Finding, getting and understanding: the user journey for the GDPR’S right to access

ABSTRACT In both data protection law and research of usable privacy, awareness and control over the collection and use of personal data are understood to be cornerstones of digital sovereignty. For example, the European General Data Protection Regulation (GDPR) provides data subjects with the right to access data collected by organisations but remains unclear on the concrete process design. However, the design of data subject rights is crucial when it comes to the ability of customers to exercise their right and fulfil regulatory aims such as transparency. To learn more about user needs in implementing the right to access as per GDPR, we conducted a two-step study. First, we defined a five-phase user experience journey regarding the right to access: finding, authentication, request, access and data use. Second, and based on this model, 59 participants exercised their right to access and evaluated the usability of each phase. Drawing on 422 datasets spanning 139 organisations, our results show several interdependencies of process design and user satisfaction. Thereby, our insights inform the community of usable privacy and especially the design of the right to access with a first, yet robust, empirical body.

• Publication year

  2022

• Venue

  Behavior and Information Technology

• Publication date

  2022-05-27

• Fields of study

  Law, Computer Science

• Identifiers
  DOI 10.1080/0144929X.2022.2074894
• External record

  Open on Semantic Scholar

• Source metadata

  Semantic Scholar

• No claims are published for this paper.

• No concepts are published for this paper.

• A Case Study on the Implementation of the Right of Access in Privacy Dashboards

  2021cited by this paper
• Alexa, We Need to Talk: A Data Literacy Approach on Voice Assistants

  2021influential reference
• Data Privacy: A Driver for Competitive Advantage

  2021cited by this paper
• Personal Data Protection as an Element of Competitive Advantage

  2020cited by this paper
• "Miss understandable": a study on how users appropriate voice assistants and deal with misunderstandings

  2020cited by this paper
• User-friendly formulation of data processing purposes of voice assistants: a user perspective on the principle of purpose limitation

  2020cited by this paper
• How do app vendors respond to subject access requests? A longitudinal privacy study on iOS and Android Apps

  2020cited by this paper
• Data Dashboard: Exploring Centralization and Customization in Personal Data Curation

  2020cited by this paper
• Co-Regulation and the Competitive Advantage in the GDPR: Data Protection Certification Mechanisms, Codes of Conduct and the 'State of the Art' of Data Protection-by-Design

  2019cited by this paper
• A Study on Subject Data Access in Online Advertising After the GDPR

  2019influential reference
• Accomplishing Transparency within the General Data Protection Regulation

  2019cited by this paper
• The impact of transparency on mobile privacy decision making

  2019cited by this paper
• Can I Opt Out Yet?: GDPR and the Global Illusion of Cookie Control

  2019cited by this paper
• GDPR-Reality Check on the Right to Access Data: Claiming and Investigating Personally Identifiable Data from Companies

  2019influential reference
• Privacy-By-Design für das Connected Car: Architekturen aus Verbrauchersicht

  2018cited by this paper
• User control of personal data : A study of personal data management in a GDPR-compliant grahpical user interface

  2018cited by this paper
• EU-Datenschutz-Grundverordnung (DSGVO)

  2018cited by this paper
• Regulation (EU) 2016/679 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data (General Data Protection Regulation – GDPR)

  2018cited by this paper
• Home Sweet Home? Investigating Users’ Awareness of Smart Home Privacy Threats

  2018cited by this paper
• Should We Be Concerned About Data-opolies?

  2018cited by this paper
• Grounded Design: A Research Paradigm in Practice-based Computing

  2018cited by this paper
• How Portable is Portable?: Exercising the GDPR's Right to Data Portability

  2018cited by this paper
• Evolving Needs in IoT Control and Accountability

  2018influential reference
• Assessment of feedback modalities for wearable visual aids in blind mobility

  2017cited by this paper
• What Happened in my Home?: An End-User Development Approach for Smart Home Data Visualization

  2017cited by this paper
• The right to data portability in the GDPR: Towards user-centric interoperability of digital services

  2017cited by this paper
• So Much Promise, So Little Use: What is Stopping Home End-Users from Using Password Manager Applications?

