Germany

How do I exercise my right to access my personal data?

1 month
Response deadline
Free
No fee required
Art. 15 GDPR
Legal basis
BDSG §83
Remedy for violation
The Short Answer

You can request access to your personal data in writing or electronically from any data controller; they must respond within one month, free of charge, and provide a complete, intelligible copy of all your processed data.

What the Law Says

Your right to access personal data is guaranteed under EU law and directly applicable in Germany. It allows you to confirm whether a company or organization is processing your data—and if so, to obtain a full, clear copy of that data.

The primary legal basis is Article 15 of the General Data Protection Regulation (GDPR), which applies directly in Germany. It gives you the right to obtain confirmation from a data controller about whether your personal data is being processed, and—where applicable—to access that data, including its purpose, categories, recipients, storage period, and source.

While BDSG § 83 does not govern the access request itself, it provides a critical remedy: if a controller unlawfully refuses or fails to comply with your access request (e.g., by withholding data without justification), and this causes you harm—including non-material damage like distress—you may claim compensation under this provision.

Importantly, the access right is free of charge for the first request. Controllers may charge a reasonable fee only for manifestly unfounded or excessive requests—but they bear the burden of proving this.

Statutory Text

Hat ein Verantwortlicher einer betroffenen Person durch eine Verarbeitung personenbezogener Daten, die nach diesem Gesetz oder nach anderen auf ihre Verarbeitung anwendbaren Vorschriften rechtswidrig war, einen Schaden zugefügt, ist er oder sein Rechtsträger der betroffenen Person zum Schadensersatz verpflichtet.

BDSG § 83 (1) — German Federal Data Protection Act

What Courts Have Said

German courts have clarified that the right to access is broad and practical—not merely symbolic—and requires controllers to deliver usable, meaningful information.

BGH VI ZR 223/22
Bundesgerichtshof, 6. Zivilsenat · 2024

The court confirmed that the right to access under Art. 15 GDPR includes internal notes, emails, and correspondence containing personal data—unless a specific exemption (e.g., third-party rights or confidentiality) applies. The response must be comprehensive and intelligible, not fragmented or redacted beyond necessity.

What to Do

1

Submit a clear, written or electronic request to the controller’s data protection officer or general contact address—include your name, contact details, and description of the data you seek.

2

Keep proof of submission (e.g., email receipt, registered mail tracking number).

3

If you receive no reply within one month—or an incomplete, unclear, or unjustifiably refused response—file a complaint with the competent German data protection authority (e.g., LfDI Baden-Württemberg or BfDI for federal matters).

4

If you suffer material or non-material damage (e.g., stress, reputational harm) due to the violation, consider seeking compensation under BDSG § 83—possibly via civil litigation.

Sources

statuteBDSG § 83 — Right to compensation for data protection violationscaseBGH VI ZR 223/22 (2024) — Right to access includes internal correspondence

Related Questions

What rights do I have under the GDPR in Germany?Can I request a company to delete all my personal data?Can I sue for damages after a data protection violation?What can I do if a company has a data breach affecting me?

Same Question, Other Jurisdictions

CanadaAustraliaIrelandSingaporeEuropean UnionIndiaUKUS-CaliforniaCompare all →

Not legal advice. This article is general information based on publicly available sources, written for educational purposes. Laws change and individual situations vary. Consult a licensed attorney in your jurisdiction before acting on anything you read here. Last reviewed: June 2026.