The DPA Subject Access Request response document is a mandatory compliance requirement under both the GDPR and German Federal Data Protection Act (BDSG). It must be provided when an individual (data subject) exercises their right to access their personal data under Article 15 GDPR. The document must be provided within one month of receipt of the request (with possible extension under specific circumstances) and should contain comprehensive information about all personal data processing activities, including the purposes of processing, categories of data, recipients, retention periods, and data subject rights. This response template is specifically designed to meet German legal requirements while ensuring full GDPR compliance, incorporating necessary elements to address both EU-wide and German-specific data protection obligations.
Thank you! Your submission has been received!
Oops! Something went wrong while submitting the form.
Your data doesn't train Genie's AI
You keep IP ownership of your docs
Alternatively...
1. Identity Confirmation: Confirmation of the data subject's identity and verification of their right to access
2. Request Acknowledgment: Formal acknowledgment of the subject access request, including date received and reference number
3. Processing Confirmation: Confirmation whether personal data concerning the data subject is being processed
4. Data Categories: List of categories of personal data being processed
5. Processing Purposes: Detailed explanation of the purposes for which the data is being processed
6. Recipients Disclosure: Information about recipients or categories of recipients with whom data has been or will be shared
7. Retention Period: Information about the planned data retention period or criteria used to determine it
8. Data Subject Rights: Information about the right to rectification, erasure, restriction of processing, and right to object
9. Complaint Rights: Information about the right to lodge a complaint with a supervisory authority
10. Data Source: Information about the source of the data (if not collected directly from the data subject)
11. Automated Decision-Making: Information about any automated decision-making, including profiling, and related logic
1. International Transfers: Required only if personal data is transferred to third countries or international organizations, including information about appropriate safeguards
2. Additional Data Subject Information: Any additional information specific to the data subject's circumstances or special categories of data
3. Processing Restrictions: Include when there are specific limitations or restrictions on the processing of the data subject's information
4. Third-Party Rights: Required when the response contains information about other individuals and explains handling of such third-party data
1. Data Inventory: Detailed list of all personal data held about the data subject, organized by data category
2. Processing Activities Log: Chronological log of processing activities related to the data subject's personal data
3. Data Sharing Record: Detailed record of all instances where the data subject's data has been shared with third parties
4. Technical Glossary: Explanation of technical terms and processing methods used in the response
5. Supporting Documentation: Copies of relevant documents, such as privacy notices or consent forms, referenced in the response
Is a DPA Subject Access Request response legally binding under German law?
Yes, DPA Subject Access Request responses are legally binding in Germany under Article 15 of the GDPR and the German Federal Data Protection Act (BDSG). Data controllers must provide complete and accurate information within one month of receiving the request. Failure to comply can result in administrative fines up to €20 million or 4% of annual global turnover under GDPR Article 83.
Do I need a lawyer to prepare a GDPR Article 15 response in Germany?
While not legally required, consulting a data protection lawyer is highly recommended for complex cases or large organizations. The response must comply with strict GDPR and BDSG requirements, and mistakes can lead to significant penalties. Small businesses with straightforward data processing may handle simple requests internally with proper templates and guidance.
What happens if my DPA Subject Access Request response is incomplete or missing information?
Incomplete responses violate GDPR Article 15 and can trigger enforcement action by German data protection authorities. The data subject can file a complaint with their state data protection authority (Landesdatenschutzbehörde), potentially leading to investigation and fines. You may also face civil claims for damages under GDPR Article 82.
Authors
Find the document you need
DPA Subject Access Request
A formal response document to a data subject access request under German law and GDPR, detailing personal data processing information and subject rights.
Download
Genie’s Security Promise
Genie is the safest place to draft. Here’s how we prioritise your privacy and security.
Your data is private:
We do not train on your data; Genie’s AI improves independently
All data stored on Genie is private to your organisation
Your documents are protected:
Your documents are protected by ultra-secure 256-bit encryption
We are ISO27001 certified, so your data is secure
Organizational security:
You retain IP ownership of your documents and their information
You have full control over your data and who gets to see it
