Right of Access
The right of access gives the data subject the right to see what personal data an organisation processes about them. It is one of the most frequently used rights under the GDPR and must be responded to within one month.
What is the right of access?
The right of access is set out in GDPR Article 15. It gives the data subject two things:
- The right to obtain confirmation as to whether you process personal data about them
- If so, the right to access the data and a range of supplementary information
The right of access is one of the most frequently exercised rights in practice. Individuals use it to check whether organisations process their data correctly, and it is often the first step before a complaint to the Danish Data Protection Agency.
As a data controller, you must have procedures in place to handle access requests quickly and correctly.
What must you provide?
In addition to the personal data itself, you must provide the data subject with the following information:
- The purposes of the processing (purpose limitation)
- The categories of personal data
- The recipients or categories of recipients
- The planned retention period
- Information about the right to rectification, erasure, restriction and objection
- The right to lodge a complaint with the Data Protection Agency
- The source of the data, if not collected directly from the data subject
- Whether automated decision-making or profiling takes place
- Information about third-country transfers and the associated safeguards
You must provide a copy of the data free of charge. The format must be easily understandable. If the request is made electronically, the response should in principle also be electronic.
Handling requests
Follow these steps when you receive an access request:
- Identify the requester: You must verify that the request comes from the data subject. You must not disclose data to the wrong person.
- Search all systems: The right of access applies to all personal data, regardless of where it is stored. Remember emails, log files, CRM, HR systems and data held by data processors.
- Respond within one month: The deadline runs from receipt. For complex requests, you may extend by two months, but you must inform the data subject within the first month.
- Document: Record the request, your search and the response in your record.
Ensure your data processing agreement obliges data processors to assist with access requests. Otherwise you cannot provide a complete response.
Exceptions and limitations
The right of access is not absolute. You may limit it in the following situations:
- Others' rights: If disclosure would infringe others' rights (e.g. trade secrets or other data subjects' data), you may withhold the specific information.
- Manifestly unfounded or excessive requests: You may charge a fee or refuse, but the threshold is high.
- National exceptions: The Danish Data Protection Act contains certain national exceptions.
If you refuse a request, you must provide a written justification and inform the data subject of the right to complain to the Danish Data Protection Agency.
Frequently Asked Questions about Right of Access
What is the right of access?
The right of access is the data subject's right to obtain confirmation as to whether an organisation processes personal data about them, and if so, to access the data and supplementary information about the processing. The right follows from GDPR Article 15.
How quickly must an access request be answered?
You must respond to an access request within one month. The deadline may be extended by a further two months for complex requests, but you must inform the data subject of the delay before the first month expires.
Can you refuse an access request?
You can only refuse a request if it is manifestly unfounded or excessive, e.g. repeated identical requests. You may also limit access if disclosure would infringe others' rights. You must always provide a written justification for a refusal.
Must access be free of charge?
Yes, the first copy of the data must be provided free of charge. For additional copies, you may charge a reasonable fee based on administrative costs. For manifestly unfounded or excessive requests, you may also charge a fee or refuse.
Related Terms
Data Subject
The data subject is the natural person whose personal data is processed by an organisation under the GDPR.
Right to Erasure
The right to erasure gives data subjects the right to have their personal data deleted under certain conditions.
Duty to Inform
The duty to inform requires data controllers to tell data subjects how their personal data is processed, pursuant to GDPR Articles 13 and 14.
.legal A/S
.legal is not a law firm and is therefore not under the supervision of the Bar Council.