Right of Access (Article 15)
The Right of Access, enshrined in Article 15 of the General Data Protection Regulation (GDPR), is a fundamental data subject right that empowers individuals to obtain confirmation from a data controller as to whether their personal data is being processed, and if so, to access that data along with specific supplementary information. Under Article 15, data subjects have the right to receive the following information: the purposes of processing, the categories of personal data concerned, the recipients or categories of recipients to whom data has been or will be disclosed (particularly recipients in third countries or international organizations), the envisaged retention period or criteria used to determine it, the existence of rights to rectification, erasure, restriction, or objection, the right to lodge a complaint with a supervisory authority, the source of the data (if not collected directly from the data subject), and the existence of automated decision-making, including profiling. Data controllers must provide a copy of the personal data undergoing processing free of charge. For additional copies, controllers may charge a reasonable fee based on administrative costs. When requests are made electronically, the information should be provided in a commonly used electronic format, unless otherwise requested. Two further considerations are important for privacy professionals: the right of access must not adversely affect the rights and freedoms of others, including trade secrets and intellectual property, and controllers must verify the identity of the requesting individual before disclosing information.
Responses must generally be provided without undue delay and within one month, extendable by two additional months for complex or numerous requests. The right of access serves as a transparency mechanism, enabling individuals to verify the lawfulness of processing and exercise further rights if needed. Organizations must implement efficient processes to handle access requests, maintain proper records of processing activities, and train staff to recognize and respond to such requests appropriately. Non-compliance can result in significant fines under the GDPR enforcement framework.
Right of Access (Article 15) – Complete Guide for CIPP/E Exam Preparation
Introduction
The Right of Access under Article 15 of the General Data Protection Regulation (GDPR) is one of the most foundational and frequently tested data subject rights in the CIPP/E exam. It empowers individuals to obtain confirmation as to whether their personal data is being processed and, if so, to access that data along with key supplementary information. Understanding this right in depth is essential not only for exam success but also for practical data protection compliance.
Why Is the Right of Access Important?
The Right of Access is a cornerstone of data protection law for several important reasons:
1. Transparency and Accountability: It ensures that data controllers cannot process personal data in secrecy. Individuals have the right to know what is being done with their data, reinforcing the GDPR's core principle of transparency (Article 5(1)(a)).
2. Empowerment of Data Subjects: The right enables individuals to verify the lawfulness of processing. Without knowing what data is held about them, individuals cannot effectively exercise other rights such as rectification, erasure, or objection.
3. Gateway Right: The Right of Access is often described as a gateway right because it enables data subjects to understand the scope and nature of processing, which in turn facilitates the exercise of other rights under the GDPR (e.g., the right to rectification under Article 16, or erasure under Article 17).
4. Trust Building: Organisations that handle access requests efficiently and transparently build trust with their customers, employees, and other stakeholders.
5. Regulatory Significance: Supervisory authorities closely scrutinise how organisations handle Subject Access Requests (SARs). Failure to comply can lead to enforcement action, including significant fines.
What Is the Right of Access (Article 15)?
Article 15 of the GDPR provides data subjects with two primary entitlements:
1. Confirmation of Processing:
The data subject has the right to obtain from the controller confirmation as to whether or not personal data concerning them is being processed.
2. Access to Personal Data and Supplementary Information:
Where personal data is being processed, the data subject has the right to access:
• The personal data itself;
• The purposes of the processing;
• The categories of personal data concerned;
• The recipients or categories of recipients to whom the personal data has been or will be disclosed, in particular recipients in third countries or international organisations;
• Where possible, the envisaged period for which the personal data will be stored, or if not possible, the criteria used to determine that period;
• The existence of the right to request rectification, erasure, restriction of processing, or to object to processing;
• The right to lodge a complaint with a supervisory authority;
• Where the personal data is not collected from the data subject, any available information as to the source of the data;
• The existence of automated decision-making, including profiling, as referred to in Article 22(1) and (4), and meaningful information about the logic involved, as well as the significance and the envisaged consequences of such processing for the data subject.
3. International Transfers (Article 15(2)):
Where personal data is transferred to a third country or to an international organisation, the data subject has the right to be informed of the appropriate safeguards pursuant to Article 46 relating to the transfer.
4. Right to a Copy (Article 15(3)):
The controller must provide a copy of the personal data undergoing processing. For any further copies requested by the data subject, the controller may charge a reasonable fee based on administrative costs. Where the data subject makes the request by electronic means, and unless otherwise requested by the data subject, the information shall be provided in a commonly used electronic form.
5. Rights of Others (Article 15(4)):
The right to obtain a copy shall not adversely affect the rights and freedoms of others. This is a critical limitation – controllers must balance the data subject's right of access against the rights of third parties whose data may appear in the same documents.
