Right to Access

A core data subject right enabling individuals to obtain confirmation of whether their personal data is being processed, access to that data, and information about the processing. Under GDPR Article 15, access requests must include: confirmation of processing, processing purposes, data categories, recipients or recipient categories, retention period or criteria, data subject rights, data sources (if not collected from the subject), existence of automated decision-making including profiling, and safeguards for international transfers. Controllers must provide a copy of the personal data free of charge, with subsequent copies at reasonable administrative costs. Under CCPA/CPRA, this is called the 'right to know' and includes categories and specific pieces of information collected. Organizations must verify identity, search relevant systems, compile responsive data, redact third-party information if needed, and respond within legal timeframes. Access requests often trigger compliance reviews, as they expose what data organizations actually hold and how they're using it.