Access requests in business practice

Key aspects for the benefit of your company


Data subjects have a number of rights in relation to data controllers. When you receive requests from data subjects, it is important to handle them correctly to prevent them from becoming a major problem for your company and your data protection organisation. Read here about the points to bear in mind.

How must the request for information be submitted?

There are virtually no formal requirements for data subject requests. Data subjects can submit them in writing, electronically or verbally. It is important for the handling of the request to understand what the data subject is concerned about. This sounds logical, but in practice can be the first challenge. You should ask yourself what the data subjects really want. If requests from data subjects are not clear, you need to be able to interpret them. The following requests regarding data subjects' rights are particularly suitable for this purpose

·       Access in line with Art. 15 (1) GDPR

·       Provision of a copy of the data in line with Art. 15 (3) GDPR

·       Rectification pursuant to Art. 16 GDPR

·       Erasure pursuant to Art. 17 GDPR

·       Restriction of processing or blocking of their personal data (Art. 18 GDPR) or

·       Data portability (Art. 20 GDPR)

It is also possible, and in practice a frequent case, that data subjects request the restriction of their email or telephone number for web emails or calls.

The right interpretation of the data subject's request is the first step towards a good response. In order to avoid misunderstandings, it makes sense to inform the data subject of the result of the interpretation when replying. One possible phrasing could be:

"Thank you for your email. We understand your request as a request for information in accordance with Art. 15 (1) GDPR."

Let's take a closer look at the highly relevant cases of access pursuant to Art. 15 (1) GDPR and the provision of a copy of data pursuant to Art. 15 (3) GDPR.

Identity check

To ensure that the response to the access request does not itself become a compliance boomerang, it is important to only provide the information to the data subject. This is also required by Art. 12 (6) GDPR. In practice, it happens from time to time that divorced spouses, the ex, other family members or complete strangers make requests for information. Answering these without verifying your identity can easily lead to a disaster.

You should always check who you are dealing with on the other side. This is not a problem for requests from your own employees, customers you know personally or other people you know personally. If you do not know the requesting party personally, you must ask yourself whether there are reasonable doubts about their identity. This may be the case, for example, if an enquiry is sent from an email that you do not know, or if an email suggests that it is a different person because, for example, a data subject enquiry is sent from the email account sue.miller @ for the data subject Jack Russel Brown.

If there are reasonable doubts, the identity must be verified. The principle here is that the more sensitive the information to be disclosed, the higher the requirements for identification. In particular, the following can be considered

·       Requesting additional information (birthday, adress etc.)

·       Registration and confirmation via a verified account or

·       Post-/Video-Ident and sending identification documents for particularly sensitive information.

Power of attorney for access requests handled by lawyers

In practice, it is relatively common for requests for information to be made by lawyers. This is permissible. The data controller should then ensure that a power of attorney exists for making the request for information and for receiving the information. If no original power of attorney is submitted, but only a fax or similar, the information can be rejected "immediately" in accordance with Section 174 BGB (see Regional Court Stuttgart judgement of 31.03.2021 - 9 U 34/21). The information period (see below) then only begins with the submission of an original power of attorney.

If the power of attorney does not contain a clear indication that the information may also be provided to the lawyer, in case of doubt the information should not be sent to the lawyer, but directly to the person concerned.

Information to be provided

When requesting information, the first question to be answered is always whether the data subject's personal data is being processed. This must either be confirmed or denied.

If personal data is processed, the content of the information depends on what the data subject requests. Information in accordance with Art. 15 (1) GDPR, handing over copies of data in accordance with Art. 15 (3) GDPR or specially specified information. Data controllers can request/ask data subjects to specify which information is to be provided or to which processing operations the request relates. This can help to ensure that information is provided quickly and in accordance with the wishes of the data subject. However, it does not mean that data subjects are entitled to less information than originally requested.

If information is requested in accordance with Art. 15 (1) GDPR, information must be provided in accordance with the catalogue of Art. 15 (1) GDPR on

·       purposes of the processing,

·       categories of personal data being processed,

·       recipients or categories of recipients of the personal data (in doubt, at the choice of the data subjects)

·       planned retention or the criteria for determining retention

·       data subject rights and the right to lodge a complaint with a supervisory authority

·       the origin of the data,

·       the existence of automated decision-making, including profiling.

If copies of data are requested in accordance with Art. 15 (3) GDPR, copies of the data must be provided. If the request relates to documents, a copy of the document itself must also be provided in accordance with ECJ case law, insofar as this is necessary for the control of data processing.

If less than the content of Art. 15 (1) GDPR or Art. 15 (3) GDPR is requested, correspondingly less information must be provided.

Timeline and form of the information

Pursuant to Art. 12 (3) GDPR, the time limit for providing information is one month from receipt of the request for information. The deadline can be extended to up to three months in the event of particular complexity or a high number of requests. In practice, it is advisable to send a confirmation of receipt immediately after receiving a request and to announce that you will get back to us within one month in order to manage expectations and avoid complaints to data protection authorities. Of course, this is especially true if data subjects themselves set shorter deadlines.

It is important to choose a secure channel for the transmission of the information so that the content of the information is protected. The more sensitive the content, the higher the requirements. In the frequent case of transmission by email, appropriate encryption should be provided in case of doubt.

Depending on the type of communication with the data subject, the information must be provided in writing, electronically or verbally. In case of doubt, the channel chosen by the data subject or the channel that is recognisably desired should be used. As a rule, copies of data must be provided in a commonly used electronic format.

Is it possible to reject access requests?

There are cases in which access may be rejected or made subject to paying a fee. These are

·       obviously unfounded requests and

·       excessive requests.

These exceptions are rare and are applied very cautiously in case law. It is therefore a very blunt sword to defend yourself against requests for information.

What happens if you do not provide information?

Unanswered requests for information are the breaking point of any data protection organisation and should be avoided. Especially if there is already a conflict with data subjects, unanswered requests for information often end up with the data protection authorities. You should then have a good justification - or excuse - ready, otherwise you could face fines of up to EUR 20 million or 4% of the company's turnover. Those affected can also claim material and immaterial damages. The first judgements have been handed down in which claims for damages for late information have been awarded, e.g. EUR 10,000 by the Oldenburg Labour Court in its judgement of 9 February 2023 - Ref. 3 Ca 150/21.