- 1.
The data subject shall have the right to obtain from the controller confirmation as to whether or not personal data concerning him or her are being processed, and, where that is the case, access to the personal data and the following information:
¶- a) the purposes of the processing; ¶
- b) the categories of personal data concerned; ¶
- c) the recipients or categories of recipient to whom the personal data have been or will be disclosed, in particular recipients in third countries or international organisations; ¶
- d) where possible, the envisaged period for which the personal data will be stored, or, if not possible, the criteria used to determine that period; ¶
- e) the existence of the right to request from the controller rectification or erasure of personal data or restriction of processing of personal data concerning the data subject or to object to such processing; ¶
- f) the right to lodge a complaint with a supervisory authority; ¶
- g) where the personal data are not collected from the data subject, any available information as to their source; ¶
- h) the existence of automated decision-making, including profiling, referred to in Article 22(1) and (4) and, at least in those cases, meaningful information about the logic involved, as well as the significance and the envisaged consequences of such processing for the data subject. ¶
- a)
- 2.
Where personal data are transferred to a third country or to an international organisation, the data subject shall have the right to be informed of the appropriate safeguards pursuant to Article 46 relating to the transfer.
¶ - 3.
The controller shall provide a copy of the personal data undergoing processing. For any further copies requested by the data subject, the controller may charge a reasonable fee based on administrative costs. Where the data subject makes the request by electronic means, and unless otherwise requested by the data subject, the information shall be provided in a commonly used electronic form.
¶ - 4.
The right to obtain a copy referred to in paragraph 3 shall not adversely affect the rights and freedoms of others.
¶
GDPR Article EN In force as of 2016-05-04 LLM context A cited markdown file you can paste into your AI assistant (ChatGPT, Claude, a RAG or project knowledge base) to ground it in this article. Contains: the article text, related recitals, cases citing it, enforcement stats and top fines, guidance, and related topics. Everything links back to its source on overview.legal — legal information, not advice.
Right of access by the data subject
Enforcement
Cited in 273 fines totalling €82.1M
Connections by provision
15(1) 13 Case Law 1 Guidance 1 News
Case Law 13
Österreichische Datenschutzbehörde v CRIF BONNIER AUDIO ABET AL. V. PERFECT COMMUNICATIONS WEDEN, 19.April.2012 (“BONNIER”) BONNIER AUDIO ABET AL. V. PERFECT COMMUNICATIONS WEDEN, 19.April.2012 (“BONNIER”) SCARLET EXTENDED SA V. SOCIETE BELGE DES AUTEURS, COMPOSITEURS ET EDITEURS SCRL (SABAM), 24.Nov.2011 (“SCARLET”) Digital Rights Ireland Ltd v Minister for Communications Privacy International v Secretary of State LSG-GESELLSCHAFT ZUR WAHRNEHMUNG VON LEISTUNGSSCHUTZRECHTEN GMBH V. TELE2 TELECOMMUNICATION GMBH, 19.Feb.2009 (“Tele2”) ¶17 Österreichische Datenschutzbehörde v CRIF +5 more News 1
SO Warszawa - Case C 310/23 15(1)(a) 3 Case Law 1 Guidance
15(1)(b) 1 Guidance
15(1)(c) 3 Guidance
15(1)(d) 1 Guidance
15(1)(e) 1 Guidance
15(1)(f) 1 Guidance
15(1)(g) 1 Guidance
15(1)(h) 1 Guidance 1 News
15(2) 2 Case Law 1 Guidance
15(3) 20 Case Law 5 Guidance
Case Law 20
Österreichische Datenschutzbehörde v CRIF ¶2 Österreichische Datenschutzbehörde v CRIF ¶53 Österreichische Datenschutzbehörde v CRIF ¶50 Österreichische Datenschutzbehörde v CRIF ¶49 Österreichische Datenschutzbehörde v CRIF ¶48 Österreichische Datenschutzbehörde v CRIF ¶46 Österreichische Datenschutzbehörde v CRIF ¶45 Österreichische Datenschutzbehörde v CRIF +12 more Guidance 5
Guidelines 03/2021 on the application of Article 65(1)(a) GDPR Guidelines 01/2022 on data subject rights - Right of access Guidelines 2/2023 on Technical Scope of Art. 5(3) of ePrivacy Directive Guidelines 8/2020 on the targeting of social media users Guidelines 02/2021 on virtual voice assistants Related across sources
Literature The Court of Justice on the Excessiveness of Access Requests under the GDPR News The Italian SA imposed a 40 000 EUR fine on a company for violating the confidentiality of a employee's email account after the end of his employment News Digital Omnibus reality check: 83.5% of access requests not properly answered News Digital Omnibus: EU DPAs reject many proposed changes to the GDPR News DSB (Austria) - 2025-0.789.117 News VG Düsseldorf - 29 K 9469/23