Subject access requests

In brief

The right to access and obtain data contained in the Regulation is similar to that contained in the current EU Data Protection Directive (95/46/EC). The Regulation adds to the list of information which must be provided to a data subject in relation to their data. There are also enhancements in relation to process, such as specific time limits, and a requirement to provide data in electronic form (if requested electronically).


The current EU Data Protection Directive states that Member States must guarantee every data subject the right to obtain from the data controller:

  • confirmation as to whether or not personal data is being processed and information as to the purposes of the processing, the categories of personal data concerned, and the recipients or categories of recipients to whom the personal data is disclosed
  • communication in an intelligible form of the personal data and of any available information as to their source, and 
  • logic involved in any automatic processing of personal data (at least in the case of the automated decisions).

The above must be provided without constraint, at reasonable intervals and without excessive delay or expense.

There are exceptions to this rule, for matters such as:

  • national security 
  • defence 
  • public security 
  • prevention, investigation, detection and prosecution of criminal offences 
  • breaches of ethics for regulated professions 
  • important economic or financial interests of a Member State, and 
  • protection of the data subject or the rights and freedoms of others. 

The Regulation, amongst other things, extends the scope of the information that data subjects could expect to receive and provides for electronic delivery of information. It may also require the information to be delivered more quickly than is currently the case.

Changes in detail

The general principles of data subject rights under the Regulation will include the following:

  • right of access
  • right to obtain data 
  • right to lodge a complaint to the data protection authority, and
  • right to bring legal proceedings as well as the right to compensation and damages.

Article 15 of the Regulation contains details of the right to access and to obtain data. The data subject will have the right to obtain from the data controller, on request, confirmation as to whether his/her personal data is being processed and the following information:

  • the purposes of processing 
  • information about recipients of the data, particularly recipients in third countries (ie outside Europe)
  • retention periods 
  • the existence of the right to request rectification or erasure or to object to processing 
  • the right to lodge a complaint to the supervisory authority
  • in cases of automated processing including profiling, and 
  • information about sources of the data.

If the data subject makes the request in electronic form the information should be provided in an electronic format (unless otherwise requested).

Article 12 of the Regulation, which relates to procedures and mechanisms for exercising the various rights of the data subject granted by the Regulation, will require the following:

  • The data controller must provide the information without undue delay and, at the latest, within one month of receipt of the request. The period for response may be extended to three months if necessary taking into account the complexity of a request and/or number of requests.
  • If the data controller intends not to respond to the request, they must inform the data subject without delay (and within one month) of the reason and the possibility of lodging a complaint to the supervisory authority.
  • Information and actions taken should be free of charge.
  • If the requests are "manifestly unfounded and excessive", in particular because of repetition, the data controller may charge a reasonable fee (to cover administrative costs) or refuse to comply with the request.
  • Responses to data subjects must be concise, transparent, intelligible and in an easily accessible form using clear and plain language.

Member States may also restrict subject access rights (Article 21), subject to conditions (eg public interest and proportionality) to safeguard various matters including:

  • public / national security
  • prevention, investigation, detection and prosecution of criminal offences
  • exercise of regulatory functions, and
  • protection of the data subject or the rights and freedoms of others. 


The right to access and to obtain data which will be set out in the Regulation is not a new right. Many of the elements of the right (and the exceptions to it) are in the existing Data Protection Directive.

However, the Regulation will add to and enhance the right by requiring:

  • A larger amount of information that data controllers must provide on request (eg retention periods of data and information on the safeguards applied to transfers of data outside of Europe).
  • A requirement to respond to requests without undue delay. In addition there is a hard deadline of one month - the current Directive applies no hard deadline and the period of one month is shorter than is applied in many EU Member States currently (in the UK it is 40 days). However, unlike the current situation, an extended time period (three months) is given for complex and / or large scale requests.
  • Data requested electronically should be provided in an electronic format. 
  • Information provided to be free of charge.

The likely impact of the changes will depend on current law and practice in any jurisdiction. There are some jurisdictions in which the right of subject access is not commonly used and it seems doubtful that what might be described as “incremental” changes will change such practice. In jurisdictions such as the UK, where subject access requests are common practice, the changes will require some work on organisational policy and practice, for example to speed up response times and to revisit practice where charges are normally levied on requestors. However, it seems unlikely that there will be wholesale changes to the way in which subject access requests are made or answered, except perhaps in a move towards electronic provision of data.

The Regulation does, however, represent a significant enhancement to the enforcement regime in relation to data protection. Whilst this might not change practice, it is likely to give organisations greater cause for concern, particularly where data subjects abuse the subject access request right, seeking only to put data controllers to as much inconvenience and expense as possible, with little genuine interest in the data for which they are asking.
