Access request GDPR: should you provide and retain copies of contracts?

Is a data subject entitled to a copy of the signed contract upon a request for inspection under the GDPR? And what if you can't find this contract due to a filing error? A recent decision by the Belgian Data Protection Authority (DPA) clarifies: yes, contracts are often essential to verify the lawfulness of processing. Their loss constitutes a breach of the security obligation, even if the contractual relationship still legally exists.

The facts

In this case, a customer (the complainant) filed a complaint against Bank Y with the Belgian Data Protection Authority (DPA). Through a request for access (Article 15 GDPR), the complainant had asked for access to his personal data, but specifically also for copies of the opening contracts of his accounts and the corresponding bank cards.

The bank provided a summary of the personal data processed and referred to the terms and conditions on its website. However, for one specific account number, the bank had to admit that it no longer held the physical opening contracts due to an “archiving problem.”

The bank argued that it had fulfilled its duties by providing the data itself (in a statement) and that the physical contracts were not necessary, as the contractual relationship was clear from the use of the account.

The decision and regulations

The Litigation Chamber of the DPA ruled on the merits in its decision 08/2026 dated Jan. 26, 2026. The judgement rests on two main pillars: the right to copy and accountability.

1. Right to copy documents (CRIF jurisprudence).

The DPA refers to the CRIF ruling of the European Court of Justice (C-487/21). Although Article 15 GDPR strictly speaking gives the right to access data and not documents per se, the DPA ruled that providing the contracts here was indispensable.

The reasoning is as follows: one of the purposes of the right of access is to enable the data subject to verify the lawfulness of the processing. Since the processing of bank data is based on the performance of a contract (Article 6.1.b GDPR), the contract is the basis of the processing. Without access to this contract, the complainant cannot effectively exercise his rights (such as restriction of processing). Thus, the contracts were an integral part of the access request.

2. Security and loss of documents.

The bank was able to demonstrate that a contractual relationship did exist (via transaction history and other elements), which meant that the processing itself remained lawful under Article 6 GDPR.

However, the fact that the bank could no longer produce the physical contract was sanctioned. The DPA found that the loss of the contracts violated Articles 5.1.f (integrity and confidentiality), 25.1 (data protection by design) and 32 (security of processing) of the GDPR. The bank was reprimanded for this.

Legal analysis and interpretation

This decision, in line with recent Court of Cassation case law (ruling of January 10, 2025), confirms that the DPA has authority to assess the existence of a contract in the context of data protection. However, the judgement has broader implications for corporate compliance strategies.

The boundary of “essential” documentation

The crux of the decision lies in the characterization of the contracts as “essential” to the exercise of the data subject's rights. This is consistent with the CRIF doctrine: you do not have to provide a copy of every document unless it is necessary to understand the context and accuracy of the data. In this case, the contracts were the corpus on which the processing relied. This opens the door to discussions of proportionality: a creative requester may argue that each source document is “essential” to verify that the data was entered correctly.

A slippery slope to “excessive” archiving?

The DPA explicitly states that the data controller must have “appropriate mechanisms” to assess the need and ability to recover lost contracts. This seems to place a heavy burden on organizations. Does this mean that all documents, including logs from IT systems, must be kept for years?

The answer is nuanced: not everything must be kept, but rather the documentation that provides the legal basis (in this case, the contract) for your processing. If you process pursuant to a contract, the document that proves that contract is not a “nice to have,” but a crucial part of your accountability.

Version control is crucial

For organizations working in a digital environment with Terms and Conditions (T&Cs) as the contractual basis, this ruling is a cautionary tale. It is not enough to say “the customer has accepted.” You must be able to demonstrate through strict version control which version of the terms and conditions was accepted by the customer at what time. Without this “snapshot,” you, like the bank in this case, risk being unable to comply with a request for inspection, resulting in a violation of Article 32 GDPR.

Specifically, what does this mean for your organization?

The impact of this decision extends beyond the banking sector. Any company that processes personal data under contract must consider the following action points:

  • Digitize paper archives: Don't rely on mere physical storage. The loss of a paper contract due to human error or disaster is a violation of the GDPR if there is no digital backup.
  • Centralize evidence: Make sure the documents that substantiate your processing grounds (signed bids, contracts, statements of agreement) are immediately retrievable in the event of a review request.
  • Version control of T&Cs: If you work with online ‘click-wrap’ agreements, make sure you have a foolproof system that records which version of the terms was active at the time of the click.
  • Data recovery procedure: The DPA expects a structured process to attempt to recover lost data. “It's gone” is not an acceptable response without demonstrating that you have made attempts at recovery.

Frequently asked questions (FAQ)

Am I required to provide a copy of the full contract in a GDPR request?
In many cases, yes. Although the GDPR refers to copies of data, case law (including the CRIF ruling and this DPA decision) states that you must provide copies of documents if it is essential for the data subject to verify the lawfulness of the processing. A summary is then not sufficient.

Is losing a contract a violation of the GDPR if the relationship is still ongoing?
Yes. Even if you can prove the existence of the cooperation in other ways (e.g. through invoices), the loss of the contract itself constitutes a breach of the security obligation (Art. 32 GDPR) and the principle of integrity (Art. 5.1.f GDPR). You must be able to securely retain the documents that justify your processing.

Should I also keep old versions of my terms and conditions?
Yes. To comply with accountability, you must be able to demonstrate the specific conditions under which a customer has had their data processed in the past. Good version control is essential to be able to present the correct information when a request for access is made.

Conclusion

This decision by the DPA reminds us that the GDPR is not just about bits and bytes, but also about proper document management. Not being able to produce a contract is not merely administrative sloppiness, but a sanctionable breach of security obligations. For companies in Belgium, the message is clear: your archiving, whether digital or physical, is an integral part of your GDPR compliance.


Joris Deene

Attorney-partner at Everest Attorneys
