Handling data subject requests

The following Risk & Compliance guidance note provides comprehensive and up to date legal information covering:

  • Handling data subject requests
  • Identifying a data subject request
  • Initial steps
  • Identifying the person making the request
  • Time limits
  • Dealing with unfounded or excessive requests
  • Identifying the data that the request relates to
  • Identifying the data subject from the data held
  • Dealing with third-party data
  • Exemptions and exclusions

Individuals have a number of rights in respect of their personal data under the General Data Protection Regulation, Regulation (EU) 2016/679 (GDPR):

  1. a right of access

  2. rights to rectification, erasure and restriction of processing

  3. a right of data portability

  4. a right to object to processing

  5. a right not to be subject to a decision based solely on automated processing, including profiling

A data subject can make a request to a data controller to exercise one or more of these rights at any time. They do not need to explain their reasons for making a request and there are strict time limits for complying. Responding to a data subject request can be onerous for a data controller and in most cases you cannot charge the data subject for complying with their request.

With this in mind, it is essential to put in place appropriate systems and controls to manage the process of handling data subject requests, to make the process as efficient as possible and minimise the risk of non-compliance. This Practice Note considers some common features of data subject requests, issues that can arise when handling a request and compliance strategies to best equip your organisation to manage any requests it receives.

For more information on the criteria for individual data subject rights, please refer to the relevant Practice Notes and Flowcharts: