Article 15 of the General Data Protection Regulation (GDPR), known in the Netherlands as the Algemene Verordening Gegevensbescherming (AVG) and supplemented by the Uitvoeringswet AVG (UAVG), gives every person the right to discover whether an organization processes their personal data, to obtain a copy, and to see the surrounding context such as purposes, recipients, and retention periods. This right is the backbone of transparency and accountability: it lets individuals check what is held about them and forces organizations to keep their data practices documented and defensible.
Whether you are requesting your own HR file or preparing to answer a customer’s subject-access request, knowing the exact scope and limits of Article 15 cuts the risk of fines, disputes, and reputational damage. In the pages that follow we translate the legal text into plain English, walk data subjects through a step-by-step request template, guide controllers on timelines, fees, and redaction duties, flag the Dutch-specific rules the Autoriteit Persoonsgegevens enforces, and close with practical checklists for both sides.
Decoding Article 15 AVG in Plain English
“The data subject shall have the right to obtain from the controller confirmation as to whether or not personal data concerning him or her are being processed, and, where that is the case, access to the personal data…” — Article 15(1) GDPR
In plain language: you may ask any organization “Do you store data about me? If yes, show me what, why, with whom you share it, and how long you keep it.” That is the essence of the right of access under the GDPR. The scope of Article 15 is identical in the Netherlands: the AVG is simply the Dutch text of the GDPR, and the UAVG adds national detail (for example the Article 23 restrictions set out in Article 41 UAVG) without changing the substance of Article 15.
When you file a request, you are entitled to confirmation of processing, a copy of the personal data, and the supplementary information listed in Article 15(1)(a) to (h), plus the transfer safeguards of Article 15(2):
- (a) The purposes of the processing
- (b) The categories of personal data involved
- (c) The recipients or categories of recipients, in particular any in third countries or international organisations
- (d) The envisaged storage period or, if that is not possible, the criteria used to determine it
- (e) The existence of your rights to rectification, erasure, restriction, and objection
- (f) Your right to lodge a complaint with a supervisory authority (in the Netherlands, the Autoriteit Persoonsgegevens)
- (g) The source of the data where it was not collected from you
- (h) Whether automated decision-making, including profiling, takes place and, if so, meaningful information about the logic involved and its significance and envisaged consequences
- (15(2)) The appropriate safeguards applied to any transfer outside the EEA
The right is personal, so only the data subject (or a valid representative) can invoke it, and a controller cannot waive or contract it away. It is not unconditional, however: under Article 15(4) the right to obtain a copy may not adversely affect the rights and freedoms of others, so controllers may trim access where trade secrets or the privacy of third parties would be harmed, while still disclosing as much as they can.
Legal Text vs. Layman’s Terms
| Article 15 clause | What it really means |
|---|---|
| 15(1) confirmation | Ask “yes/no” if they process your data. |
| 15(1) access | Get the actual data plus context. |
| 15(1)(c) recipients | Learn who sees or gets the data, inside or outside the firm. |
| 15(2) third-country transfers | Find out about data sent outside the EEA and the protections used. |
| 15(3) copy | Receive a first copy free of charge, in a commonly used electronic form if you asked electronically; further copies may carry a reasonable fee. |
Key Takeaways at a Glance
- How long may a controller take? One month from receipt, extendable by two further months (three in total) for complex or numerous requests, provided you are told of the extension within the first month.
- Can they charge me? No, unless the request is “manifestly unfounded or excessive”; only additional copies may carry a reasonable fee.
- In what format will I receive the data? If you asked electronically, a commonly used electronic format (e.g., PDF or CSV) sent securely, unless you ask otherwise.
- Must I use a special form? No; email, letter, or even a phone call counts.
- What if they hold nothing on me? They must say so in writing within the same deadline.
Who Can Exercise the Right and Towards Whom?
Under Article 4(1) GDPR personal data relate to an identified or identifiable natural person; the data subject is that person, whether customer, employee, patient, or minor pupil (deceased persons are excluded by Recital 27). Each of them can invoke the right of access under the GDPR: the scope of Article 15 of the AVG does not discriminate by age, nationality, or residence. Requests must be addressed to the controller: the party that decides why and how the data are processed. A cloud provider or payroll bureau that merely stores the data is a processor. It is not the right addressee and should not answer on its own account; under Article 28(3)(e) it must assist the controller, which in practice means forwarding the request promptly and helping to locate the data.
Dutch residents may also aim their request at a foreign company that targets the Dutch market (e.g., an Irish-based social network). The one-month clock starts the moment that controller receives the request, regardless of where its servers live.
Special Situations: Representatives, Deceased Persons, Parents and Guardians
- Minors and incapacitated adults: a parent, guardian, or curator may act on their behalf under Book 1 of the Dutch Civil Code.
- Schools and employers: pupils and employees themselves can file a Subject Access Request (SAR); representatives are optional, not required.
- Deceased persons fall outside GDPR, yet doctors, notaries, and insurers must still honor professional-secrecy rules before disclosing related files.
Controllers’ Joint Responsibility in Shared Systems
When two or more organizations jointly determine the purposes and means of processing (Article 26 GDPR), for instance two affiliated companies that run one shared customer database for their own purposes, they are joint controllers (an employer and its HR-software vendor, by contrast, are normally controller and processor). They must agree transparently who answers Article 15 requests and make the essence of that arrangement available to the data subject, but under Article 26(3) the data subject may exercise the right of access against either of them, whatever the arrangement says.
What Must Be Disclosed: Data and Supplementary Information
When you invoke the right of access under the GDPR, the scope of Article 15 of the AVG obliges the controller to hand over two things: the actual personal data and a package of contextual details. Think of it as receiving both the photo and its caption. Article 15(1) lists the supplementary information in eight items, (a) to (h), and Article 15(2) adds transfer safeguards.
| Art. 15 item | What you should receive |
|---|---|
| 15(1) confirmation | A clear yes/no whether your data is processed |
| (a) Purposes | The reasons the data exist (e.g., payroll, marketing) |
| (b) Categories | Types such as contact details, purchase history, GPS logs |
| (c) Recipients | Internal teams and external partners or processors, including any in third countries |
| (d) Retention | Exact period or criteria (e.g., “7 years for tax law”) |
| (e) Rights | Reminder that you may rectify, erase, restrict, or object |
| (f) Complaint | Your right to complain to the Autoriteit Persoonsgegevens |
| (g) Source | Where the data came from if not collected from you |
| (h) Automated decisions | Whether profiling or automated decision-making occurs, and meaningful information about the logic and its consequences |
| 15(2) Transfers | Safeguards for any shipment outside the EEA |
Personal data is more than name and number. It covers behavioural profiles, inferred credit scores, CCTV footage, voice recordings, device IDs, and even seemingly dull metadata such as log-in timestamps—anything that can be tied, directly or indirectly, to an identifiable person.
“Copy of the Personal Data” Explained
A copy means an intelligible reproduction, not the original paper file. Expect:
- A PDF of your payroll record
- CSV export of CRM notes
- ZIP with audio files of support calls
If you emailed the request, the default delivery should also be electronic and in a “commonly used” format unless you ask for paper.
Personal Data vs. Documents: Where to Draw the Line
Controllers must extract the passages that relate to you, not hand over whole documents. In a meeting memo that mentions several employees, your own remarks and what others said about you are your personal data and are disclosed; the names of the colleagues who spoke are masked, and passages that do not concern you are left out. Conversely, a signed employment contract is disclosed in full because every clause concerns you.
Mandatory Supplementary Information
Beyond the data copy, the controller must explain: purposes, categories, recipients, retention, available rights, data sources, logic behind automated decisions (if any), and transfer safeguards. Keep an eye on vague answers—“for business purposes” or “stored as long as necessary” are unlikely to satisfy the Autoriteit Persoonsgegevens. Comprehensive, plain-language explanations are the best shield against complaints and fines.
How to Submit and Handle a Subject Access Request (SAR) in the Netherlands
A Subject Access Request can be made any way the data subject likes: by phone, email, letter, social-media DM, or even a chat bot. Article 12(2) GDPR obliges controllers to facilitate requests, so they may offer a form but cannot insist on it; “I want a copy of all personal data you hold about me” is enough to start the clock. Best practice, however, is to lodge a written record so both sides can track deadlines. Once the request lands, the controller should acknowledge receipt and diary the one-month response period, which runs from the day the request was received. Silence or delay after that first month risks an Autoriteit Persoonsgegevens (AP) complaint and potential fines.
Below is a concise, bilingual template data subjects can copy-paste; no legal jargon required.
Subject: Subject Access Request – Article 15 GDPR/AVG
Dear [Controller],
I hereby request, under Article 15 GDPR/AVG, confirmation of whether you process my personal data.
If so, please provide a copy and the supplementary information listed in Article 15(1)(a-h).
Kind regards,
[Name] | [Email] | [Any reference number]
---
Onderwerp: Verzoek om inzage – Artikel 15 AVG/GDPR
Geachte [Verwerkingsverantwoordelijke],
Ik verzoek u op grond van artikel 15 AVG om bevestiging of u mijn persoonsgegevens verwerkt.
Indien dit het geval is, ontvang ik graag een kopie en de aanvullende informatie zoals genoemd in artikel 15 lid 1 onder a-h.
Met vriendelijke groet,
[Naam] | [E-mail] | [Eventuele referentie]
Controllers should create a simple intake workflow (a dedicated privacy mailbox, a ticket number, an automated confirmation) to prove compliance later.
Identity Verification Without Over-Collecting
Article 12(6) lets a controller ask for additional information only where it has reasonable doubts about the identity of the person asking, and it may not use the request as an excuse to collect more data than it needs. The AP recommends:
- Match request details with existing account data (username, client ID) wherever possible.
- If extra proof is unavoidable, request a redacted passport or driving-license scan with the BSN, photo, and MRZ blacked out.
- Never keep copies longer than required for verification; log the fact of the check, then delete the file.
Logging and Record-Keeping for Accountability
A basic SAR log keeps regulators—and your DPO—happy. Record:
- Date received and channel (email, call, etc.)
- Identity-verification steps taken
- Scope of data located
- Internal teams involved
- Date and method of reply + any extensions claimed
- Summary of information provided or reasons for refusal
Maintaining this register supports the Article 5(2) accountability principle and gives a ready-made audit trail if the AP knocks on your door.
Controllers’ Timelines, Fees, and Delivery Formats
When the clock starts, controllers have one month from receipt to answer a subject-access request. They may extend once by up to two additional months, but only for complex or numerous requests, and they must inform the data subject of the extension and its reasons within the first month. If no personal data is held, the controller must still reply within the same deadline and say so explicitly.
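The intake workflow, the SAR log, and the timeline rules above all hinge on getting the deadline arithmetic right, and the awkward cases are calendar ones: a request received on 31 January has no “31 February” to expire on, and a period can end on a weekend. The following register is an added example written for this page; it is not code from the article or from Law & More. It assumes the EU rule for periods expressed in months (Regulation (EEC) No 1182/71, Article 3(2)(c): same date in the target month, otherwise the last day of that month) and the weekend roll-forward of Article 3(4) of the same regulation, which is how the EDPB’s right-of-access guidelines read the Article 12(3) period; public holidays are left out, and the ticket fields, names and sample dates are constructed.

```python
"""SAR intake register: Article 12(3) deadline arithmetic and extension rules.

Added example (not from the original article). Assumptions are marked below.
"""
import calendar
from dataclasses import dataclass, field
from datetime import date, timedelta
from typing import List, Optional


def add_months(start: date, months: int) -> date:
    """Same calendar day `months` later; if that day does not exist in the
    target month (31 Jan + 1 month), the last day of that month. This is the
    rule for periods expressed in months in Regulation (EEC) No 1182/71,
    Art. 3(2)(c), applied here to the Article 12(3) period (assumption)."""
    idx = start.month - 1 + months
    year, month = start.year + idx // 12, idx % 12 + 1
    day = min(start.day, calendar.monthrange(year, month)[1])
    return date(year, month, day)


def roll_to_working_day(d: date) -> date:
    """Art. 3(4) of the same regulation: a period ending on a Saturday or
    Sunday ends on the next working day. Public holidays are deliberately
    not modelled (assumption: plug in a Dutch holiday list in production)."""
    while d.weekday() >= 5:  # 5 = Saturday, 6 = Sunday
        d += timedelta(days=1)
    return d


def response_deadline(received: date, extra_months: int = 0) -> date:
    """One month from receipt, plus any granted extension (at most two)."""
    return roll_to_working_day(add_months(received, 1 + extra_months))


@dataclass
class SarTicket:
    """One register entry. `identity_check` records *what* was verified
    (e.g. 'matched sender address to account record'), never the ID document."""
    ticket_id: str
    received: date
    channel: str                            # "email", "letter", "phone", ...
    identity_check: str = ""
    extension_months: int = 0
    extension_notified: Optional[date] = None
    replied: Optional[date] = None
    notes: List[str] = field(default_factory=list)

    @property
    def deadline(self) -> date:
        return response_deadline(self.received, self.extension_months)

    def extend(self, notice_date: date, months: int, reason: str) -> date:
        """Art. 12(3): a single extension of at most two months, and the data
        subject must be told within the initial month together with the reason."""
        if self.extension_months:
            raise ValueError("only one extension is allowed")
        if not 1 <= months <= 2:
            raise ValueError("extension must be one or two months")
        if notice_date > response_deadline(self.received):
            raise ValueError("extension must be notified within the initial month")
        self.extension_months = months
        self.extension_notified = notice_date
        self.notes.append(f"{notice_date}: extended by {months} month(s): {reason}")
        return self.deadline

    def status(self, today: date) -> str:
        """open / overdue while unanswered; closed / closed-late once replied."""
        if self.replied is not None:
            return "closed-late" if self.replied > self.deadline else "closed"
        return "overdue" if today > self.deadline else "open"


if __name__ == "__main__":
    # Constructed sample: request received on the last day of January 2024.
    t = SarTicket("SAR-2024-0007", date(2024, 1, 31), "email",
                  identity_check="matched sender address to account record")
    print("initial deadline:", t.deadline)                                          # 2024-02-29
    print("after extension:", t.extend(date(2024, 2, 15), 2, "archived HR files"))  # 2024-04-30
    print("status on 1 May:", t.status(date(2024, 5, 1)))                           # overdue
```

A request received on 31 May 2024 lands on Sunday 30 June and therefore rolls to Monday 1 July; an extension notified on 5 March for a request received on 31 January is rejected because the first month had already expired on 29 February. Keeping the notice date and reason in the ticket is what lets you prove, later, that the extension was lawful.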
Article 12(5) sets a zero-fee rule: access is free. A charge is allowed only when a demand is “manifestly unfounded or excessive”; think of an employee asking for identical copies every week after a full answer, or a scripted flood of identical requests sent only to tie up staff.
Delivery must be in a “commonly used” secure format. A quick comparison:
| Format | Pros | Cons |
|---|---|---|
| Encrypted PDF | Readable; easy redaction | Weak passwords possible |
| CSV export | Machine-readable; small size | Harder for laypersons |
| Secure portal | 2FA and audit trail | Costly to maintain |
Whichever route is chosen, controllers should honor reasonable preferences and avoid proprietary lock-in.
Secure Transmission and Data Minimization
Never send unprotected spreadsheets by email. Use password-protected files (share the key separately), HTTPS portals with two-factor authentication, or registered mail for paper bundles. Before transmission, scrub third-party data with redaction software and remove surplus fields. This meets Article 5(1)(c) minimization while shielding co-workers, trade secrets, and bystanders.
Legitimate Grounds to Restrict or Refuse Access
Article 15 is powerful, yet not limitless. Paragraph 4 and Recital 63 make clear that a controller may trim or, exceptionally, refuse disclosure when handing over the information would collide with other fundamental rights or be plainly unreasonable. The burden of proof sits with the controller, which must document why full access would undermine those competing interests and how it mitigated the impact (e.g., partial redaction).
Protecting Third-Party Privacy
Disclosing an email chain that also names colleagues or customers can reveal their personal data. Dutch case law (Rb. Midden-Nederland, ECLI:NL:RBMNE:2023:1204) confirms that controllers may blank out or summarise third-party identifiers, provided the requester still understands the context. Techniques:
- Black-line names and phone numbers
- Replace with neutral terms (“another employee”)
- Supply extracts instead of the whole file
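The three techniques above (blacking out identifiers, replacing them with a neutral term, and supplying an extract rather than the whole file) can be wired into one repeatable step, with a second check before release so that a reviewer does not have to trust the first pass. The script below is an added example for this page, not code from the article or from Law & More. The memo, the employee names and the “[another employee]” placeholder are constructed; the test of whether a line relates to the requester (they said it, or it is about them) is a deliberate simplification, and a real workflow would run the output past a human before it leaves the building.

```python
"""Third-party redaction for an Article 15 extract.

Added example (not from the original article). The memo, the names and the
"[another employee]" placeholder are constructed for illustration.
"""
import re
from dataclasses import dataclass
from typing import Dict, List

# Constructed sample memo, one utterance per line: "<Speaker>: <text>".
MEMO = """\
Jansen: We need the Q3 numbers from de Vries by Friday.
de Vries: I'll have them ready; Bakker asked for the same data.
Bakker: My team is overloaded, can Jansen take the client call?
Jansen: Fine, I'll take it.
de Vries: The printer on floor 3 is broken again.
"""

PLACEHOLDER = "[another employee]"


@dataclass
class RedactionResult:
    extract: List[str]            # lines to disclose, third parties masked
    withheld: int                 # lines dropped as not relating to the requester
    replacements: Dict[str, int]  # third-party name -> occurrences masked


def relates_to(requester: str, speaker: str, text: str) -> bool:
    """A line is the requester's personal data if they said it or it is about
    them. Substring matching on the name is a simplification (assumption)."""
    return speaker == requester or requester in text


def build_extract(memo: str, requester: str, third_parties: List[str]) -> RedactionResult:
    """Keep only lines that relate to the requester and mask third-party names in them."""
    disclosed: List[str] = []
    withheld = 0
    counts = {name: 0 for name in third_parties}
    for raw in memo.splitlines():
        speaker, _, text = raw.partition(": ")
        if not relates_to(requester, speaker, text):
            withheld += 1  # not the requester's data: supply an extract, not the file
            continue
        line = raw
        for name in third_parties:
            # Word-bounded, case-sensitive match so "Jansen" does not hit "Jansens".
            line, n = re.subn(rf"\b{re.escape(name)}\b", PLACEHOLDER, line)
            counts[name] += n
        disclosed.append(line)
    return RedactionResult(disclosed, withheld, counts)


def residual_identifiers(lines: List[str], third_parties: List[str]) -> List[str]:
    """Second-pair-of-eyes check before release: any third-party name that survived."""
    joined = "\n".join(lines)
    return [n for n in third_parties if re.search(rf"\b{re.escape(n)}\b", joined)]


if __name__ == "__main__":
    result = build_extract(MEMO, "de Vries", ["Jansen", "Bakker"])
    for line in result.extract:
        print(line)
    print("withheld lines:", result.withheld, "| masked:", result.replacements)
    print("residual identifiers:", residual_identifiers(result.extract, ["Jansen", "Bakker"]))
```

For the requester “de Vries” this discloses three lines: Jansen’s instruction about de Vries (with Jansen masked), de Vries’s own reply (with Bakker masked), and de Vries’s unrelated remark, which is still their own statement. Bakker’s complaint and Jansen’s answer to it concern neither de Vries nor their work and are withheld. The count of replacements and the residual check are what you record in the SAR log as evidence of the dual-control review.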
Trade Secrets, Intellectual Property, and Copyright
Companies need not expose their algorithms in full. If revealing source code, pricing formulas, or copyrighted material would expose confidential know-how, Article 15(4) allows a calibrated response, but Recital 63 adds that trade secrets and intellectual property may not be used as a reason to refuse all information. Typical workaround: describe the logic of an automated decision in plain language, not the full code; give the excerpts of a contract schedule that concern the requester, not the proprietary template. Always explain why deeper disclosure would harm commercial interests.
Preventing Abuse of Rights
A request is manifestly unfounded or excessive when it is repetitive, harassing, or deliberately burdensome—think weekly copy-paste SARs after full data was already delivered. Controllers may then:
- Charge a “reasonable fee” reflecting administrative cost, or
- Refuse to act altogether.
Either way, you must justify the stance in writing and inform the data subject of their right to complain to the Autoriteit Persoonsgegevens.
Seeking Redress: Complaints and Litigation in the Netherlands
When a controller misses the mark, data subjects have quick, escalating options to enforce the right of access under the GDPR (the scope of Article 15 of the AVG).
- Internal nudge. Send a dated reminder referencing Article 15 and the elapsed deadline; most organizations comply once prompted.
- Autoriteit Persoonsgegevens complaint. File online. The AP can order disclosure, impose daily penalty payments, or levy administrative fines. Simple cases often close within three months.
- Civil court action. Article 79 GDPR guarantees a judicial remedy and Article 82 GDPR a right to compensation; Article 35 UAVG adds a petition procedure at the district court, to be started within six weeks of the controller’s response. Dutch courts may order disclosure and award damages. Recent rulings have granted €250–€2 500 for distress, with fast-track kort geding relief available for urgent employment rows.
Cross-Border Cooperation and the One-Stop-Shop
A Dutch resident may still complain to the AP even if the controller’s EU headquarters sits elsewhere. The AP forwards the file via the GDPR One-Stop-Shop, and the European Data Protection Board can break any regulatory deadlock—so geography is no barrier to getting your data.
Compliance Blueprint for Organizations
A tidy SAR process starts long before the first request arrives. Build these essentials and 90 % of access headaches disappear:
- Publish a short, plain-English SAR policy and point staff to it.
- Keep your Records of Processing Activities (RoPA) up to date—so you know where data lives.
- Map retention periods and deletion triggers; stale data is data you never need to hand over.
- Maintain a step-by-step redaction workflow with dual-control review.
- Log every request, decision, and deadline for Article 5 accountability.
- Run annual tabletop drills to test speed, clarity, and chain of command.
Train front-office, HR, and IT staff to spot and triage verbal requests; the one-month clock starts when any employee receives the request, even by phone.
Automation and Tools
Use data-discovery software, ID-verification APIs, and secure download portals to find, package, and transmit data quickly—always leaving room for human sense-checking and context.
Integration with Other Data Subject Rights
Design the SAR workflow to branch into rectification, erasure, or portability actions; one coherent pipeline avoids duplicate searches and inconsistent answers.
Empowering Data Subjects: Practical Tips for Effective Requests
A clear, well-scoped SAR saves everyone time and makes it harder for the controller to stall. Try these tactics:
- Pinpoint what you want: “All e-mails between me and manager Jansen from 1 Jan – 31 Mar 2024.”
- Mention where it sits: “HR system and help-desk tickets.”
- State your preferred format (CSV, PDF) and secure channel.
- Flag urgency when relevant (“upcoming performance review on 15 Oct”).
Once the data lands, scan for errors or gaps and immediately fire off a rectification or erasure request—riding the same evidence trail keeps momentum.
Escalation Strategy if Ignored
Day 31 and still radio silence? Keep it polite but firm:
Subject: Reminder – Article 15 GDPR/AVG request overdue
Dear [Controller],
On [date] I requested access to my personal data. The one-month term has passed without a response.
Please provide the information within seven days or explain the lawful basis for any refusal.
Failing that, I will file a complaint with the Autoriteit Persoonsgegevens and consider civil action.
Regards,
[Name]
Document every step (dates, emails, phone logs). If the extra week expires, lodge an online complaint with the AP and attach your evidence bundle; courts and regulators favor well-organized claimants.
Wrapping Up Your Right of Access
Article 15 GDPR/AVG puts individuals in the driver’s seat: you can ask, see, and challenge what an organization does with your data. For controllers, clear procedures, tidy records, and sensible redactions are not optional—they are the only way to hit the one-month deadline and dodge the Autoriteit Persoonsgegevens’ glare.
Remember the basic playbook:
- request can be informal,
- response must be free, timely, and complete,
- limits are narrow and must be justified,
- partial disclosure beats blanket refusal.
Follow those rules and the right of access becomes a routine compliance task instead of a courtroom headache.
Need a tailor-made SAR template, help untangling third-party data, or strategy for a stubborn controller? The privacy attorneys at Law & More are ready to step in—whether you’re a data subject seeking answers or a company seeking certainty.