This tool is not a lawyer and does not provide legal advice. It is an experimental tool for general information only.

GDPR Data Access Rights: How to Request Your Personal Data in Germany & Austria (2026)

You Have a Right to Know What Companies Know About You

Under the General Data Protection Regulation (GDPR, in German DSGVO), every person in the EU has the right to request a copy of their personal data held by any company, organization, or public body. This is called the right of access (Auskunftsrecht). In Germany and Austria, this right is enforced by national data protection authorities (Datenschutzbehörden) and can be exercised free of charge in most cases.

This guide explains what the law says, how to make a request step by step, and what to do if an organization refuses or delays. We cover the specific legal frameworks in Germany and Austria, including the Bundesdatenschutzgesetz (BDSG) and Datenschutzgesetz (DSG).

What the Law Actually Says

Article 15 of the GDPR (Art. 15 DSGVO) grants you the right to obtain confirmation as to whether your personal data is being processed and, if so, access to that data and to specific information, including:

  • The purposes of processing
  • The categories of personal data concerned
  • The recipients or categories of recipients (especially in third countries)
  • The envisaged storage period or the criteria used to determine it
  • The existence of the right to rectification, erasure, restriction, and objection
  • The right to lodge a complaint with a supervisory authority
  • Any available information about the source of the data (if not collected from you directly)
  • The existence of automated decision-making, including profiling

In Germany, the GDPR is supplemented by the Bundesdatenschutzgesetz (BDSG, Federal Data Protection Act), which provides limited exceptions for trade secrets and certain public interests (§ 34 BDSG). In Austria, the Datenschutzgesetz (DSG, Data Protection Act) contains similar provisions, but with some differences in enforcement and exceptions.

Step-by-Step: How to Request Your Data

Step 1: Identify the Data Controller

Before you request, determine which organization holds your data. This could be a social media platform, your employer, a bank, an insurance company, a telecom provider, or even a government agency. The controller is the entity that decides why and how your data is processed.

Step 2: Prepare Your Request

You do not need to use a special form. A simple email or letter is sufficient. However, to ensure your request is legally valid, include:

  • Your full name and address (for identification)
  • A clear statement: “I am exercising my right of access under Article 15 GDPR” (Ich mache mein Auskunftsrecht gemäß Art. 15 DSGVO geltend)
  • Specific details if you only want certain data (e.g., “all data related to my account from January 2020 to December 2025”)
  • Proof of identity (e.g., a copy of your ID, but only if necessary – you can black out the ID number)

Sample opening sentence: “I hereby request access to all personal data you process about me, in accordance with Art. 15 DSGVO. Please provide this information in a commonly used electronic format.”

Step 3: Send the Request

Send the request to the data protection officer (Datenschutzbeauftragter) or the customer service address of the organization. Keep a copy and proof of sending (e.g., email with read receipt or registered mail).

Step 4: Wait for a Response

The controller must respond within one month (Art. 12(3) GDPR). In complex cases, this can be extended by two months, but they must inform you of the delay. The response must include the information listed above, and in most cases, a copy of your data is provided free of charge. If the request is manifestly unfounded or excessive, the controller may charge a reasonable fee or refuse.

Step 5: What to Do If They Refuse or Ignore You

If the organization does not respond, delays unreasonably, or refuses without a valid legal basis (e.g., trade secrets under § 34 BDSG), you can:

  • File a complaint with the data protection authority (Datenschutzbehörde) – in Germany, this is the Bundesbeauftragter für den Datenschutz und die Informationsfreiheit (BfDI) for federal bodies, or the respective state authority (Landesdatenschutzbeauftragter); in Austria, it is the Datenschutzbehörde (DSB).
  • Seek a court order (but this is rarely needed if you go to the authority first).

Jurisdiction-Specific Nuances: Germany vs. Austria

Germany

In Germany, the BDSG provides an important exception: under § 34 BDSG, a controller may refuse to provide access if the data is processed for scientific research purposes or if providing access would reveal trade secrets or confidential information. However, this exception is interpreted narrowly by courts. Additionally, Germany has 16 state data protection authorities, so the correct authority depends on where the controller is based. For private companies, it is usually the authority of the state where the company has its main establishment.

Austria

Austria’s DSG (Datenschutzgesetz) largely mirrors the GDPR but includes specific provisions for video surveillance (§ 12 DSG) and employee data (§ 13 DSG). The Austrian Datenschutzbehörde (DSB) is the single national authority, making it easier to file a complaint. Austrian law also allows for a fee of up to € 20 for repeated or excessive requests, but the first request per year is free.

Practical Differences

In Germany, you may need to specify whether you want data from a specific time period because controllers sometimes argue that broad requests are excessive. In Austria, the DSB has taken a more user-friendly stance, emphasizing that controllers must provide a complete overview even without specific time frames. In both countries, always keep records of your communication.

Frequently Asked Questions (FAQ)

1. Do I have to pay for my data?

No, the first copy of your data must be provided free of charge (Art. 12(5) GDPR). However, if you make repeated or excessive requests, the controller may charge a reasonable fee based on administrative costs.

2. Can my employer deny my request?

Employers can deny access only if it would reveal trade secrets or violate the rights of other employees (e.g., in disciplinary proceedings). In Germany, § 34 BDSG and court rulings (e.g., BAG, Urteil vom 27.07.2021) provide limited exceptions, but you should still request and then complain if denied.

3. How long does the company have to respond?

One month from receipt of your request. The controller can extend this by two months if the request is complex, but they must inform you within the first month.

4. What format will I get my data in?

You have the right to receive the data in a commonly used electronic format (e.g., PDF, CSV, or JSON). The controller cannot force you to accept a paper copy if you prefer digital.

5. What if the company says they deleted my data?

They must still provide information about the deletion, including why and when it was deleted, unless this is impossible or involves disproportionate effort. If they claim deletion, ask for proof.

6. Can I request data from a company in another EU country?

Yes, the GDPR applies across the EU. If the company is based in another member state, you can still request data. If they refuse, you can complain to the data protection authority in your country, which will cooperate with the authority in the other country.

Official Resources

For further reading and to file a complaint, use these official sources:

Remember: This article provides general information, not legal advice. If you face a complex situation, consult a lawyer specializing in data protection law.
