July 24, 2024
GDPR: Responding to Data Subject Requests
Responding to data subject requests is a big part of GDPR compliance. Here are the most frequently asked questions about handling DSRs.

The General Data Protection Regulation (GDPR) redefines the relationship between organizations that process personal data and the individuals whose data is being processed (data subjects). One of the most dramatic ways the GDPR does this is by creating the right for data subjects to make privacy requests regarding their personal data.

These data subject requests (DSRs) can cause considerable stress for organizations for a number of reasons: They involve direct interaction with consumers (who may report them for non-compliance), they must be completed within a time limit, there are numerous exceptions, and they require advance planning. However, with some preparation as part of a wider GDPR-compliance strategy, handling DSRs can become a routine and relatively painless task.

Frequently Asked Questions about Data Subject Requests

1. What are the Different Types of Data Subject Requests?

The GDPR creates six types of data subject requests:

  • Access request - Data subjects can obtain a copy of the personal data a controller has about them.
  • Deletion request - Also called an erasure request. A controller must delete the personal data it has about the data subject, with a few exceptions.
  • Request to correct inaccuracies - If a controller has inaccurate personal data about a data subject, it must correct those inaccuracies upon request.
  • Objection to processing - Data subjects can object to the use of their personal data for direct marketing, such as promotional emails or targeted advertising, at which point the controller must cease the direct marketing. They can also object to the processing of their data under certain lawful bases, including legitimate interests. The controller then has the burden of demonstrating compelling legitimate grounds for the processing that override the privacy interests of the data subject.
  • Request to limit processing - There are some situations where a data subject may request the controller to restrict its processing of their personal data to simple storage. These situations include: where the accuracy of the data is being contested, where the data subject has objected to the processing, and where the controller no longer needs the data but the data subject wants it retained for a legal claim.
  • Opt-out of automated decision-making - If a controller engages in automated decision-making that produces legal or similarly significant effects for the data subject, including profiling, the data subject can request human intervention.

2. Controllers & Processors: Who Has to Respond to a DSR?

Data controllers determine the purposes and means of processing personal data, while data processors only process personal data on behalf of a controller. Generally speaking, only the controller is responsible for responding to a data subject request, though processors must provide assistance (e.g., by deleting the relevant data or giving the controller a copy).

3. What Is the Time Limit for Responding to a DSR?

Controllers must complete a data subject request within one calendar month from the day they receive it. This period may be extended by two further months when necessary, taking into account the complexity and number of the requests. The data subject must be informed of this extension within the first month after receiving the request, along with an explanation for the delay.

4. Must We Verify the Requester’s Identity?

A controller should take reasonable and proportionate measures to verify a requester’s identity, especially before providing them access to personal data. If the controller already has other verification measures in place, such as a username and password, this will often suffice; if the personal data at issue is particularly sensitive or high-risk, other verification may be appropriate. However, verification should not be used to discourage data subjects from making requests. For example, if the requester wishes to opt out of direct marketing, the controller should not require proof of identity because there is no risk of harm. The time taken to verify the data subject’s identity does not pause the one-month time limit for responding.

5. Can We Contact a Data Subject to Clarify Their Request?

Yes, a controller may contact the data subject about their DSR. For example, if a data subject makes a general access request, the controller may ask them if they are seeking any type of information in particular. However, the controller should bear in mind that the data subject is under no obligation to narrow their request, and the one-month time limit still progresses during the clarification process.

6. Can We Charge a Fee for a Data Subject Request?

Generally, you may not charge a fee for responding to a data subject request. There are two exceptions to this rule:

  • If the request is manifestly unfounded or excessive
  • If the data subject requests more copies of their data following a request

If one of these exceptions applies, the controller may charge a reasonable fee related to their own cost of responding to the request.

7. Do We Need a Data Protection Officer to Handle Requests?

A data protection officer (DPO) monitors their organization’s privacy compliance, and should be the point person for handling data subject requests. However, not all organizations under the GDPR’s jurisdiction are required to have a DPO. A DPO must be appointed if any of these three factors apply:

  • The processing is carried out by a public authority or body
  • The core activities of the controller or the processor consist of processing operations which require regular and systematic monitoring of data subjects on a large scale
  • The core activities of the controller or the processor consist of processing on a large scale of special categories of data and personal data relating to criminal convictions and offenses

Even if you are not required to appoint a DPO, it is still a good practice to designate at least one person to oversee your organization’s privacy efforts.

Disclaimer: This content is provided for general informational purposes only and does not constitute legal or other professional advice. Without limiting the foregoing, the content may not reflect recent developments in the law, may not be complete, and may not be accurate or relevant in an applicable jurisdiction. This content is not a substitute for obtaining legal advice from a qualified licensed attorney in the applicable jurisdiction. The content is general in nature and may not pertain to specific circumstances, so it should not be used to act or refrain from acting based on it without first obtaining advice from professional counsel qualified in the applicable subject matter and jurisdictions.
