Q&As

Handling data subject requests—if I request further identity information, when does the clock start ticking?

Published on LexisPSL on 13/11/2020

The General Data Protection Regulation, Regulation (EU) 2016/679 (GDPR) provides enhanced rights for data subjects, including rights of access, rectification, erasure and restriction of processing, data portability and a right to object to processing, with strict time limits for complying.

Under the GDPR, you must respond to a data subject request without undue delay and in any event within one month of receipt of the request.

That period may be extended by two further months where necessary, taking into account the complexity and number of the requests. You must inform the data subject of any such extension within one month of receipt of the request, together with the reasons for the delay. See Q&As: What makes a data subject access request ‘complex’?, How long do I have to comply with an access request? and How do I calculate the time limit for responding to a data subject request?

One of the first steps on receiving a data subject request should be to confirm the requester’s identity (and so avoid a data breach). There are limits to when and how you should request identity information, but if you have doubts about the identity of the person making the request, you can, within reason, ask for more information.

For more information, see Practice Note: Handling data subject requests—Identifying the person making the request and Preceden