How Does the Right of Access Work in Practice?
Step 1: Receiving the Request
• A Subject Access Request (SAR) can be made verbally or in writing. There is no requirement for the data subject to use a specific form or even to reference Article 15 or the GDPR explicitly.
• The controller should have mechanisms in place to recognise and log SARs across all communication channels (email, phone, social media, in person).
Step 2: Verifying Identity
• The controller must verify the identity of the person making the request, especially where the controller has reasonable doubts about the identity. The controller may request additional information necessary to confirm identity (Article 12(6)).
• However, the controller should not use identity verification as a barrier to delay or refuse requests. The verification measures should be proportionate.
Step 3: Timeframe for Response
• The controller must respond without undue delay and in any event within one month of receipt of the request (Article 12(3)).
• This period may be extended by two further months where necessary, taking into account the complexity and number of requests. The controller must inform the data subject of any extension within one month of receipt, along with the reasons for the delay.
• If the controller does not act on the request, it must inform the data subject without delay and at the latest within one month, providing the reasons and informing them of the right to lodge a complaint with a supervisory authority and seek a judicial remedy.
Step 4: Cost
• The first copy of personal data must be provided free of charge (Article 15(3)).
• For additional copies, a reasonable fee based on administrative costs may be charged.
• Where requests are manifestly unfounded or excessive, particularly where repetitive, the controller may either charge a reasonable fee or refuse to act on the request (Article 12(5)). The burden of proof for demonstrating the manifestly unfounded or excessive nature rests with the controller.
Step 5: Format of Response
• Information should be provided in a concise, transparent, intelligible, and easily accessible form, using clear and plain language (Article 12(1)).
• If the request is made electronically, the response should be provided in a commonly used electronic form, unless the data subject requests otherwise.
• Oral information may be provided where the data subject requests it, provided the identity of the data subject is confirmed by other means.
Step 6: Searching for and Compiling Data
• The controller must conduct a reasonable and proportionate search across all relevant systems – both automated and manual filing systems that fall within the scope of the GDPR.
• All categories of personal data must be included, not just the obvious structured records; unstructured and less obvious sources such as emails, CCTV footage, HR records, handwritten notes, and call recordings are also in scope.
Step 7: Redaction and Third-Party Data
• Where the personal data of the requesting data subject is intertwined with data about other individuals, the controller must carefully redact or anonymise third-party data to protect their rights and freedoms, unless those third parties have consented to the disclosure.
Key Limitations and Exceptions
While Article 15 grants broad rights, there are several limitations to be aware of:
• Manifestly Unfounded or Excessive Requests (Article 12(5)): Controllers can charge a fee or refuse. The bar for 'manifestly unfounded or excessive' is high and the controller bears the burden of proof.
• Rights and Freedoms of Others (Article 15(4)): The right to a copy must not adversely affect others. This requires a balancing exercise.
• Recital 63: States that the right of access should not adversely affect the rights or freedoms of others, including trade secrets or intellectual property, particularly copyright protecting software. However, these considerations should not result in a refusal to provide all information to the data subject.
• Member State Derogations: Under Article 23, Member States may introduce legislative restrictions on the Right of Access for reasons such as national security, defence, public security, prevention and detection of criminal offences, important economic or financial interests, and other grounds specified in that article.
• Repetitive Requests: The GDPR does not explicitly limit how often a data subject may make a SAR, but the 'manifestly excessive' provision addresses repetitive requests.
Relationship to Other GDPR Provisions
• Article 12 (Transparent Information, Communication, and Modalities): Sets out the general framework for how controllers must facilitate the exercise of data subject rights, including timeframes, costs, format, and how to handle manifestly unfounded or excessive requests. Article 12 applies to Article 15 and all other data subject rights.
• Article 11 (Processing Which Does Not Require Identification): If the controller can demonstrate that it is not in a position to identify the data subject, Articles 15 to 20 shall not apply, except where the data subject provides additional information enabling identification.
• Articles 13 and 14 (Information to Be Provided): While Articles 13 and 14 relate to the proactive provision of information at the time of data collection, Article 15 is a reactive right exercised on request.
• Article 20 (Right to Data Portability): Distinct from the Right of Access. Portability applies only to data provided by the data subject, processed by automated means, and on the legal basis of consent or contract. The Right of Access is broader in scope.
• Article 22 (Automated Decision-Making): Article 15(1)(h) specifically requires controllers to inform data subjects about the existence of automated decision-making, including profiling, and provide meaningful information about the logic involved.
Important Case Law and Guidance
• CJEU – Case C-434/16 (Nowak): The Court of Justice of the EU clarified that answers written by a candidate in a professional examination, and any examiner's comments, constitute personal data. This case underscores the broad interpretation of personal data in the context of access requests.
