Right of access — see what a company has on you (GDPR Art. 15)

The right of access (GDPR Art. 15) is your most important GDPR right. It unlocks all others: without seeing what they hold, you can't know what to correct, delete, or restrict. What do you get? A copy of all personal data they hold on you, plus an explanation of: processing purposes, data categories, recipients (who else got it?), retention period, your rights, source of data if not from you, and whether automated decision-making is involved. How to request? In writing (email or letter). No prescribed form. Include: your name, contact details, ID (passport copy with BSN and photo number blocked except face), and what you want to see. Many businesses have a DPO email or web form. Response time: 1 month, extendable by 2 additional months for complex requests (Art. 12(3)) — they must inform you of this within the first month. Cost: first copy is free. For repeated or clearly unreasonable requests they may charge "reasonable fees" or refuse. Exceptions: they may refuse if your request infringes others' rights (e.g. data of another customer in the same email thread). Medical records may also have sector-specific rules (Dutch WGBO). If they don't respond? Send a formal demand letter (final 2-week notice). No response? Complaint to the Autoriteit Persoonsgegevens. Example: Booking.com retains your search and booking history, payment methods, IP addresses, devices, customer service messages. An access request often yields a ZIP with hundreds of MB of JSON files — a goldmine for seeing what they actually hold.