Legal requirements, strategic risks, and best practices for dealing with Article 15 GDPR
The right of access under Article 15 GDPR is one of the key rights of data subjects in data protection law. Originally created to ensure transparency in the processing of personal data, its practical significance has increasingly changed in recent years. Today, companies are faced with a rapidly rising number of strategically motivated subject access requests - often legally challenging and involving considerable organizational effort. The recipients of such requests are therefore increasingly asking themselves: How can we handle subject access requests in a legally compliant, efficient, and strategically smart way?
From a protective right to a strategic lever
In practice, it is evident that the GDPR right of access is no longer used solely to review data processing. Rather, it serves as a tactical tool in various constellations, for example:
- by individuals well-versed in data protection law (“data protection enthusiasts”),
- in the aftermath of data breaches or cyberattacks,
- following scandals covered by the media, or
- specifically in the context of legal disputes, such as in labor or insolvency law.
AI-supported tools and standardized sample letters have significantly lowered the threshold for submitting requests. Thus, the right of access has effectively become a universal right - with significant consequences for companies.
Who is entitled to what - and how far does the right extend?
Even the formal basics are more complex than they appear at first glance:
- Not only the data subject themselves, but also a representative can request access to their personal data.
- Although only the controller is obliged to provide information, the data processor has a duty to assist.
- The right of access covers current data processing.
- The deadline for providing access or copies of data is generally one month but may be extended under certain circumstances.
- Access to the personal data held about individuals is generally provided free of charge, unless the request is manifestly unfounded or excessive.
At this point, it is already clear that errors in classification can quickly lead to missed deadlines, incomplete information, or unnecessary escalations with data protection supervisory authorities.
Excessive, legally abusive - but when exactly?
The distinction between permissible subject access requests and those that can be classified as excessive or legally abusive is particularly contentious. The GDPR itself leaves room for interpretation here, which is further defined by case law and guidelines:
- frequent repetitions,
- deliberately undifferentiated or extremely broad requests, or
- a recognizable misuse of the right of access (e.g., for the purpose of causing harm or “blackmail”).
These factors may justify a restriction or refusal of access under certain circumstances. However, the burden of proof for this lies with the company - a considerable risk, especially without proper documentation and a clear strategy.
Current legislative developments at EU level, such as the EU Commission's Digital Omnibus package of November 19, 2025, indicate a possible strengthening of the defense options for companies in this context, but practical application will continue to be highly dependent on individual cases in the future.
Use case: labor law - access as a means of pressure
In the context of labor law, the GDPR right of access is particularly explosive. Typical problem areas are:
- the scope of access to email inboxes, chat histories, or internal memos,
- the handling of confidential assessments, and
- the question of redactions and the protection of third-party rights.
It is not uncommon for the right of access to be used specifically as a means of pressure in dismissal protection proceedings. Although it is possible in principle to waive the right of access – according to the latest case law in the context of a labor law settlement – this requires legal precision and a clear understanding of the data protection framework.
Use case: insolvency law - data volumes, evidentiary function, conflicts
The right of access also raises significant questions in insolvency law. With the transfer of administrative and dispositive rights to the insolvency administrator, the latter generally becomes the data protection controller. This then leads to various practical problems for the insolvency administrator:
- large amounts of data,
- personal data as evidence in ongoing proceedings, and
- rights of access of former board members or opponents in legal proceedings.
This is where it becomes particularly apparent that data protection, litigation strategy, and economic interests are inextricably intertwined and that it is not uncommon for insolvency administrators to receive subject access requests constituting an abuse of the law.
Best practice: Why dealing with GDPR access requests requires strategic decisions
In practice, the GDPR right of access is often treated as a purely operational data protection issue. In fact, however, it is a highly sensitive process, both legally and strategically, in which early decisions have a significant impact on the further course of events.
Preliminary review: Are there any formal or material points of contention?
Not every request must be fulfilled in its entirety. A careful preliminary review is essential and includes the following questions, among others:
- Is the request sufficiently specific or deliberately formulated in a very broad and undifferentiated manner?
- Are there any indications of excessive or legally abusive use of the right of access?
- Are there any reasons for exclusion that would prevent access from being granted?
- To what extent should redactions be made?
- Have the statutory deadlines been correctly set, or are there doubts about the identity or power of representation of the applicant?
Formal deficiencies or uncertainties, if addressed correctly, can not only buy time, but also appropriately limit the scope of access disclosed. Errors made at this stage are difficult to correct later on.
Deadline management: More than just a calendar entry
At first glance, the one-month deadline specified in Art. 12 GDPR seems clear. In practice, however, numerous questions arise:
- Is an extension of the deadline objectively justified and how must it be justified?
- When is a request considered “complex”?
- What are the consequences of an insufficiently communicated or delayed extension?
Professional deadline management is not only a formal obligation, but often crucial for the defense position vis-à-vis data protection supervisory authorities or courts.
Content design: How much is too much?
Probably the most sensitive issue is the scope of access. Companies regularly find themselves caught between:
- their transparency obligations towards the data subject,
- the protection of confidential information and trade secrets,
- the rights and personal data of third parties, and
- their own procedural interests.
Issues such as redactions, the disclosure of email content, internal evaluations, or complete data copies are highly controversial from a legal perspective and always depend on the individual case. Providing too much information can have irreversible disadvantages – just as providing too little.
Sender: Own response or response by external legal advisors?
One of the frequently underestimated questions is: Who should respond to a subject access request?
- Internal responses may be appropriate for clearly limited, factually formulated requests without any apparent conflict.
- External responses by lawyers are particularly appropriate if:
  - the request is related to labor law, insolvency law, or other contentious proceedings,
  - there is evidence of legal abuse or tactical motives,
  - confidential information such as trade secrets or third-party rights is involved, or
  - subsequent judicial or administrative review appears realistic.
This is not only a matter of legal protection, but also of sending a signal: the applicant will regularly read your response carefully and strategically assess who responds, in what tone, and to what extent.
Tone and communication: factual, defensive, or cooperative?
The tone of the response is also not a minor aspect. Depending on the context, it may be appropriate to use:
- a deliberately neutral and objective style to avoid escalation,
- a clearly structured, legally precise tone to set boundaries,
- or - in certain situations - deliberately cooperative communication to avoid follow-up requests or complaints.
An ill-considered tone can unnecessarily escalate access requests or be interpreted as an invitation for further demands.
Documentation and verifiability
Regardless of the specific approach, every decision must be documentable. In the event of a dispute, the company regularly bears the burden of proof and explanation as to why access to the personal data of an individual was restricted, delayed, or denied. A lack of documentation quickly becomes a risk for the company.
Conclusion: Complex, risky - and always a case-by-case basis
The GDPR right of access is no longer a marginal issue purely related to data protection law. It affects compliance, litigation strategy, HR processes, and corporate communications in equal measure. For companies, this means that every subject access request requires individual assessment, legal sensitivity, and strategic experience. Blanket responses or purely operational solutions are often insufficient.
Precisely because each case is different, practice shows that anyone who attempts to handle subject access requests exclusively internally and schematically runs the risk of becoming legally vulnerable or suffering unnecessary strategic disadvantages.