Can I ask a company for all the data it holds on me?
Yes — this is the right of access, one of the strongest rights under the GDPR, and it is free. Article 15 of the GDPR lets anyone ask a public or private organisation (the data controller) whether it holds data about them, obtain a copy, and learn why and with whom it is shared. You have no reason to give. The controller must reply within one month, extendable by two months for complex requests, and the request is free — a reasonable fee is allowed only for a manifestly excessive or repetitive request. If there is silence or a refusal, the National Commission for Data Protection (CNPD) can be seized. The myth: "a company can charge me or refuse for no reason" — false; access is in principle free, time-limited, and an unjustified refusal exposes the controller to a complaint before the CNPD.
📋 The rules
- Article 15 of the GDPR: anyone can obtain confirmation that an organisation processes their data and receive a copy, with no need to justify the request.
- Reply within 1 month: the controller must reply within one month of receipt, extendable by 2 months for complex requests.
- Free in principle: the first copy is free; a reasonable fee is allowed only for a manifestly excessive or repetitive request.
- Identity check: the controller may ask for reasonable proof of identity to avoid disclosing your data to a third party.
- Recourse to the CNPD: if refused, ignored or answered incompletely, you can bring a complaint before the CNPD, then the courts.
🔓 Exceptions
- Rights of others: access must not adversely affect the rights of others; data concerning other people may be redacted.
- Excessive request: a manifestly unfounded or repetitive request may justify a reasonable fee, or even a reasoned refusal by the controller.
- Legal limits: certain processing (criminal investigations, security, secrecy) is governed by special regimes that restrict the right of access.
⚠️ Penalties & fines
The real leverage is the CNPD's power to sanction. A controller who ignores an access request, wrongly charges for it or replies out of time breaches the GDPR and faces a complaint; the CNPD can open an investigation, issue an order to comply, and impose administrative fines reaching, in the gravest cases, 20 million euros or 4% of worldwide turnover. The data subject also has a judicial remedy and can claim compensation for any harm suffered. For the organisation, the stakes are not only financial: mishandling people's rights erodes trust and reputation. Conversely, a manifestly excessive request or one made to harass can legitimately be charged for or set aside, with evidence to back it up.
📎 Official sources
- CNPD · the right of access to your personal data →
- EUR-Lex · GDPR, Regulation (EU) 2016/679, article 15 (Official Journal of the EU) →
- Guichet.lu · personal data protection and remedies →
❓ Frequently asked
Do I have to explain why I am asking for my data?
No, the right of access is exercised without having to give any reason or particular justification. You simply ask the organisation whether it processes your data, and you can obtain a copy along with information on the purposes and the recipients.
How quickly must the company reply?
The data controller must reply within one month of receiving your request. This period can be extended by a further two months for complex or numerous requests, provided it informs you and explains the reason within the first month.
Can I be charged to access my data?
In principle no, the first copy of your data is provided free of charge. A reasonable fee, based on administrative costs, is allowed only for additional copies or where the request is manifestly unfounded or excessive, in particular repetitive.
What can I do if the organisation does not reply or refuses?
You can lodge a complaint with the National Commission for Data Protection, which can investigate and order the organisation to comply. You also have a remedy before the courts and can claim compensation for any harm you may have suffered.
Can I ask for access to data held by an employer or the State?
Yes, the right of access applies to private organisations as well as to public authorities subject to the GDPR. Certain sensitive processing, such as that linked to security or criminal investigations, is nonetheless governed by special regimes that may limit this access.
🔎 Common searches
What people search to land here:
- “gdpr right of access luxembourg”
- “request personal data luxembourg”
- “cnpd access request luxembourg”
- “gdpr reply one month luxembourg”
- “free copy personal data luxembourg”
- “complaint cnpd data luxembourg”