GDPR Data Subject Requests
A Data Subject Request is any request by a customer, employee, supplier or anyone else you process personal data on or for. GDPR calls those parties Data Subjects and those data subjects have rights. In summary people have the right to request:
- access to their personal data
- rectification of their personal data
- restriction of the processing of their personal data;
- erasure of their personal data
- and a few more… read all about data subjects rights here.
As a general rule, you should always answer a data subject request within the shortest possible delay. We advise you to acknowledge the receipt of the request as soon as possible, and definitely within one month. Use the many templates GDPRWise has listed here in its knowledge base to make sure you respond correctly. Once you have acknowledged the receipt of the request, you can then subsequently go through the actual execution of the request.
Important to note is that the GDPR regulation does state that when the GDPR data subject requests are manifestly unfounded, excessive or repetitive you can either charge ‘a reasonable fee’ or reject it. Here are some examples to help clarify these terms:
- A manifestly unfounded request might be one that has no clear justification or purpose, or is clearly frivolous or vexatious. A request may be manifestly unfounded if the person clearly has no intention to exercise their right or if the request is malicious in intent. They may also use the request to harass an organisation, with no real purpose other than to cause disruption. The term ‘manifestly’ indicates that organisations should provide evidence which demonstrates why the request is unfounded.
- An excessive request might be one that goes beyond what is reasonably necessary to fulfill the data subject’s request. For example, if a data subject requests all of the personal data a company holds about them but provides no specific details about the data they are looking for, and the company has a large amount of data about the individual, then fulfilling such a request could be considered excessive.
- A repetitive request might be one that is made repeatedly by the same data subject. For instance, if an individual repeatedly requests access to their personal data, despite having already received it, this could be considered a repetitive request.
It’s important to note that while organizations may be allowed to charge a fee or reject requests that are deemed to be manifestly unfounded, excessive, or repetitive, they should always consider each request on a case-by-case basis and provide a justification for their decision. In other words it is not permitted to have a blanket policy for determining the acceptability of requests, you must consider each request separately.
In short these exceptions should be used with caution. GDPR Data Subject Request doesn’t give specific definitions or examples of what counts as manifestly unfounded, excessive or repetitive, and you should be able to justify your request. Ideally organizations should also ensure that they have appropriate policies and procedures in place for handling such requests, including how to determine when a request is manifestly unfounded, excessive, or repetitive.
If you struggle with GDPR, make sure to check our GDPR Knowledge Base and how to get started
Ignoring GDPR is a risky strategy for your company and although it does require some effort there are many benefits as well. Check out our knowledge base item on common objections to GDPR and how to think about those differently here. Sign up for GDPRWise right now and take advantage of the GDPR.