GDPR Data Subject Requests
A Data Subject Request is any request made by a customer, employee, supplier or anyone else whose personal data you process. GDPR calls those parties Data Subjects, and those data subjects have rights. In summary, people have the right to request:
- access to their personal data
- rectification of their personal data
- restriction of the processing of their personal data
- erasure of their personal data
- and a few more… read all about data subjects' rights here.
As a general rule, you should always answer a data subject request with the shortest possible delay. Therefore, we advise you to acknowledge receipt of the request as soon as possible, and definitely within one month. Use the many templates GDPRWise has listed here in its knowledge base to make sure you respond correctly. Once you have acknowledged receipt of the request, you can go through the actual execution of the request.
It is important to note that the GDPR does state that when data subject requests are manifestly unfounded, excessive or repetitive, you can either charge ‘a reasonable fee’ or reject them. Here are some examples to help clarify these terms:
GDPR Data Subject Requests summary
It’s important to note that while organisations may be allowed to charge a fee or reject requests that are deemed to be manifestly unfounded, excessive, or repetitive, they should always consider each request on a case-by-case basis and provide a justification for their decision. In other words, it is not permitted to have a blanket policy for determining the acceptability of requests; you must consider each request separately.
In short, these exceptions should be used with caution. The GDPR doesn’t give specific definitions or examples of what counts as manifestly unfounded, excessive or repetitive, and you should be able to justify your decision. Ideally, organisations should also ensure that they have appropriate policies and procedures in place for handling such requests, including how to determine when a request is manifestly unfounded, excessive, or repetitive.
If you struggle with GDPR, make sure to check our GDPR Knowledge Base and how to get started.
Ignoring GDPR is a risky strategy for your company, and although compliance does require some effort, there are many benefits as well. Check out our knowledge base item on common objections to GDPR and how to think about those differently here. Sign up for GDPRWise right now and take advantage of the GDPR.