Right of access
People have a right of access to the personal data that organisations process about them. This right is intended to give people more grip on their personal data. They can also use this right to check whether organisations abide by the rules when processing their data.
Does someone ask an organisation for access? Then the organisation is not allowed to be secretive about which data it has about this person, where the data come from, and what happens with them.
If people have been given access to their data, they can use their other privacy rights. They may, for example, ask an organisation for rectification of their data if these are incorrect. Or for removal of data, for example if the organisation uses them contrary to the law.
Determine what you want access to
Do you want to ask an organisation for access? Then you are in principle entitled to access to all your personal data. But this can be an awful lot of data. It includes, for example:
- personal data from emails;
- any recorded telephone conversations;
- any correspondence that the organisation had about you with other organisations.
Ask yourself, therefore, for what purpose exactly you want access. For example:
- You want to check that the organisation has not recorded an unnecessary amount of personal data in your personal file.
- You only want more information about what the organisation does with your personal data.
This is how you ask for access
Send an email or a letter to the organisation from which you want access. You can use the access example letter of the Dutch Data Protection Authority for your request.
Indicate in your email or letter which personal data you want access to. Does an organisation have a whole lot of data about you? And did you not indicate yourself which data you want access to? Then the organisation may contact you to ask what exactly you want access to.
Written request for access
Making your request in writing, and therefore by letter or email, is useful for obtaining evidence. If the organisation does not respond to your request, or refuses your request, you can demonstrate which steps you have taken. This is necessary if you want to submit a complaint to the Dutch Data Protection Authority (Dutch DPA) or if you want to go to court.
Organisation has to verify your identity
Before processing your request, the organisation has to verify your identity. This protects your privacy by preventing someone else from gaining access to your data.
Organisation has to respond within 1 month
The organisation is obliged to respond to your request by letter or email within 1 month. Is your request complicated? Or did you send multiple requests to the same organisation? Then the organisation may take 2 more months to respond. In that case, the organisation has to let you know within 1 month that a response will take longer, and the reason for this delay.
In the response, the organisation has to inform you whether it will honour your request. And if so, what exactly the organisation is going to do.
Organisation does not respond or does not respond in time
Did you not receive a response from the organisation within 1 month? Then you can contact the Data Protection Officer (DPO) or the privacy officer of the organisation, if the organisation has one. You can find the contact details of this person in the privacy statement on the organisation's website.
Does this person not respond either? Or are you not satisfied with the response? What you can subsequently do depends on whether it concerns a business or a governmental organisation.
Business
You can submit a complaint to the Dutch DPA. Or initiate application proceedings with the court.
Governmental organisation
You can submit a complaint to the Dutch DPA. Or give the governmental organisation notice of default because of failure to decide in time. Do you not receive a decision within 2 weeks after giving notice of default? Then you can lodge an appeal because of failure to decide in time with the administrative court.
Organisation refuses access
The organisation may refuse access to part of your data. For example, to block information in your file that is about someone else. Is it expected that someone else may object to you being given access? Then the organisation will have to ask that person's opinion first. And then decide whether you will be given access.
Does the organisation refuse your request for access? Then the organisation will have to let you know why. Do you disagree with the refusal of your request? Then you can submit a complaint to the Dutch DPA. Or you can initiate application proceedings with the court, if it concerns a business. Does it concern a governmental organisation? Then you can lodge an objection with the governmental organisation.
This is what you receive if you are given access
The personal data that you receive from the organisation have to enable you to check if your data are correct and if the organisation processes your data correctly. That is why the organisation has to give you a copy of your personal data.
Copy of your data
There are 2 ways in which the organisation can give you a copy of your personal data:
- By making copies of all documents in which your personal data can be found.
- By only copying your personal data instead of the entire documents, and then compiling these data in a complete overview.
The organisation is obliged to do it the first way if you really need the documents themselves for a good understanding of the context in which your personal data have been processed.
The second way is only permitted if an overview is enough for you to be able to check which personal data the organisation processes about you, if these data are correct, and if the organisation processes the data correctly.
Usually, an overview will be enough. In that case, the entire documents are not necessary.
Information about the use of your personal data
The organisation also has to give you information about the use of your personal data. The organisation has to let you know:
- For which purpose the organisation uses your data.
- Which types of data the organisation uses.
- Which organisations or type of organisations, if any, receive your data.
- Whether the organisation transfers your data to countries outside the EEA or to international organisations. And if so, which measures the organisation takes for handling your personal data with due care.
- For how long the organisation retains your personal data. Is the organisation unable to indicate this precisely? Then the organisation will in any case have to make clear how the organisation determines the retention period.
- What your privacy rights are. And that you have the right to submit a complaint to the Dutch Data Protection Authority.
- How the organisation has obtained your data, if you have not passed them on to the organisation yourself.
- Whether the organisation takes automated decisions about people, including profiling. And if so, why the organisation does this, based on what logic, and which consequences this may have for you.
Access to your data is free of charge
The organisation is not allowed to ask for money if you want access to your data, unless you ask for extra copies. In that case, the organisation may charge a reasonable fee.
For organisations: right of access in practice
Do you, as an organisation, receive a request for access? Take a look at "For organisations: privacy rights in practice" to see what you have to do to handle the request in accordance with the rules (among other things: verifying the requester's identity and the reply period). In addition, these particulars apply for the right of access in the following situations:
- lack of clarity about which data someone wants access to;
- provision of a copy of personal data;
- giving information about access to personal data;
- giving information about the processing;
- charging costs for extra copies.
Lack of clarity about which data someone wants access to
Is it not clear to which personal data someone wants access? And does it concern a lot of data? Then contact this requester to ask what exactly this person wants access to. Always confirm in writing what you have discussed, to avoid misunderstandings.
Provision of a copy of personal data
Provide a copy of the personal data that someone wants access to. How you have to do this depends on the situation. There are 2 ways:
- copying the documents;
- compiling a complete overview.
1. Copying the documents
You may be obliged to make a copy of all documents in which the requested personal data can be found. You are obliged to do this if the documents are indispensable for the requester for a good understanding of the context in which you have processed the personal data. Pay attention that you do not accidentally share the personal data of others in the process.
2. Compiling a complete overview
Usually, complete documents are not necessary for the requester to check which personal data you process about this person, if those data are correct, and if you process the data correctly. If that is the case, you are permitted to compile a complete overview.
In this overview you copy all personal data you process about someone, unless agreed otherwise with that person. That it must be a complete overview means that some personal data may be in the overview more than once. For example: if you have recorded someone's address in more than one location. See the Access to personal data example overview.
To inform the person in question properly, it may also be necessary that you give information about the type of document in which the personal data can be found. For example, by indicating that the personal data occur in an email or by mentioning a file name.
Giving information about access to personal data
People also have the right to know who within your organisation has had access to their data. So if someone who makes a request for access to you asks about this, you provide an overview of (categories of) employees who have had access. You compile this overview on the basis of your logfiles.
Giving information about the processing
In addition to a copy of the personal data, you also have to give information about the processing if someone makes a request for access.
Charging costs for extra copies
If the requester wants extra copies, you are allowed to charge a reasonable fee for them.
Example letter
Would you like to exercise your right of access? Our example letter will make it easier for you to contact organisations.