Procedure 10 min read·

GDPR Client Access Request: How to Respond On Time

A client asks for a copy of their data? You have exactly 1 month to respond — otherwise you risk a CNIL complaint. This guide describes the 6 GDPR rights, the recommended procedure, what you must provide and how to handle legal refusal cases.

The 6 GDPR rights of data subjects

The GDPR grants data subjects six fundamental rights (Articles 15 to 22). As a data controller, you are required to respond to any exercise of these rights, within the prescribed deadlines and forms.

Right of access (Art. 15)

Obtain a copy of data held and information about the processing.

Right to rectification (Art. 16)

Correct inaccurate or incomplete data.

Right to erasure (Art. 17)

Obtain deletion of data under certain conditions.

Right to restriction (Art. 18)

Suspend processing without deleting data (dispute, litigation).

Right to portability (Art. 20)

Receive data in a structured, machine-readable format.

Right to object (Art. 21)

Object to processing based on legitimate interest or for prospecting purposes.

Legal deadlines: 1 month, extendable 2 months

The deadline rule (Article 12§3 GDPR)

  • Standard deadline : 1 month from receipt of the complete request.
  • Possible extension : 2 additional months if the request is complex or numerous. Extension information must be sent within the first month.
  • Identity verification : You may request additional information to verify identity. The deadline is suspended until receipt.

Recommended procedure in 5 steps

  1. Immediate acknowledgment of receipt (D+1 to D+3) Confirm receipt of the request by email, indicate the response deadline (1 month) and if necessary request ID for verification.
  2. Identity verification (if in doubt) Request only strictly necessary information. Do not systematically request a copy of ID (disproportionate).
  3. Data collection across all systems (D+5 to D+15) CRM, email, billing, logs, database, third-party tools. Document the list of systems consulted.
  4. Drafting and sending the response (before D+30) Response in the same channel as the request (email if request by email), readable format, data in attachment or in the email body depending on volume.
  5. Archiving the response (proof of compliance) Keep a record of the request, your response and the date. In case of CNIL audit, this is your compliance proof.

Does your site facilitate GDPR rights exercise?

RGPDScan verifies the presence of a GDPR contact form, your DPO's accessibility and your privacy policy compliance.

What you must provide for the right of access

Article 15 GDPR is precise about the response content. You must provide a copy of the data and the following information:

  • Processing purposes (why you process this data)
  • Categories of data concerned (contact details, health data, etc.)
  • Recipients or categories of recipients (who has access)
  • Expected retention period or criteria to determine it
  • Existence of right to rectification, erasure, restriction, objection
  • Right to lodge a complaint with CNIL (with contact details)
  • Data source if not collected from the person
  • Existence of automated decision-making (profiling) and the logic used

Legal refusal cases

You can legally refuse or limit a response in the following cases:

Manifestly unfounded or excessive request

Notably if the same person makes the same request repetitively without reason. You must document and be able to prove this excessive nature.

Infringement on a third party's rights

If the requested data contains personal data of other individuals whose communication would violate their rights. In this case, you can provide data partially (anonymizing third parties).

Legal confidentiality obligations

Professional secrecy (lawyer, doctor), national defense secrecy, trade secrets, ongoing judicial investigation. Legal basis for confidentiality takes precedence over access right.

Template response for right of access

Subject: Response to your personal data access request Dear [Name], We have received your right of access request on [date]. After verifying your identity, we hereby communicate the personal data we hold about you: [List or attached file of data] This data is processed for the following purposes: [purposes] Legal basis: [consent / contract / legitimate interest] Retention period: [period] Recipients: [list of recipients] You also have the following rights: rectification, erasure, restriction, portability, objection. To exercise them: [DPO email/form]. For complaints: CNIL, 3 Place de Fontenoy, 75007 Paris, www.cnil.fr Sincerely, [Data Controller]

Sanctions for non-response

Procedure in case of non-response

1. Complaint from the data subject to CNIL. 2. CNIL notifies the company and may issue a formal notice. 3. Non-compliance with the formal notice: sanction up to €20M or 4% of global revenue. Formal notices have been issued in health, insurance and banking sectors for missed deadlines.

Going further

Frequently asked questions

What is the legal deadline to respond to a GDPR access request?
1 month from receipt of the request (Article 12§3 GDPR). This deadline may be extended by 2 additional months in case of numerous or complex requests, provided the requester is informed of the extension and its reasons within the initial 1-month period. The maximum total deadline is therefore 3 months. If in doubt about the requester's identity, you may request additional information, which suspends the deadline.
What must I provide in response to a GDPR access right request?
A copy of all personal data held about the person, plus: processing purposes, data categories, recipients or categories of recipients, expected retention period, existence of other rights (rectification, erasure, restriction, objection, portability), right to lodge a complaint with the supervisory authority, data source if not collected from the person, possible existence of automated decision-making (including profiling).
Can I refuse a GDPR access request?
Yes, in limited cases: if the request is manifestly unfounded or excessive (notably due to its repetitive nature), if the response would prejudice the rights or freedoms of others (third-party data mixed with the requester's data), if legal or regulatory grounds require confidentiality (trade secrets, national defense, ongoing judicial investigation). In case of refusal, you must inform the requester of the reasons and their right of appeal to the CNIL.
Can I charge for responding to a GDPR access request?
No, as a general rule. Article 12§5 GDPR states that information is provided free of charge. Exception: if requests from the same person are manifestly unfounded or excessive, you may require reasonable fees (administrative costs) or refuse to act. You must then be able to demonstrate the unfounded or excessive nature of the request.
How to handle a right to erasure (right to be forgotten) request?
The right to erasure (Article 17 GDPR) applies notably when: data is no longer necessary for the purposes, consent is withdrawn and there is no other legal basis, data was collected in the context of an offer of information society services to a minor. Exceptions: legal obligation to retain, exercise of rights in court, public interest. Response deadline: 1 month.
What sanction is risked for non-response to a GDPR request?
Non-response to a rights exercise request can lead to a complaint to the CNIL. The CNIL may issue a formal notice to respond. Non-compliance with the formal notice: sanction up to €20,000,000 or 4% of global revenue. Formal notices have been issued in France for exceeded deadlines, notably in the health and insurance sectors.

Audit your full GDPR compliance

RGPDScan verifies your privacy policy, legal notices and rights exercise mechanisms on your site.