Handling data subject requests

The following Risk & Compliance guidance note provides comprehensive and up-to-date legal information covering:

  • Handling data subject requests
  • Identifying a data subject request
  • Initial steps
  • Identifying the person making the request
  • Time limits
  • Dealing with unfounded or excessive requests
  • Identifying the data that the request relates to
  • Identifying the data subject from the data held
  • Dealing with third-party data
  • Exemptions and exclusions

Brexit: As of exit day (31 January 2020), the UK is no longer an EU Member State, but it has entered an implementation period during which it continues to be treated by the EU as a Member State for many purposes. The UK must continue to adhere to its obligations under EU law, including in relation to data protection, and the ICO has confirmed the GDPR will continue to apply during the implementation period. For more information, see: Practice Note: Brexit—implications for data protection.

Individuals have a number of rights in respect of their personal data under the General Data Protection Regulation, Regulation (EU) 2016/679 (GDPR):

  1. a right of access

  2. rights to rectification, erasure and restriction of processing

  3. a right of data portability

  4. a right to object to processing

  5. a right not to be subject to a decision based solely on automated processing, including profiling

A data subject can make a request to a data controller to exercise one or more of these rights at any time. They do not need to explain their reasons for making a request and there are strict time limits for complying. Responding to a data subject request can be onerous for a data controller and in most cases you cannot charge the data subject for complying with their request.

With this in mind, it is essential to put