Access to personal data

Article 15 of the Applied GDPR sets out an individual's right to access personal data which are being processed. This is commonly referred to as a subject access request. 

Individuals are not required to explain why they are exercising this right. In some instances they will exercise this right to verify the lawfulness of the processing, or to enable them to exercise further rights.

Controllers must be able to facilitate the exercise of this right and are expressly required to bring this right to the attention of individuals under their transparency obligations. Where possible, controllers should consider providing individuals with direct access to their own data, via a secure, remote system.