As a researcher in data rights, I often use my own data rights. The right to access is one of the most powerful and well-understood of the rights that exist in data protection law. These rights are quite detailed in their potentency, and its full potential is not often met by confused (or reluctant) data controllers without pushing them pretty hard.
I therefore present a weapon of mass data rights: a powerful template letter designed to get the very most from your rights in the opening shot. There is no need to use this with particular care, as courts have repeatedly held that you do not need any particular justification or set motive to utilise your fundamental right to access information.
The template is available below in this blog, as well as on this GitHub repo (currently in MarkDown and Word formats). The template below is CC-0 1.0, which means I waive copyright to the maximum extent possible worldwide.
I'm going to continue to update it as more guidance and legal clarity comes out over time, and on request. A variety of people and sources were useful in crafting this letter.
Edit 25-17-2019: Clarified that this letter is CC-0.
Durham County Council v D  EWCA Civ 1654 ; Gurieva v. Community Safety Development Ltd  EWHC 643 (QB) [67-72]; Dawson-Damer & Ors v Taylor Wessing LLP  EWCA Civ 74 [105-113]; Ittihadieh v 5-11 Cheyne Gardens RTM Company Ltd & Ors  EWCA Civ 121 [104-110]; DB v General Medical Council  EWCA Civ 1497 . ↩︎
Some of the latter part of the letter is drawn from that used in Janis Wong and Tristan Henderson, ‘The Right to Data Portability in Practice: Exploring the Implications of the Technologically Neutral GDPR’  International Data Privacy Law doi:10.1093/idpl/ipz008. Jef Ausloos also helped think through an earlier version of this letter when the GDPR first became enforceable in May 2018. ↩︎
Dear DATA CONTROLLER,
This is a transparency request under the General Data Protection Regulation, including a subject access request, a portability request, and other specific provisions. Please note that it is not legal to require data subjects to use an in-house form.
I would like to request a copy of all my personal data held and/or undergoing processing. This is both a subject access request and a portability request.
Copies of my personal data
For data falling within the right to data portability (GDPR, art 20), which includes all data I have provided and which have been indirectly observed about me and where lawful bases for processing include consent or contract, I wish to have that data:
sent to me in commonly used, structured, machine-readable format, such as a CSV file. A PDF is not a machine-readable format.
accompanied with an intelligible description of all variables.
For all personal data not falling within portability, I would like to request, under the right to access (GDPR, art 15):
- a copy sent to me in electronic format. This includes any data derived about me, such as opinions, inferences, settings and preferences. For data that is available to the controller in machine readable format, it must be provided to me in that form in accordance with the principle of fairness and provision of data protection by design.
If your organisation considers me a controller for whom you process
Furthermore, if your business considers me the controller of any personal data for which your business acts as processor, please provide me with all the data you process on my behalf in machine readable format in accordance with your obligation to respect my to determination of the means and purposes of processing.
Metadata on processing
This request also includes the metadata I am entitled to under the GDPR.
Information on controllers, processors, source and transfers
The identity of of all joint controllers of my personal data.
Any third parties to whom data has been disclosed, named with contact details in accordance with Article 15(1)(c). As confirmed by the European Court of Justice, data controllers must provide the actual identity of those recipients, unless it is impossible to identify those recipients. If identifying individual recipients is truly impossible due to the controller holding no data about them within their broader systems, then the industry, sector and sub-sector and the location of the recipients must be identified.[3:1] Please note that in the case of any transferred data processed on the basis of consent, there is no option to just name categories of recipients without invalidating that legal basis.
If any data was not collected, observed or inferred from me directly, please provide precise information about the source of that data, including the name and contact email of the data controller(s) in question ("from which source the personal data originate", Article 14(2)(f)/15(1)(g)).
Please confirm where my personal data is physically stored (including backups) and at the very least whether it has exited the EU at any stage (if so, please also detail the legal grounds and safeguards for such data transfers).
Information on purposes and legal basis
All processing purposes and the lawful basis for those purposes by category of personal data. This list must be broken down by purpose, lawful basis aligned to purposes, and categories of data concerned aligned to purposes and lawful bases. Separate lists where these three factors do not correspond are not acceptable. A table may be the best way to display this information.
The specified legitimate interest where legitimate interest is relied upon (Article 14(2)(b)).
Information on automated decision-making
- Please confirm whether or not you make any automated decisions (within the meaning of Article 22, GDPR). If the answer is yes, please provide meaningful information about the logic involved, as well as the significance and the envisaged consequences of such processing for me. (Article 15(1)(h))
Information on storage
- Please confirm for how long each category of personal data is stored, or the criteria used to make this decision, in accordance with the storage limitation principle and Article 15(1)(d).
To help identify me, I have attached the following personal information:
Additional Account Information: XXX.
If you do not normally deal with these requests, please pass this email to your Data Protection Officer. If you need advice on dealing with this request, the Information Commissioner's Office can assist you and can be contacted on 0303 123 1113 or at ico.org.uk.
In accordance with the law, I look forward to hearing from you within one month of receipt.
Information Commissioner’s Office, ‘Subject Access Code of Practice’ (9 June 2017) p 13; Information Commissioner’s Office, ‘Guide to the GDPR: Right to access’ (22 May 2019) (stating that 'even if you have a form, you should note that a subject access request is valid if it is submitted by any means, so you will still need to comply with any requests you receive in a letter, a standard email or verbally [..] although you may invite individuals to use a form, you must make it clear that it is not compulsory'). ↩︎
Article 29 Working Party, Guidelines on the Right to Data Portability (WP 242) (13 December 2016) 8. ↩︎
Note that opinions, inferences and the like are considered personal data. See Case C‑434/16 Peter Nowak v Data Protection Commissioner  ECLI:EU:C:2017:994, 34. ↩︎
Case C‑154/21 Österreichische Post AG ECLI:EU:C:2023:3. ↩︎
Article 29 Working Party, ‘Guidelines on Consent under Regulation 2016/679’ (WP259 rev.01, 10 April 2018) 13. ↩︎
Article 29 Working Party, ‘Guidelines on Transparency under Regulation 2016/679’ (WP260 rev.01, 11 April 2018), page 35. ↩︎