GDPR
GDPR Access Requests: 83.5% Failed, Says noyb
By Steven | TrustYourWebsite2 min read
Source: noyb.eu
What happened
According to noyb, a European privacy rights organisation, only 16.5% of access requests it filed with companies over the past eight years received a satisfactory reply. The analysis, published on 16 April 2026, covered 121 access requests filed since 2018.
According to noyb's findings, 53.7% of replies were incomplete and almost 30% received no reply at all. In total, noyb reports that 83.5% of access requests were not answered in line with the law.
It is worth noting that these figures come from noyb's own internal analysis, not from a regulatory authority. The statistics are self-reported by noyb, so they should be read with that context in mind.
What is a right of access?
Under Article 15 GDPR, people have the right to ask any company what personal data it holds about them. This is one of the most commonly used rights under data protection law. Companies are required under Article 12(5) GDPR to respond properly to these requests.
According to noyb, companies including TikTok, AliExpress, WeChat and Xandr (a Microsoft subsidiary) are cited as examples of businesses that failed to fulfil access requests, even after multiple follow-up attempts.
Why noyb published this now
According to noyb, the analysis is a direct response to a European Commission proposal called the Digital Omnibus, which would restrict the right of access under Articles 12(5) and 15 GDPR. The proposal reportedly argues that the right of access is being widely "abused" by individuals.
noyb disputes this framing. According to the organisation, the real problem is not abuse by individuals but non-compliance by companies. noyb uses these findings to argue against the proposed restrictions.
No fine or regulatory decision was issued as part of this analysis.
What does this mean for your website?
If someone contacts your business asking to see the personal data you hold about them, you are legally required to respond properly under Article 15 GDPR. Ignoring or giving an incomplete answer to an access request is itself a compliance problem, regardless of what changes may come from future legislation. If you are unsure whether your business handles these requests correctly, our GDPR compliance checklist and privacy policy requirements guide are a good place to start.
Check your website now
Free website scan covering GDPR, copyright, accessibility, security, and more.
Start free checkRelated articles
GDPR
Digital Omnibus Report: noyb Analysis & EDPB Opinion
noyb published version 3 of its Digital Omnibus analysis report on 24 February 2026, adding commentary on the joint EDPB/EDPS opinion on the data part of the Digital Omnibus published on 11 February…
2 min read
GDPR
Dutch AP Warns: Orgs Fail to Limit Data Breach Impact
The Dutch Data Protection Authority (Autoriteit Persoonsgegevens) published a position paper stating that many organisations fail to take measures to limit the impact of data breaches, ahead of a…
2 min read
CookiesGDPR
ICO's New Cookie Rules: What UK Website Owners Need to Do
The ICO has published its final guidance on cookies and tracking tech. Here's what changed under the new rules and what your UK website needs to check now.
5 min read