Right to Access Explained: How to Request and Receive Your Personal Data
This article is part of our Data Subject Rights series, explaining individual rights under NDPA, GDPR, and global data protection laws.
In today’s digital world, personal data is everywhere—from the social media profiles we use daily to the online accounts that store our financial details. But who controls this data? And how can you find out what organizations know about you?
The Right to Access empowers you to ask organizations what personal data they hold about you, why they process it, and how they use it. Enshrined in modern privacy laws like the Nigeria Data Protection Act (NDPA) and the EU’s General Data Protection Regulation (GDPR), this right is foundational to privacy and control.
This guide walks you step‑by‑step through understanding your right of access, how to make a request, what to expect in responses, timelines, real‑world examples, and best practices.
What Is the Right to Access?
At its core, the Right of Access (also called a Data Subject Access Request or DSAR in many jurisdictions) allows you to obtain:
- Confirmation that an organization is processing your personal data;
- A copy of the personal data they hold about you;
- Additional details about how and why your data is processed.
Legal Basis
- GDPR (Article 15): Grants individuals the right to access their personal information held by any data controller. (ICO)
- NDPA (Section 34): Recognizes the right of data subjects to request and receive personal data from data controllers, including how it’s processed.
Across jurisdictions, the principle is the same: it ensures transparency, accountability, and trust between individuals and organizations.
Why the Right of Access Matters
Imagine you suspect a company has collected sensitive data about you without your consent—or you want to verify what your bank knows about your financial behavior. The right of access gives you the legal authority to find out.
Key Benefits
| Benefit | What It Means |
|---|---|
| Transparency | You see what data an organization holds about you. |
| Verification | You confirm whether processing is lawful. |
| Control | You can follow this up with requests to correct or delete your data. |
| Evidence | Useful for legal, financial or dispute purposes. |
Without access to your own data, it’s impossible to exercise other rights like rectification, erasure, or objecting to processing.
Who Can Make a Right of Access Request?
You can make a request if:
- You are a data subject (the person to whom the data belongs);
- You act on behalf of someone else with proper authorization (e.g., a legal guardian or attorney);
- You are legally appointed to manage someone’s data rights.
Tip: The request doesn’t need to reference “GDPR” or “NDPA” specifically—just clearly state that you want access to your personal data.
How to Submit a Right of Access Request (Step‑By‑Step)
Making your request correctly ensures a faster and smoother response.
1. Determine Who Holds Your Data
Identify the organization or data controller (e.g., bank, social network, employer) that you believe holds your personal data.
2. Prepare Your Request
Your DSAR should:
- Clearly state that you’re requesting access to your personal data;
- Include your full legal name, email, and any identifiers the organization might need (e.g., customer number);
- Be sent in writing (email or web form) for record‑keeping.
Example request template:
Subject: Data Access Request
I am requesting access to all personal data you hold about me, including purpose of processing, categories of data, and sharing details.
— [Your Full Name]
— [Address / Email / Contact Info]
3. Provide Proof of Identity
To protect your privacy, many organizations will ask for identity verification before fulfilling the request (e.g., ID scan).
4. Submit the Request
You can send the request:
- By email to the organization’s privacy or data protection contact;
- Through a DSAR web form if provided (e.g., the NDPC portal, forms.ndpc.gov.ng);
- In writing via letter or portal message.
What to Expect After You Submit Your Request
Response Timeline
Under many privacy laws (including GDPR), organizations have:
- 30 days to respond to your right of access request;
- An extension of up to two additional months if the request is complex or there are numerous requests.
If they extend the deadline, they must notify you and explain the reason.
What Should the Response Include?
A compliant response generally includes:
- Confirmation of data held about you;
- Copy of personal data (in a commonly used format);
- Processing details (why it’s used, retention period, legal basis);
- Recipients with whom your data has been shared;
- Your rights to challenge, rectify, or erase your data.
Real‑World Examples of Access Requests
Example 1: Social Media Data Export
A user requests all personal data from a social platform, including:
- Profile information;
- Messages involving the user;
- Data collected through tracking technologies (if applicable).
The platform provides a downloadable ZIP file containing structured CSV files with metadata, timestamps, and interactions.
Example 2: Bank Account Information
A customer asks their bank for all personal data used for risk profiling and credit scoring. The bank responds with:
- Transaction history logs;
- Risk evaluation files;
- Records of any automated decisions affecting credit limits.
Common Challenges and Practical Tips
Incomplete or Delayed Responses
Some organizations may provide partial data or miss the deadline. If that happens:
- Follow up in writing;
- Escalate to the data protection officer (DPO);
- Consider filing a complaint with the supervisory authority (e.g., NDPC or ICO).
Excessive or Complex Requests
If you request vast amounts of data or multiple types of records, the organization may:
- Ask for clarification;
- Charge a reasonable fee if the request is manifestly unfounded or excessive (rare under GDPR). (ICO)
Tips to Help You Find Your Data Faster
- Use clear subject lines (e.g., “Right of Access Request – [Your Name]”).
- Include all possible identifiers (emails, usernames, account numbers).
- Save all correspondence as proof of request and responses.
- Mention legal rights politely but firmly to signal seriousness.
Frequently Asked Questions (FAQs)
Q1. What is the difference between Right of Access and Right to Data Portability?
Both allow you to receive personal data, but data portability focuses on transferring data to another controller in a structured, machine‑readable format.
Q2. Can an organization refuse my request?
Yes, but only in limited cases—such as when fulfilling the request would violate another person’s privacy. If refused, they must explain why and tell you how to complain.
Q3. Do I have to pay to access my data?
Typically no, unless the request is excessive or repetitive.
Q4. What if my data includes third‑party information?
Controllers must redact or exclude information about others to protect their privacy.
Q5. Can I challenge incorrect data I receive?
Yes—once you have your data, you can request rectification or erasure if it’s inaccurate or unlawfully processed.
Empowering Yourself with Your Data
The Right of Access is more than a legal entitlement—it’s a tool for transparency, accountability, and empowerment in an increasingly data‑driven world.
By knowing how to request, interpret, and act on your personal data, you enhance your control over digital life, protect your privacy, and hold organizations accountable. Whether under the NDPA in Nigeria or the GDPR globally, exercising this right helps ensure fairness, trust, and compliance across the digital ecosystem.
Start today: draft your first request, submit it to a data controller, and take control of your personal data.



