GDPR Article 15: Right of Access — Control Implementation Guide
Data subjects have a fundamental right to know what personal data you hold about them and how you're processing it. GDPR Article 15 requires you to respond to access requests within 30 days with a complete copy of their data. This control ensures you have documented processes to capture, verify, and fulfill these requests consistently.
What this means
The right of access gives data subjects the ability to request confirmation of whether their personal data is being processed, and if so, to receive a copy along with supplementary information about processing purposes, recipients, retention periods, and their other rights. You must respond within one calendar month of receipt. Only in cases of complex or numerous requests may you extend the deadline to three months, provided you inform the requester within the first month with justification.
How to comply
- 1.Establish a documented data access request process that captures requests through multiple channels (email, web form, support portal)
- 2.Create a verification mechanism to confirm requester identity before disclosing personal data
- 3.Implement a centralized intake and tracking system to log all requests with receipt dates and response deadlines
- 4.Document data mapping across systems to enable rapid retrieval of all personal data held on an individual
- 5.Define roles and responsibilities for request handling, data compilation, and quality review
- 6.Set a response timeline targeting 20-25 days to allow buffer before the 30-day deadline
- 7.Prepare standard templates for common supplementary information (processing purposes, legal basis, recipients, retention logic)
- 8.Establish escalation procedures for requests flagged as complex, with documented justification for any 3-month extension
- 9.Maintain audit logs of all access requests, responses, and dates to demonstrate compliance
Evidence auditors look for
- Data access request policy and procedures documentation
- Request intake forms showing evidence of received requests with timestamps
- Identity verification logs confirming data subject validation before disclosure
- Data retrieval records and system queries used to compile personal data
- Response letters or data packages sent to data subjects with supplementary information
- Audit logs showing request dates, response dates, and compliance with 30-day (or justified 3-month) deadline
- Templates for standard responses and supplementary information disclosures
- Escalation records documenting requests extended beyond 30 days with written justification
- Training records for staff handling access requests
Frequently asked questions
When will FAQs be available?
The FAQ for this control is currently being prepared.
GRCWatch automates data subject request tracking and deadline management, logs identity verification steps, and generates compliant response packages with supplementary information—eliminating manual spreadsheets and missed 30-day deadlines.
See how GRCWatch handles this control automatically
Start free trial