• CJEU – Case C-154/21 (Österreichische Post): The Court held that under Article 15(1)(c), the data subject has the right to know the specific identity of the recipients to whom their data has been disclosed, not merely the categories of recipients, unless it is impossible to identify the recipients or the request is manifestly unfounded or excessive.
• European Data Protection Board (EDPB) Guidelines 01/2022 on Data Subject Rights – Right of Access: These comprehensive guidelines provide detailed practical guidance on the scope of the Right of Access, including the nature of the right, the supplementary information to be provided, the process for handling SARs, timeframes, and exemptions.
Practical Challenges for Organisations
• Handling large volumes of SARs, especially for large employers or online platforms.
• Searching across multiple systems (CRM, email, backup systems, paper files, CCTV).
• Balancing the rights of the data subject against third-party rights and legal privilege.
• Dealing with vague or broad requests – controllers may ask for clarification to narrow the scope, but cannot use this to refuse the request.
• Responding within the one-month deadline, particularly for complex requests.
• Ensuring consistency in responses across the organisation.
Exam Tips: Answering Questions on Right of Access (Article 15)
The following tips will help you maximise your marks on CIPP/E exam questions related to Article 15:
1. Know the Two-Part Structure: Always remember that Article 15 provides (a) the right to confirmation of processing and (b) the right to access the data and supplementary information. Exam questions may test whether you understand both elements.
2. Memorise the Supplementary Information List: Be familiar with the full list of supplementary information in Article 15(1)(a)–(h). Exam questions often ask what information a controller must provide alongside the personal data. Key items include: purposes, categories of data, recipients, retention periods, rights available, source of data, and automated decision-making.
3. Distinguish Access from Portability: A common exam trap is confusing the Right of Access (Article 15) with the Right to Data Portability (Article 20). Remember that portability is narrower – it applies only to data provided by the data subject, processed on the basis of consent or contract, and by automated means. Access is broader and covers all personal data.
4. Know the Timeframes: One month to respond, extendable by two further months. If extending, the controller must inform the data subject within the initial one-month period with reasons.
5. Understand the Fee Rules: First copy is free. Additional copies may attract a reasonable fee. Manifestly unfounded or excessive requests may be charged or refused – but the controller bears the burden of proof.
6. Remember the Electronic Format Rule: If the request is made electronically, the response should be in a commonly used electronic form unless the data subject requests otherwise. This is a frequently tested detail.
7. Third-Party Rights Limitation: Article 15(4) – the right to obtain a copy must not adversely affect the rights and freedoms of others. Be prepared to apply this in scenario questions where personal data of multiple individuals is intertwined.
8. Identity Verification: The controller may request additional information to verify identity under Article 12(6), but only where there are reasonable doubts. This should not be used as a pretext to delay or obstruct.
9. No Formality Required: Data subjects do not need to use specific wording, cite Article 15, or use the term 'subject access request.' If a communication amounts to a request for access to personal data, it triggers Article 15 obligations.
10. Link to Article 12: Many procedural aspects (timeframes, costs, format, refusal) are governed by Article 12, not Article 15 itself. Be sure to understand the interplay between these two articles.
11. Know the Recitals: Recital 63 is particularly important. It clarifies that the right of access should be exercised at reasonable intervals and that trade secrets and intellectual property should not result in a blanket refusal to provide information.
12. Member State Derogations (Article 23): Be aware that Member States can restrict the Right of Access for specific purposes (e.g., national security, criminal investigations). Exam questions may test whether you know that such restrictions are possible and under what conditions.
13. Watch for Scenario-Based Questions: The CIPP/E exam frequently uses scenario-based questions. When encountering a scenario about a SAR, systematically consider: (a) Is the request valid? (b) Can the controller verify identity? (c) What data must be provided? (d) What supplementary information is required? (e) Are there any exemptions or limitations? (f) What is the timeframe? (g) What format should the response take?
14. Österreichische Post Case: Remember that data subjects are entitled to know the specific identity of recipients, not just the categories. This is a high-profile CJEU ruling that may be tested.
15. Practice with Process of Elimination: For multiple-choice questions, eliminate answers that confuse Article 15 with other rights, that apply incorrect timeframes, or that incorrectly state that a fee is always required or that requests must be in writing.
Summary
The Right of Access under Article 15 is a fundamental pillar of the GDPR's data subject rights framework. It provides individuals with the power to obtain confirmation of processing, access their personal data, and receive detailed supplementary information about how their data is used. For the CIPP/E exam, a thorough understanding of Article 15 – including its scope, procedural requirements under Article 12, limitations, and relationship to other GDPR provisions – is essential. Focus on the details: the list of supplementary information, the distinction from data portability, timeframes, costs, format requirements, and the balancing of third-party rights. With this comprehensive knowledge, you will be well-prepared to tackle any exam question on this critical topic.