European Union

A company won't tell me why they're processing my data. What information must they provide?

1 month
Response deadline
GDPR Art. 15
Right of access
GDPR Art. 13
Pre-processing info
Free of charge
First request cost
The Short Answer

Under EU law, a company must tell you why they’re processing your data, what legal basis they rely on, who receives it, how long it’s kept, and your rights — all within one month of your request.

What the Law Says

The General Data Protection Regulation (GDPR) gives you strong rights to know how and why your personal data is being processed. Companies must be transparent — both before collecting your data and when you ask for details.

When a company collects your data directly (e.g., via a sign-up form), they must provide key information at the time of collection — including the purpose of processing, the legal basis (e.g., consent or legitimate interest), recipients of the data, retention periods, and your right to withdraw consent or lodge a complaint.

If you make a formal request (a 'subject access request'), the company must respond within one month. They must confirm whether they’re processing your data, and if so, provide: the purposes of processing; the categories of personal data concerned; the recipients or categories of recipients; the envisaged retention period; the existence of your rights to rectification, erasure, restriction, objection, and to lodge a complaint; and where the data wasn’t collected from you, the source.

This information must be provided free of charge for the first request. A reasonable fee may be charged only for manifestly unfounded or excessive requests.

Statutory Text

The controller shall provide the data subject with a copy of the personal data undergoing processing. The controller may charge a reasonable fee based on administrative costs for any further copies requested by the data subject.

Regulation (EU) 2016/679, Art. 15(3) — Right of access by the data subject
Statutory Text

Information to be provided where personal data are collected from the data subject: the identity and contact details of the controller… the purposes of the processing… the legal basis for the processing… the recipients… the period for which the personal data will be stored… the existence of the right to request… erasure… restriction… objection… and the right to lodge a complaint.

Regulation (EU) 2016/679, Art. 13(1)–(2) — Information to be provided where personal data are collected from the data subject

What to Do

1

Submit a clear, written request (email is acceptable) to the company’s data protection officer or general contact address, asking for the purposes and legal basis of processing your data.

2

Keep a record of when you sent the request — the company has one month to respond (extendable by two months for complex requests, with explanation).

3

If they refuse or don’t reply, contact your national data protection authority (e.g., CNIL in France, ICO in the UK pre-Brexit, or the Irish DPC for many EU-based tech firms).

4

You can also ask for correction, erasure, or restriction of processing if the information provided shows misuse.

Sources

statuteRegulation (EU) 2016/679, Art. 13 — Information to be provided where personal data are collected from the data subjectstatuteRegulation (EU) 2016/679, Art. 15 — Right of access by the data subject

Not legal advice. This article is general information based on publicly available sources, written for educational purposes. Laws change and individual situations vary. Consult a licensed attorney in your jurisdiction before acting on anything you read here. Last reviewed: 2026-06-08.