← FFCheckAm I Allowed?ES
First copy of the data free, a reply within one month
Updated July 2026

🔐 How do I ask a company for access to my personal data under the GDPR?

Yes
Quick answer

Yes, under Article 15 of the General Data Protection Regulation (GDPR) and the Personal Data Protection Act (ZVOP-2) you have the right to learn from any controller whether it processes your personal data, and to see and get a copy of that data. You may make the request in writing or orally, without giving reasons. The controller must reply without undue delay and within one month at the latest; the deadline may be extended by up to two months if there are many or complex requests, of which it must inform you. The first copy of the data is free, while for further copies or manifestly unfounded and excessive requests it may charge a reasonable fee. The widespread myth that a company can simply refuse access or always charge for it is wrong - a refusal must be reasoned and open to complaint. The supervisory authority is the Information Commissioner (IP-RS), to whom you can complain if the controller does not reply or unjustifiably refuses. ZVOP-2 has applied in Slovenia since 26 January 2023.

📋 The rules

  • The right to access and a copy comes from Article 15 GDPR and ZVOP-2 (in force since 26 January 2023).
  • You may request it orally or in writing, without giving reasons; the controller may verify your identity.
  • The reply deadline is one month, exceptionally extendable by up to two months with notice of the reasons.
  • The first copy is free; a reasonable fee applies only to further copies or manifestly excessive, repeated requests.
  • If the controller refuses or stays silent, you can lodge a complaint with the Information Commissioner (IP-RS).

🔓 Exceptions

  • For state bodies and municipalities ZVOP-2 requires a formal decision; a complaint goes to IP-RS within 15 days of service.
  • The right to a copy must not affect the rights of others; the controller may redact third parties' data.
  • Manifestly unfounded or excessive (repeated) requests may be refused or charged for by the controller.

⚠️ Penalties & fines

A breach of the right of access is a data-protection breach, for which the GDPR sets high administrative fines - up to €20 million or 4% of annual worldwide turnover, whichever is higher. Supervision is carried out by the Information Commissioner, who can inspect, issue a decision with measures and fine the offender; for bodies to which GDPR administrative fines do not apply (such as the public sector), ZVOP-2 sets its own regulatory fines. An individual who suffers material or non-material damage from the breach can claim compensation from the controller in court. Beyond the money, a breach means a loss of trust and reputation, and the controller often has to set up proper procedures at its own expense. Ignoring the request or staying silent counts as a refusal, which opens the way to a complaint and supervisory action.

📎 Official sources

Last verified: 2026-07-12

❓ Frequently asked

How do I make an access request?

You can make the request orally or in writing directly to the controller that processes your data, and you need not give reasons. The controller may verify your identity before complying, so it does not hand the data to the wrong person.

Within what deadline must I get a reply?

The controller must reply without undue delay and within one month of receiving the request at the latest. It may extend this by up to two months if the request is complex or there are many requests, but it must inform you of the extension and the reasons.

Do I have to pay for a copy?

The first copy of your personal data is free, while for each further copy the controller may charge a reasonable fee based on cost. It may also charge for manifestly unfounded or excessive, repeated requests.

What if the company does not reply?

If the controller does not reply in time or unjustifiably refuses, you can lodge a complaint with the Information Commissioner. It can carry out an inspection, order the controller to comply and impose a fine for the data-protection breach.

Can I access data held by a state body?

Yes, you also have the right of access with state bodies and municipalities, and they must decide on the request by a formal decision. You can challenge their decision by complaining to the Information Commissioner within 15 days of service.

🔎 Common searches

What people search to land here:

  • “access to personal data gdpr”
  • “data subject access request”
  • “right to a copy of data”
  • “gdpr one month deadline”
  • “information commissioner complaint”
  • “zvop-2 individual rights”

🔗 Related questions