CIVAC
Data Protection & Privacy | 30 May 2026 | 12 min read

Art. 15 GDPR in Practice: Handling Subject Access Requests in a Legally Sound and Timely Manner

By Lena Vogt

Art. 15 GDPR obliges controllers to provide comprehensive information to data subjects within one month. This article explains scope, deadlines, identity verification and exceptions, and shows how to map the process in an audit-proof way in the CIVAC platform.

Art. 15 GDPR gives every data subject the right to obtain confirmation from a controller as to whether personal data concerning them is being processed and, if so, to request comprehensive information including a copy of the data. Under Art. 12(3) GDPR the deadline is one month from receipt of the request, extendable by a further two months in complex cases. Anyone who misses the deadline or responds incompletely risks fines under Art. 83 GDPR and reputational damage as soon as supervisory authorities or courts become involved.

This article consolidates what controllers need operationally: you will learn the scope of the right, the mandatory components of the response, permissible exceptions, identity verification and how to deal with repeated or manifestly unfounded requests. We also show how to map the entire process in a compliance platform and Officer-as-a-Service, so that every request is logged, answered on time and demonstrable in an audit.

Key Takeaways

  • The response deadline under Art. 12(3) GDPR is one month from receipt; an extension by two months is only permissible in cases of demonstrable complexity and with an interim notice.
  • The information provided must contain all ten mandatory items from Art. 15(1) GDPR as well as a copy of the processed data under para. 3, unless the rights of third parties stand in the way.
  • Without a documented handling process, identity verification and deadline tracking, fine risks arise; the CIVAC platform logs every disclosure in an audit-proof manner.

What Art. 15 GDPR Actually Requires

Art. 15(1) GDPR lists ten mandatory items of information that you must provide to data subjects: processing purposes, categories of personal data, recipients or categories of recipients (particularly in third countries), the envisaged storage period, the existence of rights to rectification, erasure and restriction, the right to lodge a complaint with a supervisory authority, the source of data not collected from the data subject, automated decision-making including profiling, and appropriate safeguards for third-country transfers under Art. 46 GDPR.

Para. 3 additionally requires a copy of the personal data undergoing processing. The European Court of Justice clarified in C-487/21 of 4 May 2023: the copy fundamentally comprises the data in a form that enables the data subject to effectively exercise their rights, where appropriate including extracts from documents or databases. The concepts of information and data copy are therefore not identical but complement one another.

Operationally this means: you need a routine that brings together the record of processing activities under Art. 30 GDPR, the recipient list and the actual data holdings. An external data protection officer ensures that this routine is stored in the workspace and can be reproduced at any time.

Deadlines, Extension and Consequences of Late Responses

The basic deadline is one month from receipt of the request. What matters is the day the request arrives at your organisation, not the day the responsible case handler becomes aware of it: the deadline runs from receipt, not from awareness. An extension by a further two months is possible under the second sentence of Art. 12(3) GDPR where the complexity or number of requests so requires. In that case you must inform the data subject of the extension and its reasons within the first month.

Delays are consistently penalised by supervisory authorities. The State Data Protection Commissioner of Baden-Württemberg (LfDI), for example, repeatedly imposed fines in the five-figure range where information was delayed for months without justification. Civil courts also award compensation under Art. 82 GDPR; the Federal Labour Court (BAG) confirmed the claim in principle on 5 May 2022 (case no. 2 AZR 363/21).

Pragmatically this means: day one begins with the first incoming letter or the first email. Every processing step belongs in a deadline register with automatic reminders seven and three days before expiry. The CIVAC platform and Officer-as-a-Service map this deadline tracking including escalation to management.
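The deadline register described above, as an added example in Python (not CIVAC's own code): it derives the response date, the interim-notice date for an extension and the seven- and three-day reminders from the day of receipt. The month-end clamping rule (31 January plus one month gives the last day of February) is an assumption of this example; the article does not spell out the calendar arithmetic.

```python
from datetime import date, timedelta
import calendar

# Reminder offsets from the article: seven and three days before expiry.
REMINDER_DAYS = (7, 3)


def add_months(d: date, months: int) -> date:
    """Return the same calendar day `months` later, clamped to the last day of
    the target month when that day does not exist (31 Jan + 1 month -> 28/29 Feb).
    Assumption: this month-end clamping is the usual reading of a period counted
    in months; the article itself does not state the calendar rule."""
    idx = d.month - 1 + months
    year, month = d.year + idx // 12, idx % 12 + 1
    return date(year, month, min(d.day, calendar.monthrange(year, month)[1]))


def dsar_deadlines(received: date, extended: bool = False) -> dict:
    """Build one deadline-register entry for an access request.
    `received` is the day the request reached the organisation (the trigger the
    article insists on), not the day a case handler first read it."""
    first_month = add_months(received, 1)
    due = add_months(received, 3) if extended else first_month
    return {
        "received": received,
        # An extension and its reasons must reach the data subject within the first month.
        "interim_notice_by": first_month,
        "response_due": due,
        "reminders": [due - timedelta(days=n) for n in REMINDER_DAYS],
    }


def register_status(entry: dict, today: date) -> str:
    """Classify an entry for the escalation view: 'overdue', 'reminder'
    (inside the seven-day window before expiry) or 'open'."""
    due = entry["response_due"]
    if today > due:
        return "overdue"
    if today >= entry["reminders"][0]:
        return "reminder"
    return "open"


if __name__ == "__main__":
    # Constructed sample: request received on 31 January 2025, no extension.
    entry = dsar_deadlines(date(2025, 1, 31))
    print(entry["response_due"], [str(r) for r in entry["reminders"]])
    print(register_status(entry, date(2025, 2, 22)))
```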

Identity Verification: Between Data Minimisation and Security

Before you provide information, you must be certain that the requesting person is in fact the data subject. Art. 12(6) GDPR permits additional information to establish identity where there are reasonable doubts. This threshold is high: the mere fact that a request arrives by email does not justify a copy of an identity card. The EDPB emphasised in Guidelines 01/2022 that the measure must be proportionate.

In practice, a tiered procedure has proven effective. For customer accounts, verification via the stored login is often sufficient. For requests with no existing business relationship, you can cross-check a second contact detail already on file or send a verification code to the stored address. A copy of an identity document is only permissible where other means do not work, and then with redaction of data that is not required.

Document every verification step. In the audit-proof, documented workspace you record per request which method was used, who decided and why. License the workspace for your internal officers, or have our officers appointed.

Scope of the Information: Which Data Belongs in the Copy

The ECJ specified the scope in C-487/21 and C-307/22. The copy must comprise all data concerning the data subject, including data from notes, internal memos or structured databases, insofar as it can be related to a person. Reproduction in extract form suffices where the context is not distorted. A verbatim copy of entire documents is only required where, without it, the meaning would not remain comprehensible.

Not part of the copy are third-party data, where their rights prevail, and purely factual data without any link to a person. Trade secrets and intellectual property rights may also restrict the scope under Recital 63; in that case the information is not to be refused entirely but appropriately redacted.

Typical locations: CRM, ERP, email mailboxes, ticketing systems, personnel files, supplier management, marketing automation, web analytics and backup holdings. A search in the primary application alone falls short. The CIVAC platform and Officer-as-a-Service store a data map per processing activity, so that for each access request you can query the relevant systems in a structured way. This turns the search into a reproducible routine rather than a manual treasure hunt.

Exceptions and Limits of the Right of Access

Art. 15 GDPR is not boundless. Art. 12(5) GDPR allows you, in the case of manifestly unfounded or excessive requests, in particular where they are frequently repeated, to charge a reasonable fee or to refuse to act. The burden of demonstration and proof for excessiveness lies with the controller. Mere inconvenience is not enough.

Section 34 BDSG sets out further exceptions, for example where data is stored solely because it may not be erased on account of statutory or charter-based retention obligations, and providing the information would require disproportionate effort. Section 29 BDSG also protects those bound by professional secrecy. However, you must specifically justify and document these exceptions.

Where third-party rights are concerned, for example where email correspondence between several people is the subject of the request, the principle of careful redaction applies. You release the content relating to the requesting person but redact the real names, contact data or content that exclusively concerns third parties. Note the reason for each redaction. The auditor calls, the evidence is ready.

Data Copy under Para. 3: Format and Transmission Channel

The first copy is free of charge under the second sentence of Art. 15(3) GDPR. For further copies you may charge a reasonable fee based on administrative costs. If the data subject makes the request electronically, the information is to be provided in a commonly used electronic format, unless they indicate otherwise. A PDF with searchable text is sufficient in most cases; for structured data, CSV or JSON may be considered.

The transmission channel must be secure. Dispatch by unencrypted email is not sufficient for sensitive data holdings, such as health or creditworthiness data. Since 2021 the German Data Protection Conference (DSK) has recommended transport encryption as the minimum standard and, for particularly sensitive categories, additional content encryption or encrypted download portals.

Structure the copy comprehensibly. A mere database dump file is not reasonable. Instead, you should add a brief explanation per category of what the fields mean. This reduces follow-up queries and complaints to the supervisory authority. In the CIVAC platform and Officer-as-a-Service you store response templates, so that every disclosure has a consistent structure, language and security level.

Process and Responsibilities: Who Does What

A robust process begins with a clearly defined point of receipt. Requests can arrive by post, email, web form, telephone or even in person; all channels must be captured. A central mailbox plus web form is recommended, both mirrored in the workspace, so that the deadline automatically begins to run.

The role of the data protection officer coordinates the process, checks identity, scope and exceptions, obtains contributions from the specialist departments and approves the response. Departments supply data from their systems, IT assists with technical exports, the legal department assesses complex redactions. Clear roles and service-level agreements, for example two working days per data export, are essential to meet the one-month deadline.

Documentation is kept in an access register: date of receipt, requesting person, verified identity, systems searched, response date, dispatch channel, any extension, justification. Others run compliance like a filing cabinet. We run it like software. In an audit this register is the central evidence; in the CIVAC platform and Officer-as-a-Service it arises as a by-product of daily work.

Typical Pitfalls and How to Avoid Them

Mistake one: the deadline is only started internally once the responsible employee reads the request. The correct trigger is receipt at the company. A central point of receipt with an automatic date stamp solves the problem.

Mistake two: the response only contains the data from the CRM, but not from email, the ticketing system or HR. A data map per processing activity prevents blind spots.

Mistake three: identity verification is skipped, data ends up with a third party. Here both fines and compensation claims loom. A documented, tiered verification procedure is mandatory.

Mistake four: redactions are made ad hoc, the reasons for redaction are not documented. In the event of a complaint the controller is left without justification. A redaction table per response remedies this.

Mistake five: the response is sent unencrypted. With sensitive data this can be a data breach in its own right under Art. 33 GDPR, with a 72-hour notification deadline. Binding dispatch rules per data category prevent the follow-on error.

Mistake six: repeated requests are classified as excessive without examination. The threshold is high. Without documentation of the history, the refusal is open to challenge. An access register preserves the history and supplies arguments.

Implementing It Operationally: Order a Workspace or an Officer

Anyone still managing access requests in Outlook mailboxes and Excel lists today is building up risk. Supervisory authorities increasingly examine not only the outcome but the process. Reproducibility, adherence to deadlines and evidence-keeping are the three levers.

With the CIVAC platform and Officer-as-a-Service you receive an access module with a point of receipt, a deadline calculator, identity-verification logic, a data map per processing activity, response templates, redaction documentation and secure dispatch. The deed of appointment, signed, filed, demonstrable, sits in the same workspace next to the record of processing activities under Art. 30 GDPR. This turns every single request into a documented operation rather than a fire drill.

You have two paths: license the workspace for your internal officers, or have our officers appointed. In the second model CIVAC takes over the operational handling, you retain visibility and management retains responsibility. In both cases the access process is productive within two working days, with 37 ready-to-use audit templates and complete evidence in the audit.

Turn reading into a mandate. Write to info@civac.de or use the contact form at civac.de if your organisation would like to set up the process cleanly or outsource it.

FAQ

What deadline applies to answering an access request under Art. 15 GDPR?

The response must be made within one month of receipt under Art. 12(3) GDPR. An extension by a further two months is permissible in cases of demonstrable complexity, but requires an interim notice within the first one-month deadline.

Must a copy of an identity card be requested for every request?

No. A copy of an identity card is only permissible where other means of identity verification are insufficient. For existing customer accounts, verification via the login is often enough. Any evidence requested must be proportionate and documented.

What belongs in the data copy under Art. 15(3) GDPR?

The copy must contain all personal data undergoing processing, including extracts from documents or databases insofar as this is necessary for comprehension. The rights of third parties and trade secrets are to be safeguarded through redaction.

May a fee be charged for the information?

The first copy is free of charge. For further copies you may charge a reasonable fee based on administrative costs. For manifestly unfounded or excessive requests, in particular where frequently repeated, a fee is likewise permissible.

Which data may be redacted?

Redacted are third-party data whose rights prevail, as well as content concerning trade secrets or intellectual property. The information itself may not be refused entirely. The reasons for redaction are to be documented per operation.

How does CIVAC provide operational support with access requests?

The CIVAC platform offers an access module with a point of receipt, a deadline calculator, identity verification, a data map, response templates and secure dispatch. In the Officer-as-a-Service model, external officers additionally take over the operational handling. Setup within two working days.
