What is GDPR Article 15 (Right of Access)?
GDPR Article 15 grants data subjects the right to obtain confirmation of whether their personal data is being processed and, if so, access to that data along with specific information about the processing.
Article 15 of the GDPR establishes the right of access by the data subject, which is one of the most frequently exercised data subject rights. It grants individuals the right to obtain confirmation from a data controller as to whether their personal data is being processed. If processing is taking place, the data subject has the right to access the personal data along with information about the purposes of processing, the categories of data concerned, the recipients or categories of recipients, the envisaged storage period, the existence of other rights (erasure, rectification, restriction, objection), the right to lodge a complaint with a supervisory authority, the source of the data if not collected from the data subject, and information about automated decision-making including profiling.
Controllers must provide a copy of the personal data undergoing processing free of charge in a commonly used electronic format when the request is made electronically. Additional copies may be subject to a reasonable fee. The response must be provided without undue delay and within one month of receipt, extendable by two further months for complex or numerous requests. Controllers must also verify the identity of the requester to prevent unauthorized disclosure.
Data subject access requests can be operationally challenging, especially for large organizations with data spread across many systems. SearchIQ enables organizations to quickly locate all data associated with a data subject, while DiscoverIQ maintains a comprehensive inventory to ensure no data repositories are missed when fulfilling access requests.
Relevant Regulations
How IQWorks Helps
Related Terms
Right of Access
The right of access grants individuals the ability to obtain from an organization confirmation of whether their personal data is being processed and to receive a copy of that data along with key details about the processing.
Data Subject Rights (DSR)
Data Subject Rights are the legal rights granted to individuals under data protection laws, enabling them to control how their personal data is collected, used, stored, and shared by organizations.
Data Subject Access Request (DSAR)
A Data Subject Access Request is a formal request made by an individual to an organization to obtain confirmation of whether their personal data is being processed and, if so, to receive a copy of that data along with details about how it is used.
GDPR (General Data Protection Regulation)
The General Data Protection Regulation is the European Union's comprehensive data protection law that sets strict rules for how organizations collect, store, and process personal data of EU residents, with fines up to 4% of annual global turnover.
Data Discovery
Data discovery is the automated process of identifying and cataloging personal data across an organization technology landscape, including databases, file systems, cloud storage, and SaaS applications.