Right of access
If an organisation uses your personal data, you may ask the organisation which data it concerns. And how the organisation processes your data. This is called the right of access. This right is intended to give people more control over their personal data. They can also use this right to check whether organisations adhere to the rules when processing their personal data.
On this page you can read how you can request access from an organisation. And what you can expect from the organisation when you request access.
Access in 5 steps
Are you asking an organisation for access to your personal data? Then there are 5 steps that you and the organisation must go through. Below you can read which steps these are. On this page you can also read more about what these steps exactly entail.
- This is how you request access: you send your request to the organisation by e-mail or letter.
- Does the organisation have a question about your request? Then the organisation will contact you.
- The organisation must check whether you are who you say you are. So that your personal data does not unintentionally go to the wrong person.
- The organisation must respond to your request within 1 month. The organisation will then let you know whether you receive the requested information. Or that the organisation refuses (part of) your request and why.
- You will have access to your personal data. Unless the organisation has refused your request.
If you have been given access to your data, you can use your other privacy rights. You may, for example, ask the organisation for rectification of your data if these are incorrect. Or for removal of your data, for example if the organisation uses them contrary to the law.
1. This is how you ask for access
Send an email or a letter to the organisation from which you want access. You can use the access model letter of the Dutch Data Protection Authority for your request.
Making your request in writing, that is by letter or email, is useful because it gives you evidence. If the organisation does not respond to your request, or refuses your request, you can demonstrate which steps you have taken. This is necessary if you want to submit a complaint to the Dutch Data Protection Authority (Dutch DPA) or if you want to go to court.
Which personal data?
You are in principle entitled to access to all of your personal data. You do not have to indicate which personal data you want access to. You also do not have to say why you want access.
The organisation is not allowed to be secretive about which data it holds about you, where the data come from, and what happens with them.
But the organisation may have a lot of information about you. The organisation may then contact you to ask what exactly you want access to. But you are not obliged to answer that.
Access to your data is free of charge
The organisation is not allowed to ask for money if you want access to your data. Unless you ask for extra copies. In that case, the organisation may charge a reasonable fee.
2. Organisation has a question
The organisation may have a question about your request. For example because:
- Something is not clear.
- The organisation has a lot of information about you. And therefore wants to know whether you really want to receive all of that.
If the organisation has a question, it will contact you.
3. Organisation has to verify your identity
Before processing your request, the organisation has to verify your identity. This is for the protection of your privacy, to prevent someone else from gaining access to your data.
4. Organisation has to respond within 1 month
The organisation is obliged to respond to your request by letter or email within 1 month. Is your request complicated? Or did you send multiple requests to the same organisation? Then the organisation may take 2 more months to respond. In that case, the organisation will have to let you know within 1 month that a response will take longer, and the reason for this delay.
In the response, the organisation has to inform you whether it will honour your request. And if so, what exactly the organisation is going to do.
Read what you can do if the organisation does not respond or does not respond in time
5. These are the data that you receive
The purpose of the right of access is that you must be able to check if your personal data are correct. And if the organisation processes your personal data correctly. That means: in the way the law says that it must be done.
The organisation is obliged to give you a copy of your personal data. This does not automatically mean that you receive a copy of all documents that contain your personal data. It concerns a copy of your data, not of the documents. That is why you usually receive a document with your personal data in it.
Overview of your personal data
To compile an overview of your personal data, the organisation copies your personal data from the documents that contain these data. The organisation gathers all personal data in an overview and sends this to you.
Usually, an overview of copied personal data will be sufficient to check if your personal data are correct. And if the organisation processes your personal data correctly.
Example: you receive a copy of your data
You are a customer with a sports club and you want to know which of your data the club has. That is why you ask for access. You receive a document with your name, address, birthdate, information about your membership, payment details, visit details, and whether you are registered for newsletters. With this overview you can easily check if your data are correct and how the sports club uses your data. Without you having to peruse all sorts of documents. The overview is sufficient to see if everything is correct.
Exception: copies of whole documents
Sometimes, the organisation has to send you copies of whole documents instead of an overview with copied personal data. But that is an exception.
This exception applies, for example, if you really need the whole documents to use your privacy rights under the GDPR. Such as your right to rectification and removal of your personal data.
In that case, you have to make clear to the organisation which privacy right you want to use. And why, according to you, this is not possible with only the overview of your copied personal data.
The organisation may also decide to give you whole documents instead of an overview. The organisation is obliged to do this if you cannot properly understand the context in which your personal data were processed if you do not have these documents.
Note: Does the organisation give you whole documents? Then the organisation will have to take the privacy of other people into account. Are there also personal data of others in a document? If so, the organisation will have to remove these personal data from the document or render them illegible.
Which data do you not receive?
You are only given access to personal data for which you can check yourself if they are correct. Because that is what the right of access is intended for. This means that you will not be given access to:
- an opinion, a statement or a personal comment by someone else;
- a professional analysis of your personal data, such as a legal analysis in judicial proceedings or a financial report of a bank.
Information about the use of your personal data
The organisation also has to give you information about the use of your personal data. The organisation has to let you know:
- For which purpose the organisation uses your data.
- Which types of data the organisation uses.
- Which organisations or types of organisations, if any, receive your data.
- Whether the organisation transfers your data to countries outside the EEA or to international organisations. And if so, which measures the organisation takes for handling your personal data with due care.
- For how long the organisation retains your personal data. Is the organisation unable to indicate this precisely? Then the organisation will in any case have to make clear how the organisation determines the retention period.
- What your privacy rights are. And that you have the right to submit a complaint to the Dutch Data Protection Authority.
- How the organisation has obtained your data, if you have not passed them on to the organisation yourself.
- Whether the organisation takes automated decisions about people, including profiling. And if so, why the organisation does this, based on what logic, and which consequences this may have for you.
Organisation does not respond or does not respond in time
Did you not receive a response from the organisation within 1 month? Then you can contact the Data Protection Officer (DPO) or the privacy officer of the organisation, if the organisation has one. You can find the contact details of this person in the privacy statement on the organisation's website.
Does this person not respond either? Or are you not satisfied with the response? What you can subsequently do depends on whether it concerns a business or a governmental organisation.
Business
You can submit a complaint to the Dutch DPA. Or initiate application proceedings with the court.
Governmental organisation
You can submit a complaint to the Dutch DPA. Or give the governmental organisation notice of default because of failure to decide in time. Do you not receive a decision within 2 weeks after giving notice of default? Then you can lodge an appeal because of failure to decide in time with the administrative court.
Organisation refuses access
The organisation may refuse access to part of your data. For example, to block information in your file that is about someone else. Is it expected that someone else may object to you being given access? Then the organisation will have to ask that person's opinion first. And then decide whether you will be given access.
Does the organisation refuse your request for access? Then the organisation will have to let you know why. Do you disagree with the refusal of your request? Then you can submit a complaint to the Dutch DPA. Or you can initiate application proceedings with the court, if it concerns a business. Does it concern a governmental organisation? Then you can lodge an objection with the governmental organisation.
More information
Example letter
Would you like to exercise your right of access? Our example letter will make it easier for you to contact organisations.