order the organization to satisfy the request within a specified time frame;
  • Impose a financial penalty of up to €20 million or 4% of global annual turnover, depending on the severity and nature of the violation;
  • Publish the sanction, which may damage the reputation of the entity concerned.

Reputational risks

Beyond official penalties, poor management of access rights often leads to:

  • A loss of trust on the part of users, clients, and employees;
  • Damage to brand image;
  • Negative amplification on social media or in the media in the event of a public complaint.

Organizational failures

Requests for access rights are often the first to be exercised. Failure to respond to them in the correct manner, within the required time frame, or with sufficient rigor often reveals a lack of internal preparation:

  • Lack of clear policy;
  • Untrained teams;
  • No traceability procedures or tools;
  • Difficulty centralizing data from different information systems or networks.

That is why it is essential to put a structured system in place. This includes:

  • A register of requests;
  • A single point of contact (DPO or internal representative);
  • A clear policy on handling and responding to incidents;
  • Accessible and up-to-date documentation.

Anticipating these issues not only protects you from a legal standpoint, but also demonstrates a genuine commitment to data protection.

In summary: the right of access, a requirement for transparency and lawfulness

The right of access is a powerful verification tool for individuals and a duty of transparency for organizations. It reinforces the lawfulness of processing and trust in digital systems.

For companies, respecting this right is not just a matter of compliance: it is an ethical commitment to the people whose data they process, whether they are clients, employees, or users of online services.

Samia Rahammia

IT and Data Lawyer and Marketing Project Manager