Right of Access: 3 Hidden Traps

Right of Access: 3 Hidden Traps

The right of access looks like the simplest right in the GDPR, which is exactly why it is the most heavily tested and the easiest to get wrong. Article 15 grants every data subject three things: confirmation that you are processing their data, a copy of that data, and the prescribed information about the processing. Examiners build their trickiest data-subject-rights questions around the right of access because the rule sounds obvious and the exceptions are narrow. Get the mechanics right and you protect a whole cluster of marks.

This sits in Domain II of the IAPP's Body of Knowledge for the CIPP/E exam, the document that lists every topic the exam can test. The right of access also reaches into transparency and accountability, so it rewards study out of proportion to its single article.

What the right of access actually grants

Strip away the noise and the right of access is short. The data subject can ask whether you process their personal data; if you do, they can have a copy and the supplementary information set out in Article 15 of the GDPR, including the purposes, the recipients, the retention period and the source of the data. They do not have to give a reason. The EDPB Guidelines 01/2022 on the right of access are blunt on this point: the controller may not demand to know why the request is being made, nor whether it will help the data subject.

The mechanics that questions exploit

Three operational details turn up again and again, and each one anchors a trap.

Timing and fees

You have one month to respond. You may extend by a further two months where the request is complex or where the data subject has made numerous requests, provided you tell them inside the first month. The response is free; you may charge only in the narrow case of a manifestly unfounded or excessive request, and even then the burden sits on you to show it. The UK regulator's guidance on the right of access reflects the same logic for organisations now feeling real operational pressure as request volumes climb.

Identity and proportionality

You may confirm the requester's identity before you disclose, but the check must be proportionate. You cannot demand a passport scan for a request about an email address you already hold and recognise. Over-verification works as a delaying tactic, and both the regulators and the exam treat it as one.

The limits on the right of access

The right of access is not absolute, and this is where careful candidates pull ahead. Third-party data and the rights of others can require redaction; trade secrets and intellectual property can limit what you hand over; and Member State law, under Article 23, can restrict the right for purposes such as crime prevention or national security. None of these is a licence to refuse the whole request. The duty is to give the data subject their own data, redacting or withholding only the specific parts that genuinely engage another protection.

Three right of access traps to rehearse

The examiners reuse the same three patterns, so name them now and they lose their power.

The first invents a fee. A stem describes a routine request and offers a "reasonable administrative charge" as the correct response. There is no such charge for an ordinary request; the response is free, and that option is bait.

The second overstates the refusal grounds. A question lets a controller refuse the request outright because some of the data touches a third party. The right answer redacts the third-party element and discloses the rest, because a single complication does not extinguish the whole right.

The third uses one limit to justify withholding everything. A trade secret sits somewhere in the file, so the controller releases nothing. The exam rewards the proportionate answer: protect the secret, disclose the remainder.

Why the right of access connects to the rest of the exam

The right of access does not stand alone. It runs straight into the transparency duties of Articles 12 to 14 and into the accountability and documentation obligations the GDPR places on controllers. A candidate who understands how those pieces lock together reads the scenario questions far more calmly, because the same facts keep pointing back to the same handful of rules. Our walk-through of responding to a data subject access request covers the operational side, and the note on GDPR transparency obligations covers the information you must give upfront. If you are sequencing revision, a study plan weighted by exam domain tells you how much time this rights-heavy area deserves.

See where your reasoning holds and where it slips under time pressure at 22academy.com/study.

Share this Post


Ready to kick-start your career?

GET STARTED NOW



About The Blog


Stay up to date with the latest news, background articles, and tips for your study.


Our latest video





22Academy

Tailored Training Solutions

Let's find the best education solution for your situation. We will contact you for Free Support!

Success! Your message has been sent to us.
Error! There was an error sending your message.
It’s for:
We will only use your email address to contact you regarding your education needs. We do not sell your personal data to third parties.