CIPP/E Study Guide
Ch 9.5 - Right of access

Right of access (DSAR)

Article 15 is the active counterpart to the passive right to information: on request, a data subject must be told whether their data are processed and, if so, given access plus a defined list of details. The GDPR expands the mandatory categories well beyond the Directive. Practical traps include the one-month deadline, identity verification, third-party data, requests about children and proxies, and the very high threshold before a request can be charged for or refused as manifestly unfounded or excessive.

The GDPR expands the mandatory categories considerably compared with the Directive. Article 15 gives a data subject the right to confirmation of whether their data are being processed, access to that data, and the following accompanying details:

  • The purposes of the processing
  • The categories of personal data concerned
  • The recipients or categories of recipient (especially in third countries)
  • Where possible, the envisaged storage period, or the criteria used to set it
  • The existence of the rights to rectification, erasure, restriction and objection
  • The right to lodge a complaint with a supervisory authority
  • Where data were not collected from the data subject, any available information on the source
  • The existence of automated decision-making, including profiling, with meaningful information about the logic, significance and envisaged consequences

Operational traps in handling a DSAR

Issue | Required handling
Deadline | Respond without undue delay and within one month of receipt
Doubt about identity | Pause the process and ask only for information necessary to confirm identity (proportionality)
Request about a child | Assess the child's maturity; use clear, plain language; a parent may exercise the right where in the child's best interests
Data about other people | Protect their rights - redact, or seek their consent before disclosure
Proxy request | Disclose only once the third party's entitlement is sufficiently evidenced; document it
Manifestly unfounded/excessive | Very high threshold; may charge a reasonable fee or refuse, but must justify and document

Extension trap

In the access context the text ties the two-month extension to requests that are particularly excessive or unfounded (e.g. repeated requests from the same person). The threshold to charge a fee or refuse is described as very high.

Key terms - quick answers

What is “Subject access request (DSAR)”?
A request under Article 15 for confirmation of processing, access to the personal data, and prescribed accompanying information.

What is “Manifestly unfounded or excessive”?
The very high threshold that lets a controller charge a reasonable fee or refuse; it must be justified and documented.

What is “Proxy request”?
A subject access request made via a third party (attorney, accountant, etc.) acting on the data subject's behalf, requiring proof of entitlement.