Alex is Sprintlaw’s co-founder and principal lawyer. Alex previously worked at a top-tier firm as a lawyer specialising in technology and media contracts, and founded a digital agency which he sold in 2015.
- What Is Article 15 GDPR and Why Does It Matter?
- What Information Must You Provide in a GDPR Article 15 Response?
- What Are the Limits and Exceptions to Article 15 GDPR?
- The Importance of Transparency and Building Trust
- Summary Table: Article 15 GDPR Requirements
- Key Takeaways: GDPR Article 15 and Subject Access Requests
If you’re a business owner in the UK, there’s a good chance you’ve heard of the GDPR – but do you know what it really means when someone asks for access to their data?
The right of access (found in Article 15 of the GDPR) is one of the cornerstones of data protection law. In plain English, it gives people the power to find out exactly what personal data you hold about them and how it’s used. For businesses of any size, understanding Article 15 GDPR – and knowing how to respond to these so-called ‘subject access requests’ – is crucial for staying compliant and building trust with your customers.
Don’t panic if GDPR feels daunting! In this guide, we’ll break down:
- What Article 15 GDPR is really all about
- What you need to tell individuals when they ask for their data
- How to handle these requests in practice (without tripping up legally)
- Common pitfalls, exceptions, and best practices for staying out of trouble
Let’s demystify your obligations and show you how to handle GDPR rights of access requests in a way that keeps your business protected.
What Is Article 15 GDPR and Why Does It Matter?
Article 15 GDPR, often called the ‘right of access’, gives anyone (the “data subject”) the right to ask an organisation (the “data controller”) whether it processes their personal data – and, if so, to be provided with:
- Confirmation that you hold or process their data
- A copy of that data
- Certain details about how and why it’s being processed, who it’s shared with, and much more
This isn’t an optional extra – it’s a fundamental right of individuals under the UK GDPR, designed to promote transparency and accountability. The right of access under Article 15 empowers individuals to:
- Find out what information a business holds about them
- Understand how and why their data is used
- Check that their data is being lawfully processed
If you run a business and process the personal data of customers, staff, or anyone else, you must be ready to handle access requests. Failing to do so correctly can lead to complaints, regulatory investigations, and even hefty fines from the Information Commissioner’s Office (ICO).
What Information Must You Provide in a GDPR Article 15 Response?
So, what does a proper Article 15 GDPR response include? Let’s break down the essentials. Under Article 15, you need to provide clear and comprehensive answers to these main points:
- Whether You Process Their Data: Confirm if you’re handling their personal information at all.
- Copy of Personal Data: Supply an electronic or hard copy of the individual’s personal data you hold. This covers everything from basic contact info to emails, purchase histories, and more – if it qualifies as ‘personal data’ under GDPR.
- Purpose of Processing: Why are you holding or using this personal data?
- Categories of Personal Data: What types of information do you process (for example, name; contact details; payment history; CCTV footage)?
- Recipients or Categories of Recipients: Who have you shared the data with? This includes third parties and any transfers outside the UK or the EEA.
- Storage Periods: How long will you keep the data, or what criteria do you use to decide?
- Rights of the Individual: Explain their rights to rectify, erase, restrict, or object to processing – and their right to complain to the ICO.
- Source of Data: If you didn’t collect the data directly from them, where did you get it?
- Automated Decision-Making/Profiling: If you use profiling or make automated decisions that have legal or significant effects, explain how this works, what logic is involved, and the consequences for the individual.
- International Safeguards: If data is transferred outside the UK/EEA, what protections do you have in place?
The ICO provides detailed guidance on these points, and it’s important to tailor your response to match the specifics of the request and the data you actually hold.
For a more in-depth look at what counts as personal data or automated processing, see our guide on Everything You Need To Know About GDPR.
How Should Data Controllers Respond to Article 15 Requests?
No matter your business size, you need a clear, compliant process for handling access requests. Here’s what the law expects:
1. Verification of Identity
Before releasing any information, you should take ‘reasonable steps’ to verify that the person making the request is the data subject (the individual the data belongs to). This helps prevent unauthorised disclosure. Be proportionate – if the information you hold is sensitive, ask for more proof.
2. Clear, Understandable Responses
Your reply should be written in simple language – avoid jargon or legalese. The aim is to make your response truly accessible, whether you answer in writing or electronically (for example, via email or a secure portal).
3. Timely Replies
You must respond ‘without undue delay’ and, at the latest, within one month of receiving the request. If a request is complicated or you receive multiple requests from the same individual, you may extend this by a further two months – but you must tell the individual within the first month and explain why.
4. Free of Charge (in Most Cases)
The first copy of the information must be provided free of charge. You can charge a ‘reasonable fee’ for any further copies, but only if it reflects your administrative costs. Be careful – charging inappropriately can land you in hot water with the ICO.
5. Secure Delivery
Where possible, return the information in the format requested by the individual, especially if they submit their subject access request by electronic means. Remember, handling personal data “securely” is also a key GDPR obligation.
If you’re unsure, you can learn more in our resource on Customer Data Protection and our guide to data privacy impact assessments.
