AuditFront

GDPR Art.15: Right of Access by the Data Subject

What This Control Requires

The data subject shall have the right to obtain from the controller confirmation as to whether or not personal data concerning him or her are being processed, and, where that is the case, access to the personal data and the following information: (a) the purposes of the processing; (b) the categories of personal data concerned; (c) the recipients or categories of recipient to whom the personal data have been or will be disclosed; (d) where possible, the envisaged period for which the personal data will be stored, or, if not possible, the criteria used to determine that period; (e) the existence of the right to request from the controller rectification or erasure of personal data or restriction of processing of personal data concerning the data subject or to object to such processing; (f) the right to lodge a complaint with a supervisory authority; (g) where the personal data are not collected from the data subject, any available information as to their source; (h) the existence of automated decision-making, including profiling, referred to in Article 22(1) and (4) and, at least in those cases, meaningful information about the logic involved, as well as the significance and the envisaged consequences of such processing for the data subject.

In Plain Language

Subject Access Requests (SARs) are the most frequently exercised data subject right and the one most likely to expose gaps in your data management. When someone asks for their data, you must confirm whether you are processing it and, if so, hand over a copy together with the contextual information listed in Article 15(1).

The response is not just a data dump. You must include the purposes of processing, data categories, who you have shared the data with (or will share it with), retention periods, where the data came from if you did not collect it directly, and details of any automated decision-making or profiling. You also need to remind them of their other rights - rectification, erasure, restriction, objection, and the right to complain to a DPA.

You have one month from receipt to respond (Article 12(3)). The first copy is free; further copies may carry a reasonable fee based on administrative costs (Article 15(3)). A request made by electronic means should be answered in a commonly used electronic form unless the individual asks otherwise. The period may be extended by up to two further months where the complexity or number of requests makes that necessary, but you must tell the individual, with reasons, within the original month.

How to Implement

Document a SAR handling procedure covering the full lifecycle. Define intake channels (online form, email, post, phone), set up central logging, and assign clear ownership. Critically, train staff to recognise SARs even when they do not use the magic words - any request for personal data triggers the obligation, regardless of how it is phrased.

Build a proportionate identity verification step. For existing customers, checking against the authenticated account is usually enough. For individuals you cannot otherwise identify, Article 12(6) lets you ask for additional information where you have reasonable doubts, which may include photo ID in appropriate cases. Keep verification simple enough that it does not become a barrier - DPAs have penalised organisations that use verification as a delaying tactic.

Map out where personal data lives across your organisation and build efficient retrieval processes. Use your Records of Processing Activities and data mapping as the foundation. Identify every system, database, email archive, paper file, and backup that might hold relevant data. Assign departmental contacts who can search their systems when a SAR comes in. For high-volume environments, invest in automated search tooling.

Review everything before disclosure. Check that the data belongs to the right person, redact third-party information, and apply only exemptions that actually exist: Article 15(4) protects the rights and freedoms of others, and national law adds specific exemptions (for example legal professional privilege under the UK Data Protection Act 2018). Prepare all the supplementary information Article 15(1)(a)-(h) requires. Document every decision to withhold or redact, with clear justification.

Deliver the response in a sensible format - PDF or CSV for electronic requests. Separate the data from the supplementary information so it is easy to navigate. Include information about the individual's other rights. Log the full response details including what was sent, what was withheld, and the response date.

Evidence Your Auditor Will Request

  • Documented SAR handling procedure with defined workflows, responsibilities, and timelines
  • SAR tracking log showing all requests received, actions taken, and response dates
  • Identity verification procedures for data subject access requests
  • Sample SAR responses demonstrating provision of data and all required supplementary information
  • Training records for staff involved in SAR handling

Common Mistakes

  • Failing to recognise informal requests as valid subject access requests
  • Exceeding the one-month response deadline without notifying the data subject of an extension
  • Providing the personal data but omitting the required supplementary information (purposes, recipients, retention periods, etc.)
  • Incomplete searches - failing to check all systems and locations where personal data may be stored
  • Disclosing third-party personal data within the SAR response without proper redaction

Related Controls Across Frameworks

Framework   Control ID   Relationship
ISO 27001   A.5.34       Related

Frequently Asked Questions

Does a subject access request need to be in writing?
No. A SAR can come verbally, by email, through social media, or by letter. The person does not need to mention Article 15 or even use the phrase "subject access request." If someone asks for their personal data in any form, that is a SAR. Train your frontline staff to spot them - the most common failure is not recognising a valid request when it arrives informally.
Can we refuse a subject access request?
Only if the request is manifestly unfounded or excessive (Article 12(5)) - for instance, the same person sending identical requests repeatedly with no new processing in between. In that case you may charge a reasonable fee or refuse. You carry the burden of demonstrating this, and in practice successful refusals are rare. If you do refuse, you must explain the reasons and inform the individual of their right to complain to a supervisory authority. Document everything.
Do we have to search backup systems for SAR data?
Technically, data in backups is still personal data. But proportionality applies. If the same data exists in your live systems, it is generally reasonable to search those and skip the backups. If data exists only in backups and nowhere else, you will likely need to retrieve it. Document your reasoning either way - the key is showing you made a considered decision, not that you ignored an entire data source.
