The right of access is one of the most important rights in the GDPR, not only because refusing to disclose data to a data subject can result in penalties, but also because it is a precursor to other rights like erasure or rectification.
When confronted with an access request, a data controller should first verify whether any data of the data subject is being processed. If so, several pieces of information should be provided. For instance, the response should include the categories of personal data being processed, the purposes of the processing, the recipients of the data, the planned duration of storage, and whether the data is transmitted to a third country, especially if the country is outside of the EU. Furthermore, the provided information should include the rights the data subject has with regard to their data, such as rectification, erasure, information, the right to know if any automated processing is performed, and what safeguards are taken.
Article 12 states that the information can be provided electronically, verbally or in writing. Furthermore, it should be provided without undue delay, within a month of receipt of the request. If the access request is unjustified, or if excessive requests are made, a controller has the right to refuse.
Articles: 12, 15, 46.