Article 15 of the General Data Protection Regulation gives individuals the legal right to ask what personal data you hold about them and receive a copy of it.

These inquiries are formally known as Data Subject Access Requests (DSARs). Anyone whose data you process can submit one at any time, and you must normally fulfil it without charging a fee. Managing these demands requires a strict internal process and a solid grasp of your regulatory obligations.

The sheer volume of access requests has surged dramatically over the past few years. Industry data from Termly indicates a 222% increase in GDPR requests between 2021 and 2024, pushing the average number of requests per website to 61 annually.

Failing to answer a DSAR correctly exposes your business to severe financial and legal risks. Supervisory authorities treat the right of access as a foundational element of privacy law. A delayed or incomplete response routinely triggers regulatory investigations and substantial administrative fines. Deliberately concealing information to avoid disclosure can even result in criminal prosecution in certain jurisdictions.

You must have a clear strategy to identify, process, and fulfil these requests within the statutory deadlines.

What Does Article 15 Require You to Disclose?

The right of access covers much more than just a raw data export. Article 15(1) of the GDPR dictates that you must confirm whether you process the person's data and provide a broad set of supplementary information.

You are legally required to disclose the following details when responding:

  • The specific purposes of your processing activities.
  • The categories of personal data you hold.
  • The recipients or categories of recipient to whom the data has been or will be disclosed, particularly those in third countries.
  • The envisaged retention period, or the criteria used to determine that period.
  • Information regarding the source of the data if you did not collect it directly from the individual.
  • The existence of automated decision-making, including profiling, and meaningful information about the logic involved.

You must provide a copy of the personal data undergoing processing, usually in a commonly used electronic format like a CSV or PDF file. You cannot charge for this first copy, though Article 15(3) permits a reasonable fee based on administrative costs for any further copies requested by the same person.

A frequent mistake is assuming you must hand over every internal document mentioning the person's name. The European Court of Justice clarified in 2023 (Case C-487/21) that the term "copy" relates to the personal data itself, not to the original documents. You only need to provide full copies of documents or emails if that context is essential for the data subject to exercise their rights effectively.

Providing the correct information while withholding confidential company data or the personal data of other employees requires careful redaction.

Recognising a Valid Data Subject Access Request

A data subject does not need to use formal legal terminology to trigger your obligations.

They do not have to mention "Article 15", "GDPR", or even "DSAR" in their communication. If an individual asks "What information do you hold on me?" or "Send me everything you have on my account," the legal clock starts ticking immediately. The request can arrive via email, a contact form, social media, or even verbally during a phone call with your support team.

The statutory deadline for responding is one calendar month from the day you receive the request. You can extend this by a further two months if the request is particularly complex or if the individual has submitted multiple overlapping requests. You must notify the data subject of this extension and the reasons for it within the initial one-month window.

Verifying the identity of the requester is your first operational hurdle.

The European Data Protection Board (EDPB) states in its Guidelines 01/2022 that you should not ask for more personal data than necessary to confirm an identity. Demanding a copy of a passport or national ID card is generally considered disproportionate if you can verify the person through an existing customer account portal or by sending a secure confirmation link to their registered email address.

Handling Requests via Third-Party Portals and Proxies

Data subjects frequently use automated services or solicitors to submit requests on their behalf.

When you receive a DSAR from a third-party portal, you must establish that the service has the legal authority to act for the individual. The Information Commissioner's Office warns that you should not simply release data blindly. You must verify the person's identity and ensure they genuinely agreed to have their data uploaded to the specific portal.

Providing data to an unauthorised third party constitutes a severe personal data breach.

If you have reasonable grounds to doubt the authorisation, you should pause the request and ask the portal for concrete evidence of their mandate. You can also contact the individual directly to confirm they initiated the process. Bypassing the portal and sending the data directly to the individual's known email address often provides a safer alternative.

Exercise extreme caution when dealing with requests submitted on behalf of children.

The Rising Trend of Hostile Access Requests

Many individuals submit access requests simply to understand how a business uses their data.

A growing percentage of DSARs are weaponised by disgruntled customers or former employees. A 2025 survey by TransPerfect Legal revealed that roughly 80% of the employee DSARs they handle are directly tied to parallel claims, such as tribunal proceedings or settlement negotiations. Legal practitioners in Germany note that nearly one in three dismissal protection actions now includes a supplementary DSAR claim under Article 15.

Responding to a hostile employee request involves searching through years of emails, HR files, and internal communications.

The EDPB has taken a strict stance on the effort required to locate this data. According to the final version of their guidelines adopted in 2023, the EU GDPR contains no general exemption for proportionality. If a data subject asks for all their data, you must search through all IT and non-IT filing systems, regardless of the administrative burden, unless you can prove the request is "manifestly unfounded or excessive".

Proving a request is excessive requires a very high threshold of evidence.

How the UK DUAA Limits Search Obligations

The regulatory environment in the United Kingdom recently diverged from the European Union approach.

In June 2025, the UK passed the Data (Use and Access) Act (DUAA), which amended the UK GDPR to provide businesses with some operational relief. The Act inserted a new Article 15(1A) which explicitly states that a data subject is only entitled to personal data based on a "reasonable and proportionate" search. This codified existing UK case law and significantly reduced the administrative burden of handling voluminous employee requests.

The DUAA also formally introduced a "stop the clock" mechanism.

If you need to ask the requester for clarification because you process a vast amount of information about them, the one-month deadline pauses until they provide that clarification. You must still act promptly to request this clarity rather than waiting until the end of the month.

These changes mean your compliance strategy must adapt depending on whether you are responding under the EU GDPR or the UK GDPR.
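The deadline rules above (one calendar month from receipt, an extension of a further two months that must be notified within the first month, and the UK-only "stop the clock" pause during clarification) are easy to miscalculate at month ends. The tracker below is an added example, not code from the original article or from Kukie.io; it assumes the "corresponding calendar date" convention for month arithmetic (a day with no counterpart, such as 31 January plus one month, falls on the last day of the target month) and models the UK pause as shifting the deadline by the number of paused days. Both are assumptions to check against your regulator's guidance.

```python
import calendar
from dataclasses import dataclass, field
from datetime import date, timedelta


def add_months(d: date, months: int) -> date:
    """Add calendar months. Assumption: when the target month has no
    corresponding day (e.g. 31 Jan + 1 month), clamp to its last day."""
    month_index = d.month - 1 + months
    year = d.year + month_index // 12
    month = month_index % 12 + 1
    day = min(d.day, calendar.monthrange(year, month)[1])
    return date(year, month, day)


@dataclass
class Dsar:
    received: date          # day the request arrived (clock starts here)
    regime: str             # "EU" or "UK"
    extended: bool = False  # two-month extension granted and notified
    # (start, end) periods while awaiting clarification from the requester
    pauses: list = field(default_factory=list)

    def extend(self, today: date) -> bool:
        """Grant the extension only if notified within the initial month."""
        if today > add_months(self.received, 1):
            return False
        self.extended = True
        return True

    def paused_days(self) -> int:
        # EU GDPR: no stop-the-clock, the deadline keeps running.
        if self.regime != "UK":
            return 0
        return sum((end - start).days for start, end in self.pauses)

    def deadline(self) -> date:
        base = add_months(self.received, 3 if self.extended else 1)
        return base + timedelta(days=self.paused_days())

    def days_remaining(self, today: date) -> int:
        """Negative means the statutory deadline has already passed."""
        return (self.deadline() - today).days
```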

Exemptions to the Right of Access

You do not always have to disclose every piece of personal data you hold.

Both the EU and UK GDPR contain specific exemptions designed to protect competing interests. Article 15(4) explicitly states that the right to obtain a copy must not adversely affect the rights and freedoms of others. If releasing a document exposes the personal data of a colleague or breaches corporate intellectual property, you must redact that specific information before disclosure.

Applying an exemption requires a documented, case-by-case analysis.

You cannot apply blanket refusals across an entire DSAR simply because some documents contain sensitive commercial information. The 2025 TransPerfect Legal survey highlighted that 75% of compliance professionals rely heavily on regulatory guidance when applying exemptions like legal professional privilege or management forecasting. If you decide to withhold data, you must explain your reasoning to the data subject and inform them of their right to complain to the supervisory authority.

Recent Enforcement Actions and Penalties

Data protection authorities actively penalise organisations that mishandle access requests.

In 2025, the UK Information Commissioner's Office (ICO) took public enforcement action against both Bristol City Council and South West Police. Both public sector bodies had failed to respond to hundreds of DSARs within the statutory timeframes over several years. These delays caused significant distress to the individuals involved and demonstrated a systemic failure in the organisations' compliance workflows.

Civil fines and reprimands are no longer the only risk you face.

An unreported ICO action in September 2025 marked the regulator's first criminal prosecution under section 173 of the Data Protection Act 2018. Under this specific section, it is a criminal offence to intentionally alter, erase, block, or conceal information with the intention of preventing its disclosure in response to a DSAR. This case proved that deliberate obstruction can lead to personal criminal liability for directors and employees, punishable by severe fines or imprisonment.

You must train your staff to never delete emails or records simply because a difficult access request has arrived.

Preparing Your Infrastructure for Compliance

Handling access requests manually is no longer viable for most digital businesses.

You must establish a dedicated, documented procedure for logging and fulfilling DSARs before a complex request lands in your inbox. This process should map exactly where personal data resides across your databases, marketing platforms, and third-party software applications. If a user asks for their data, your engineering or compliance team needs a straightforward way to extract it without manually querying dozens of separate systems.

Reviewing your data retention policies substantially reduces your DSAR workload.

If you systematically delete old, unnecessary personal data, it cannot fall within the scope of a future access request. You cannot disclose what you no longer possess. Combining tight retention schedules with automated extraction tools lowers your risk profile significantly.

Clear communication with the data subject often prevents a standard request from escalating into a formal regulatory complaint.

Comparing EU and UK Approaches to DSARs

The differences between the jurisdictions dictate how you allocate internal resources.

Regulatory Feature | EU GDPR (Article 15) | UK GDPR (Post-DUAA 2025)
--- | --- | ---
Search Scope | No general proportionality limit. You must search all systems. | Limited explicitly to a "reasonable and proportionate" search.
Clarification Delays | The response clock continues running unless ID verification is pending. | Formal "stop the clock" mechanism pauses the deadline during clarification.
Identity Verification | Strict limits on requesting additional physical ID documents. | Similar strict limits, with a pragmatic approach to third-party portals.
Fee Charging | Only permitted if the request is "manifestly unfounded or excessive". | Only permitted if the request is "manifestly unfounded or excessive".

If your website serves users in both regions, you must carefully categorise incoming requests to apply the correct legal standard. Adopting a unified approach based solely on the strictest interpretation often creates unnecessary operational bottlenecks.

Integrating DSARs with Cookie Compliance

Consent records generated by your cookie banner are personal data.

When an individual submits a DSAR, they have the right to know what tracking technologies you deployed on their device and when they consented to them. If you drop functional cookies or analytics trackers without logging a proper consent trail, you will struggle to provide an accurate response under Article 15. The requester will easily spot that their data was processed unlawfully.

If you need to audit your current tracking setup, the Kukie.io features page outlines how our platform logs granular consent choices for every visitor.

You can then export these consent receipts to fulfil that specific portion of a DSAR. Providing clear, timestamped proof of consent demonstrates to both the user and the regulator that your data governance is mature and compliant.

Maintaining a clean cookie strategy is the first line of defence against privacy complaints.

Frequently Asked Questions

How many days do you have to respond to a DSAR?

You must respond to a Data Subject Access Request without undue delay and at the latest within one calendar month of receipt. This period can be extended by a further two months for complex or numerous requests, provided you inform the individual within the first month.

Can I charge a fee for a Subject Access Request?

In almost all cases, you must provide the information free of charge. You can only charge a reasonable administrative fee if the request is manifestly unfounded, excessive, or if the individual asks for further copies of data you have already provided.

Do I have to provide physical copies of documents in a DSAR?

No, you are only required to provide a copy of the personal data itself, not the original documents containing the data. If the request is made electronically, you should provide the data in a commonly used electronic format like a secure PDF or CSV file.

What is the difference between Article 15 and Article 17?

Article 15 of the GDPR grants the right of access, allowing individuals to see what data you hold about them. Article 17 grants the right to erasure (the right to be forgotten), allowing individuals to request that you delete their personal data.

Can an employee submit a DSAR during a tribunal claim?

Yes, employees can submit an access request even if they are involved in active litigation or tribunal proceedings against you. You cannot refuse a valid request simply because the data might be used in a legal dispute.

What happens if I ignore a Data Subject Access Request?

Ignoring a DSAR is a breach of the GDPR. The individual can complain to your national supervisory authority, which can issue a formal reprimand, mandate compliance, or impose severe administrative fines.

Take Control of Your Cookie Compliance

If you are struggling to maintain clear consent records, you expose your website to regulatory risk during access requests. Kukie.io scans your website, categorises your trackers, and logs user preferences securely so you can prove compliance at a moment's notice.
