Needle in the Haystack: Analyzing the Right of Access According to GDPR Article 15 Five Years after the Implementation

TL;DR

This study evaluates how well organizations comply with GDPR Article 15 by analyzing real-world data requests, revealing compliance levels, challenges, and patterns in data access experiences five years after regulation implementation.

Contribution

It provides a comprehensive quantitative analysis of GDPR Article 15 compliance, highlighting practical challenges and identifying patterns in data access requests across different organizations.

Findings

Some websites still compile data manually, causing delays.

A few organizations do not respond or provide non-machine-readable data.

Ten common patterns affect individuals' data access experiences.

Abstract

The General Data Protection Regulation (GDPR) was implemented in 2018 to strengthen and harmonize the data protection of individuals within the European Union. One key aspect is Article 15, which gives individuals the right to access their personal data in an understandable format. Organizations offering services to Europeans had five years' time to optimize their processes and functions to comply with Article 15. This study aims to explore the process of submitting and receiving the responses of organizations to GDPR Article 15 requests. A quantitative analysis obtains data from various websites to understand the level of conformity, the data received, and the challenges faced by individuals who request their data. The study differentiates organizations operating worldwide and in Germany, browser website- and app-based usage, and different types of websites. Thereby, we conclude that some websites still compile the data manually, resulting in longer waiting times. A few exceptions did not respond with any data or deliver machine-readable data (GDRP Article 20). The findings of the study additionally reveal ten patterns individuals face when requesting and accessing their data.