In an age shaped by artificial intelligence, algorithmic decisions and relentless data breaches, many people still do not realise they hold a powerful legal right. The ability to ask any organisation what personal information it keeps about them.
This right is known as a Subject Access Request, often called the right of access. It sits at the centre of modern data protection law and gives individuals a practical audit tool, a way to look behind the curtain and see how decisions are made about their lives. Complaints about access requests remain among the most common issues handled by regulators such as the Irish Data Protection Commission and the UK Information Commissioner’s Office, and courts across Ireland, the United Kingdom and Europe have repeatedly confirmed that organisations must treat this right seriously.
The legal foundation comes from Article 15 of the General Data Protection Regulation. It gives individuals the right to know whether an organisation processes their personal data and to receive a copy of that data together with information explaining how it has been used. Recital 63 explains the purpose clearly. Individuals must be able to verify the lawfulness of processing. In plain terms, the law allows people to see how their data is used in the digital economy.
European courts have also confirmed that personal data is far broader than most people assume. Exam scripts, CCTV footage, internal emails, customer service notes, HR files and even recorded opinions about a person can all fall within the definition. In practice, personal data may include almost any record linked to an identifiable individual.
Asking for your data is easier than most people think. A request does not need legal language or a special form. A short email stating, “Please provide a copy of all personal data you hold about me under Article 15 GDPR,” is legally valid. Requests can be made by email, letter or even verbally. Once any part of an organisation receives a request capable of being understood as a Subject Access Request, the legal clock begins.
Many organisations still believe they can refuse broad requests because they are time consuming or expensive. Courts have rejected this idea. Cost and inconvenience alone are not valid reasons to deny access. Where large volumes of data are involved, organisations may ask the requester to clarify the scope to make searching easier, but they must still carry out reasonable and proportionate searches.
Article 15 requires organisations to provide confirmation that personal data is processed, a copy of that data and information explaining how it is used. The copy must be intelligible and meaningful. This is why organisations often provide emails, reports and records rather than simple summaries. The aim is transparency, not token disclosure.
Organisations must respond within one month of receiving a request. They may extend this by up to two further months where requests are complex, but they must inform the requester within the first month and explain why. Regulators continue to take enforcement action where organisations allow backlogs to develop or fail to respond properly.
In most cases organisations cannot charge a fee for providing the first copy of personal data. A fee may only be charged where requests are manifestly unfounded or excessive, which is a high legal threshold. Organisations can ask for identification if there is reasonable doubt about identity, but the request must be proportionate. Demanding excessive documentation may itself breach data protection law.
The right of access is powerful but not absolute. Organisations may redact other people’s personal data, confidential references and legally privileged material. This balancing exercise protects both transparency and fairness.
Subject Access Requests are more than a technical legal right. They allow people to check records, understand decisions and challenge unfair treatment. In a society increasingly shaped by data, transparency is not a luxury but a foundation of trust. Courts and regulators across Europe are sending a consistent message that the right of access must be respected in practice, not merely acknowledged in policy.
For the public, the lesson is simple. If you have ever wondered what an organisation knows about you, the law gives you the right to ask and the right to receive an answer. In the digital age, transparency is power, and sometimes that power begins with a single email.
This article is provided for general information purposes only and does not constitute legal advice. Specific advice should be sought in relation to particular circumstances.