What Are the Limits and Exceptions to Article 15 GDPR?
It’s important to know that the right of access isn’t absolute. GDPR recognises the need to balance transparency with the rights and freedoms of others. Here are some notable limitations:
- Third-Party Data: You must avoid disclosing information about other individuals, except where it is reasonable to do so or the third party has consented. If redacting third-party details is possible, do so rather than refusing the request entirely.
- Intellectual Property and Trade Secrets: If responding would reveal business secrets or confidential know-how, you may be allowed to withhold all or part of the information – but this has to be balanced against the data subject’s rights. Seek legal advice if you’re unsure, as this can get tricky.
- Manifestly Unfounded or Excessive Requests: If someone makes repeated, excessive, or obviously unreasonable requests, you can refuse – or charge a reasonable fee for the costs incurred. However, you need to be able to justify your decision, and you must respond explaining why you won’t fulfil the request.
- Special Laws or Exemptions: Other UK laws, such as those relating to immigration, professional confidentiality, or law enforcement, may restrict the right of access in certain circumstances. Again, check the detail before rejecting any request.
If you find yourself facing a request you think might fall under one of these, we strongly recommend speaking to a data protection expert before you respond.
Best Practices for Handling Subject Access Requests in Your Business
To handle Article 15 GDPR requests smoothly (and legally), it makes sense to invest in some straightforward compliance steps. It’s also a good idea to make it easy for individuals to find out how to make a request to you (for example, via a dedicated page or contact form on your website).
1. Have a Clear, Written Procedure
Every business should have a Subject Access Request (SAR) Policy in place. This outlines how requests are identified, verified, processed, and recorded. Doing this doesn’t just help your staff – it also demonstrates accountability to the ICO if your procedures are ever scrutinised.
2. Train Your Team
Don’t keep GDPR compliance in a drawer! Make sure all staff (especially those who deal with customer queries) know how to recognise and escalate access requests, even if they arrive informally or on social media.
If you employ staff, consider building subject access handling into your wider workplace policies and staff handbooks.
3. Maintain Records
Keep a log of all access requests received, together with your responses, decisions, and any extensions or refusals (with reasons). This not only helps you manage deadlines, but may be required evidence if a complaint is made to the ICO.
4. Plan for Complex Scenarios
Think ahead to scenarios like:
- Requests that cover huge volumes of data (e.g. email archives, files, CCTV)
- People asking for data held in archived or backup systems
- Requests that also overlap with employee data, or where information includes references to third parties
Having clear procedures will help you agree timeframes with the requester or explain why some redactions are necessary.
5. Update Privacy Information
Make sure your Privacy Policy sets out how individuals can exercise their right of access, as well as what data you hold and how they can contact you. Being transparent up-front usually means fewer complicated access requests.
The Importance of Transparency and Building Trust
While dealing with subject access requests can seem like a chore, it’s actually an opportunity to show your customers that you take their privacy seriously. A clear and prompt response will:
- Increase trust and customer satisfaction
- Reduce the risk of complaints and regulatory action
- Position your business as responsible and GDPR-compliant
The spirit of Article 15 is all about transparency – making sure people are never left in the dark about what’s happening with their data. By acting proactively and treating every request with care, you’ll strengthen your reputation and avoid the headaches that come with non-compliance.
Summary Table: Article 15 GDPR Requirements
| Requirement | Description |
|---|---|
| Right of Access | Individuals can request confirmation of processing and a copy of personal data. |
| Disclosure Obligations | Must provide details on processing purposes, categories, recipients, storage periods, etc. |
| Automated Decision-Making | Explain profiling/logic, significance, and potential consequences. |
| Source of Data | Reveal if not collected from the subject directly. |
| International Transfers | Disclose safeguards for transfers outside the UK/EEA. |
| Format & Fees | First copy free, electronic format if requested; fees only for additional copies. |
| Timeline | Must respond within one month (extendable by a further two months for complex or multiple requests, if the individual is told within the first month). |
| Limitations | Protection for third-party data, trade secrets, excessive requests. |
Key Takeaways: GDPR Article 15 and Subject Access Requests
- Article 15 GDPR gives individuals the legal right to access their personal data, and find out exactly how and why it’s being used.
- Businesses must respond to requests within one month, providing confirmation, a copy of data, and detailed information about processing, sharing, and storage.
- It’s free to provide the first copy, but further requests may incur a reasonable administrative fee if justified.
- Always verify the identity of the requester before providing sensitive information, and watch for exceptions that may apply (especially third-party data or trade secrets).
- Keeping a clear, documented procedure and staff training programme will help you handle subject access requests smoothly – and prove your compliance if needed.
- Transparency lies at the heart of the GDPR. Proactively communicating with individuals about their rights – and how you protect their data – is good for business and compliance alike.
If you need expert advice on handling Article 15 GDPR requests, creating a robust data protection policy – or any other aspect of UK data and privacy law – our legal team is here to help.
You can reach us at 08081347754 or team@sprintlaw.co.uk for a free, no-obligation chat about your legal needs. Let us help you stay protected from day one!