  2017cited by this paper
• Designing a GDPR-Compliant and Usable Privacy Dashboard

  2017influential reference
• Grounded Design – a praxeological IS research perspective

  2017influential reference
• “This has to be the cats”: Personal Data Legibility in Networked Sensing Systems

  2016cited by this paper
• Visualization of Complex Health Data on Mobile Devices

  2016cited by this paper
• Watching Them Watching Me: Browser Extensions Impact on User Privacy Awareness and Concern

  2016cited by this paper
• Customer Data : Designing for Transparency and Trust

  2015cited by this paper
• "My Data Just Goes Everywhere: " User Mental Models of the Internet and Implications for Privacy and Security

  2015cited by this paper
• Theory of Planned Behavior

  2015cited by this paper
• Usable Transparency with the Data Track: A Tool for Visualizing Data Disclosures

  2015cited by this paper
• A Design Space for Effective Privacy Notices

  2015cited by this paper
• Instantiation Validity in IS Design Research

  2014cited by this paper
• My data store: toward user awareness and control on personal data

  2014cited by this paper
• Disagreeable Privacy Policies: Mismatches between Meaning and Users’ Understanding

  2014cited by this paper
• Patients want granular privacy control over health information in electronic medical records

  2013cited by this paper
• How can Cloud Users be Supported in Deciding on, Tracking and Controlling How their Data are Used?

  2013cited by this paper
• "Little brothers watching you": raising awareness of data leaks on smartphones

  2013cited by this paper
• Positioning and Presenting Design Science Research for Maximum Impact

  2013cited by this paper
• Big Data for All: Privacy and User Control in the Age of Analytics

  2012cited by this paper
• How to Ask for Permission

  2012cited by this paper
• Android permissions: user attention, comprehension, and behavior

  2012cited by this paper
• DESIGN THINKING VS. LEAN STARTUP: A COMPARISON OF TWO USER-DRIVEN INNOVATION STRATEGIES

  2012cited by this paper
• Engaging with practices: design case studies as a research framework in CSCW

  2011cited by this paper
• Exploring the Role of Control - Smart Meter Acceptance of Residential Consumers

  2010influential reference
• Understanding and designing appropriation infrastructures : artifacts as boundary objects in the continuous software development

  2010cited by this paper
• TaintDroid

  2010cited by this paper
• Determining what individual SUS scores mean: adding an adjective rating scale

  2009cited by this paper
• A comprehensive simulation tool for the analysis of password policies

  2009cited by this paper
• Theory Development in Design Science Research: Anatomy of a Research Project

  2008influential reference
• Privacy Awareness: A Means to Solve the Privacy Paradox?

  2008cited by this paper
• Perceived Control: Scales for Privacy in Ubiquitous Computing

  2007cited by this paper
• The role of theory and theorising in Design Science research

  2006cited by this paper
• How to Conduct a Heuristic Evaluation

  2006cited by this paper
• The Nature of Theory in Information Systems

  2006influential reference
• A framework for Design Science research activities

  2006cited by this paper
• Independent consultant

  2003cited by this paper
• Internet Use Among College Students: An Exploratory Study

  2001cited by this paper
• Intelligibility and Accountability: Human Considerations in Context-Aware Systems

  2001cited by this paper
• A simple way to calculate the gini coefficient, and some implications

  1997cited by this paper
• Making Passwords Secure and Usable

  1997cited by this paper

• Digital Sovereignty and The Right To Data: A Comparative Study Between Indonesia, The European Union, and The United States

  2025cites this paper
• Streaming Intelligence: Securing, Scaling and Observing Cloud-Native Data Pipelines with LLMOps

  2025cites this paper
• Unravelling the customer journey: A conceptual framework and research agenda

  2025cites this paper
• Evaluating GDPR right to information implementation in automated insurance decisions

  2025influential citation
• Sensitive data donation in practice: unforeseen challenges and lessons learned

  2025cites this paper
• "You Can either Blame Technology or Blame a Person..." --- A Conceptual Model of Users' AI-Risk Perception as a Tool for HCI

  2024cites this paper
• Unlocking personal data from online services: user studies on data export experiences and data transfer scenarios

  2024cites this paper
• How to Drill into Silos: Creating a Free-to-Use Dataset of Data Subject Access Packages

  2024cites this paper
• Online Content Creators’ and Viewers’ Interdependent Journeys

  2024cites this paper
• Access Your Data... if You Can: An Analysis of Dark Patterns Against the Right of Access on Popular Websites

  2024cites this paper
• Digital Sovereignty: What it is and why it matters for HCI

  2023cites this paper
• Needle in the Haystack: Analyzing the Right of Access According to GDPR Article 15 Five Years after the Implementation

  2023cites this paper