According to the GDPR, you have a right to access the personal data that companies and other organisations (so-called controllers) store and process about you.
First of all, this includes a confirmation as to whether your personal data is being processed. If so, you can request a copy of said data. In addition, you have the right to further details, such as the purposes of the processing, the recipients to whom the data is passed on and the duration of the storage.
If you want to learn more, have a look at our article about your rights under the GDPR.
How do I exercise this right?
The GDPR does not impose any requirements on how you make your request. This means that you could in principle simply write an informal letter and send it to the controller. In theory, even a phone call would do.
In most cases, however, you should use the written form, if only to be able to prove later that you have actually made a request. And while you could also state informally that you would like access to your data, we advise you to make a more formal request referring to the specific legislation. This ensures that the controller cannot talk their way out of their responsibility.
What does a letter like that have to contain?
Don’t worry, you don’t have to write this letter yourself. We have prepared a sample letter for you to copy and adapt for your purposes.
Here is our sample letter for requests for access according to Art. 15 GDPR. The passages in [square brackets] are optional; you can decide yourself whether you want to include them. You still have to fill in the data in curly braces.
To Whom It May Concern:
I am hereby requesting access according to Article 15 GDPR. Please confirm whether or not you are processing personal data (as defined by Article 4(1) and (2) GDPR) concerning me.
In case you are, I am hereby requesting access to the following information pursuant to Article 15 GDPR:
- all personal data concerning me that you have stored, including any potential pseudonymised data on me as per Article 4(5) GDPR;
- the purposes of the processing;
- the categories of personal data concerned;
- the recipients or categories of recipient to whom the personal data have been or will be disclosed;
- where possible, the envisaged period for which the personal data will be stored, or, if not possible, the criteria used to determine that period;
- where the personal data are not collected from the data subject, any available information as to their source;
- the existence of automated decision-making, including profiling, referred to in Article 22(1) and (4) GDPR and, at least in those cases, meaningful information about the logic involved, as well as the significance and the envisaged consequences of such processing for me.
In case you are processing anonymised data concerning me, please not only inform me about that but also explain the procedure used in an easily understandable way.
If you are transferring my personal data to a third country or an international organisation, I request to be informed about the appropriate safeguards according to Article 46 GDPR concerning the transfer.
[Please make the personal data concerning me, which I have provided to you, available to me in a structured, commonly used and machine-readable format as laid down in Article 20(1) GDPR.]
My request explicitly includes any other services and companies for which you are the controller as defined by Article 4(7) GDPR.
As laid down in Article 12(3) GDPR, you have to provide the requested information to me without undue delay and in any event within one month of receipt of the request. According to Article 15(3) GDPR, you have to answer this request without cost to me.
I am including the following information necessary to identify me:
{Enter your identification data here. This often includes information like your name, your date of birth, your address, your email address and so on.}
If you do not answer my request within the stated period, I am reserving the right to take legal action against you and to lodge a complaint with the responsible supervisory authority.
Thank you in advance.
To make your life easier, you can also download the letter and use it directly with the word processor of your choice.
To whom do I send the letter?
You send the letter directly to the controller. If they have a data protection officer, we recommend that you always address the letter directly to this person. Data protection officers are not only specially trained, but are also required to treat your request confidentially.
Isn’t there an easier way?
The idea behind Datenanfragen.de is to make it as easy as possible for you to exercise your rights regarding data protection. We have therefore developed a generator with which you can create requests like this automatically. We invite you to give it a try.
We have made the following changes to this sample letter since the initial publication:
- April 18, 2020: Explain that ‘personal data’ includes pseudonymised data and explicitly request that as well. Mention anonymised data and request to be informed about it. Also request an easily understandable explanation of the procedure used. More consistent style between all templates. (Thanks, Andreas!)