GDPR Client Access Request: How to Respond On Time
A client asks for a copy of their data? You have exactly 1 month to respond — otherwise you risk a CNIL complaint. This guide describes the 6 GDPR rights, the recommended procedure, what you must provide and how to handle legal refusal cases.
The 6 GDPR rights of data subjects
The GDPR grants data subjects six fundamental rights (Articles 15 to 22). As a data controller, you are required to respond to any exercise of these rights, within the prescribed deadlines and forms.
Right of access (Art. 15)
Obtain a copy of data held and information about the processing.
Right to rectification (Art. 16)
Correct inaccurate or incomplete data.
Right to erasure (Art. 17)
Obtain deletion of data under certain conditions.
Right to restriction (Art. 18)
Suspend processing without deleting data (dispute, litigation).
Right to portability (Art. 20)
Receive data in a structured, machine-readable format.
Right to object (Art. 21)
Object to processing based on legitimate interest or for prospecting purposes.
Legal deadlines: 1 month, extendable 2 months
The deadline rule (Article 12§3 GDPR)
- Standard deadline : 1 month from receipt of the complete request.
- Possible extension : 2 additional months if the request is complex or numerous. Extension information must be sent within the first month.
- Identity verification : You may request additional information to verify identity. The deadline is suspended until receipt.
Recommended procedure in 5 steps
- Immediate acknowledgment of receipt (D+1 to D+3) — Confirm receipt of the request by email, indicate the response deadline (1 month) and if necessary request ID for verification.
- Identity verification (if in doubt) — Request only strictly necessary information. Do not systematically request a copy of ID (disproportionate).
- Data collection across all systems (D+5 to D+15) — CRM, email, billing, logs, database, third-party tools. Document the list of systems consulted.
- Drafting and sending the response (before D+30) — Response in the same channel as the request (email if request by email), readable format, data in attachment or in the email body depending on volume.
- Archiving the response (proof of compliance) — Keep a record of the request, your response and the date. In case of CNIL audit, this is your compliance proof.
Does your site facilitate GDPR rights exercise?
RGPDScan verifies the presence of a GDPR contact form, your DPO's accessibility and your privacy policy compliance.
What you must provide for the right of access
Article 15 GDPR is precise about the response content. You must provide a copy of the data and the following information:
- Processing purposes (why you process this data)
- Categories of data concerned (contact details, health data, etc.)
- Recipients or categories of recipients (who has access)
- Expected retention period or criteria to determine it
- Existence of right to rectification, erasure, restriction, objection
- Right to lodge a complaint with CNIL (with contact details)
- Data source if not collected from the person
- Existence of automated decision-making (profiling) and the logic used
Legal refusal cases
You can legally refuse or limit a response in the following cases:
Manifestly unfounded or excessive request
Notably if the same person makes the same request repetitively without reason. You must document and be able to prove this excessive nature.
Infringement on a third party's rights
If the requested data contains personal data of other individuals whose communication would violate their rights. In this case, you can provide data partially (anonymizing third parties).
Legal confidentiality obligations
Professional secrecy (lawyer, doctor), national defense secrecy, trade secrets, ongoing judicial investigation. Legal basis for confidentiality takes precedence over access right.
Template response for right of access
Sanctions for non-response
1. Complaint from the data subject to CNIL. 2. CNIL notifies the company and may issue a formal notice. 3. Non-compliance with the formal notice: sanction up to €20M or 4% of global revenue. Formal notices have been issued in health, insurance and banking sectors for missed deadlines.
Going further
- GDPR compliance checklist 2026
- CNIL Fines 2026: all documented sanctions
- GDPR for SMEs: complete obligations
- Tools to manage rights exercise requests
- Newsletter and GDPR: legal bases and subscriber rights