When your data is identified, must the copy be provided?
In November 2025, a data subject exercised a right that is meant to be straightforward. An email was sent to Worldline IT Services UK Limited, addressed to its Data Protection Officer, invoking Articles 12–15 of the UK GDPR. The request asked how personal data had been processed and disclosed. It was made in writing, clearly and directly. It did not use a proprietary form which Worldline use via the compant OneTrust. It did not rely on a portal. It did not seek to bypass process. It asked, in ordinary terms, for access.
From the outset, Worldline UK accepted that the request was valid. In correspondence responding to debate over whether the data subject could be compelled to use an online access portal (OneTrust), the company confirmed, accurately, that a subject access request “may be made verbally or in writing” and that “the method of submission is unrestricted.” That acknowledgment is significant. It marks the point at which procedural preference yields to principle: access does not depend on format.
Yet what followed illustrates how easily that principle can narrow in practice.
Early responses focused less on the substance of the request than on how it should be handled. The requester was encouraged to submit the same request again through an internal platform, described as a tool designed to ensure traceability and compliance. The advantages of the system were explained carefully and at length though only insofar as it benefitted Worldline UK.
There is nothing unusual in an organisation preferring structured workflows. What is notable is that this preference was articulated alongside an express concession that no such workflow was required by the ICO guidance. The right of access was recognised as freestanding, even as it was gently reframed as something better exercised through corporate infrastructure. For a reader unfamiliar with data protection law, that tension may pass unnoticed. For those who understand it, the point is simple: a statutory right does not improve by being routed through a system, and it does not diminish when exercised outside one.
Put more simply, this means that while a company may prefer you to use its online forms or internal systems, it cannot insist on them.
The Response
In December 2025, Worldline UK issued its response. The format was familiar. The email contained a narrative explanation and an annexed table. The “schedule” table listed categories of personal data, recipients, and general purposes of processing.
What it did not include were actual copies of the materials in which the personal data appeared. Emails were not produced. Records were not reproduced. Communications were not disclosed. Instead, the response drew a boundary around what Worldline UK considered the requester “entitled” to receive, stating that information beyond the annex would not be provided.
This is the moment at which the question of access becomes a question of meaning.
There is a material difference between being told about data and being allowed to see it. That difference is not academic. A description can confirm that data exists. A copy allows a person to read what was written, understand context, and check whether the data has been used accurately. One reassures. The other verifies.
The annex provided by Worldline UK performs the first function well. It catalogues. It summarises. It situates processing within organisational structures. What it does not do is allow inspection of the data itself.
By the time this issue was raised again in January 2026, the statutory one-month period for responding to the data subject access request had already expired, and no extension under Article 12(3) UK GDPR had been notified. The follow-up was narrow and precise. It asked why, where no legal professional privilege or other exemption had been asserted, copies of the personal data were not being provided.
At that point, the only material supplied within the statutory period was a schedule response accompanied by a descriptive annex according to Worldline’s opinion of the data. In those circumstances, some readers may reasonably ask whether providing only a high-level schedule, without copies of the personal data itself and without reliance on a stated exemption, is consistent with the obligations imposed by Articles 12 and 15 UK GDPR. That question was put directly to Worldline UK. It remains unanswered.
One of the more revealing aspects of the exchange is its language. The response states that Worldline UK “does not intend to provide” certain material and that it will not provide information to which the requester is “not entitled.”
In everyday terms, the law does not ask organisations to explain your data to you — it asks them to provide it.
It subtly shifts the centre of gravity away from a right of access and towards the discretion of the controller. Access rights are not permissions conferred by organisations. They are obligations imposed on them. When the language of response begins to resemble policy rather than disclosure, that balance begins to tilt.
Worldline UK also referred to identity verification, validation steps, and clock-stopping. These are legitimate considerations.
This article does not provide legal advice, nor does it seek to determine definitively whether the response complies with data protection law. Its purpose is narrower and more practical. It documents, in real time, how a data subject access request is dealt with by large organisations using Worldline UK as a test case.
That exercise matters in the public interest. Data protection rights are experienced not in statutes or guidance, but in correspondence between individuals and corporations that hold significant volumes of personal data. How large organisations respond to those requests, what they provide, what they withhold, and how and if they are candid, shapes the real-world meaning of those rights. Setting out that process transparently allows readers to see how accountability operates in practice, and to judge for themselves whether access is being delivered as substance, or as form.
Put simply, this is about whether people can actually see the information held about them, or are only told about it. For large organisations, the way they handle such requests sets the practical limits of a right that is meant to apply to everyone.
The correspondence and annex reproduced below are published without commentary or alteration, save for the redaction of personal contact details. They are offered as a record. Read together, they show how access is delivered at the level of description rather than inspection, and they make one point unmistakably clear: members of the public do not need a portal, a login, or a proprietary form to ask for their own data, even when encouraged to use one.
That alone is worth setting out.
The question that remains is also simple. When personal data has been identified, and no exemption is relied upon, what does access require in practice, a summary, or the data itself? As organisations increasingly seek rely on schedules and tables to respond to requests, that question will not go away. It will be answered, one request at a time, in exchanges like this.
Disclaimer
This article is published in the public interest for informational purposes only. It does not constitute legal advice, regulatory guidance, or a determination of compliance or non-compliance with data protection law. The article does not allege wrongdoing by Worldline IT Services UK Limited or any individual. It documents and describes, based on contemporaneous correspondence, how a data subject access request was handled in practice, and raises questions of transparency and access that arise from that record. The correspondence and annex reproduced below are published verbatim, save for the redaction of personal contact details. No words have been altered, and no commentary has been inserted into the documents themselves. Readers are invited to draw their own conclusions.
