Right of access
People have a right of access to the personal data that organisations process about them. This right is intended to give people more control over their personal data. They can also use this right to check whether organisations abide by the rules when processing their data.
If an organisation uses your personal data, you may ask the organisation which data it concerns. And how the organisation processes your data. This is called the right of access. This right is intended to give people more control over their personal data. They can also use this right to check whether organisations adhere to the rules when processing their personal data.
On this page
On this page you can read how you can request access from an organisation. And what you can expect from the organisation when you request access.
Access in 5 steps
Are you asking an organisation for access to your personal data? Then there are 5 steps that you and the organisation must go through. Below you can read which steps these are. On this page you can also read more about exactly what these steps entail.
- This is how you request access: you send your request to the organisation by e-mail or letter.
- Does the organisation have a question about your request? Then the organisation will contact you.
- The organisation must check whether you are who you say you are. So that your personal data does not unintentionally go to the wrong person.
- The organisation must respond to your request within 1 month. The organisation will then let you know whether you receive the requested information. Or that the organisation refuses (part of) your request and why.
- You will have access to your personal data. Unless the organisation has refused your request.
If you have been given access to your data, you can use your other privacy rights. You may, for example, ask the organisation for rectification of your data if these are incorrect. Or for removal of your data, for example if the organisation uses them contrary to the law.
1. This is how you ask for access
Send an email or a letter to the organisation from which you want access. You can use the access model letter of the Dutch Data Protection Authority for your request.
Making your request in writing, that is, by letter or email, is useful as evidence. Because if the organisation does not respond to your request, or the organisation refuses your request, you can demonstrate which steps you have taken. This is necessary if you want to submit a complaint to the Dutch Data Protection Authority (Dutch DPA) or if you want to go to court.
Which personal data?
You are in principle entitled to access to all of your personal data. You do not have to indicate which personal data you want access to. You also do not have to say why you want access.
The organisation is not allowed to be secretive about which data it has about you, where the data come from, and what happens with them.
But the organisation may have a lot of information about you. The organisation may then contact you to ask what exactly you want access to. But you are not obliged to answer that.
Access to your data is free of charge
The organisation is not allowed to ask for money if you want access to your data. Unless you ask for extra copies. In that case, the organisation may charge a reasonable fee.
2. Organisation has a question
The organisation may have a question about your request. For example because:
- Something is not clear.
- The organisation has a lot of information about you. And therefore wants to know whether you really want to receive all of that.
If the organisation has a question, it will contact you.
3. Organisation has to verify your identity
Before processing your request, the organisation has to verify your identity. This is for the protection of your privacy, to prevent someone else from gaining access to your data.
4. Organisation has to respond within 1 month
The organisation is obliged to respond to your request by letter or email within 1 month. Is your request complicated? Or did you send multiple requests to the same organisation? Then the organisation may take 2 more months to respond. In that case, the organisation will have to let you know within 1 month that a response will take longer and what the reason for this delay is.
In the response, the organisation has to inform you whether it will honour your request. And if so, what exactly the organisation is going to do.
Read what you can do if the organisation does not respond or does not respond in time
5. This is what you receive if you are given access
The personal data that you receive from the organisation have to enable you to check if your data are correct and if the organisation processes your data correctly. That is why the organisation has to give you a copy of your personal data.
Copy of your data
There are 2 ways in which the organisation can give you a copy of your personal data:
- By making copies of all documents in which your personal data can be found.
- By only copying your personal data instead of the entire documents. And by then compiling these data in a complete overview.
The organisation is obliged to do it the first way if you really need the documents themselves for a good understanding of the context in which your personal data have been processed.
The second way is only permitted if an overview is enough for you to be able to check which personal data the organisation processes about you, if these data are correct, and if the organisation processes the data correctly.
Usually, an overview will be enough. In that case, the entire documents are not necessary.
Information about the use of your personal data
The organisation also has to give you information about the use of your personal data. The organisation has to let you know:
- For which purpose the organisation uses your data.
- Which types of data the organisation uses.
- Which organisations or types of organisations, if any, receive your data.
- Whether the organisation transfers your data to countries outside the EEA or to international organisations. And if so, which measures the organisation takes for handling your personal data with due care.
- For how long the organisation retains your personal data. Is the organisation unable to indicate this precisely? Then the organisation will in any case have to make clear how the organisation determines the retention period.
- What your privacy rights are. And that you have the right to submit a complaint to the Dutch Data Protection Authority.
- How the organisation has obtained your data, if you have not passed them on to the organisation yourself.
- Whether the organisation takes automated decisions about people, including profiling. And if so, why the organisation does this, based on what logic, and which consequences this may have for you.
Organisation does not respond or does not respond in time
Did you not receive a response from the organisation within 1 month? Then you can contact the Data Protection Officer (DPO) or the privacy officer of the organisation, if the organisation has one. You can find the contact details of this person in the privacy statement on the organisation's website.
Does this person not respond either? Or are you not satisfied with the response? What you can subsequently do depends on whether it concerns a business or a governmental organisation.
Business
You can submit a complaint to the Dutch DPA. Or initiate application proceedings with the court.
Governmental organisation
You can submit a complaint to the Dutch DPA. Or give the governmental organisation notice of default because of failure to decide in time. Do you not receive a decision within 2 weeks after giving notice of default? Then you can lodge an appeal because of failure to decide in time with the administrative court.
Organisation refuses access
The organisation may refuse access to part of your data. For example, to block information in your file that is about someone else. Is it expected that someone else may object to you being given access? Then the organisation will have to ask that person's opinion first. And then decide whether you will be given access.
Does the organisation refuse your request for access? Then the organisation will have to let you know why. Do you disagree with the refusal of your request? Then you can submit a complaint to the Dutch DPA. Or you can initiate application proceedings with the court, if it concerns a business. Does it concern a governmental organisation? Then you can lodge an objection with the governmental organisation.
More information
Example letter
Would you like to exercise your right of access? Our example letter will make it easier for you to contact organisations.