Compliance with Data Subject Request – Template
When you receive any data subject request, it is VERY IMPORTANT to make sure you know who the request comes from. If there is any doubt that the request comes from the right person, you need to verify the identity of the person on the other end of the conversation. Only once you are satisfied about the identity should you carry out the request.
If the request arrives from the email address your records already hold as that person's usual address, you can generally treat the request as valid. The same applies if you have a website or application where the user logs in to submit the request: an authenticated session is good evidence of identity. But what if the request comes by letter, from an unknown email address or even verbally?
In that case, you cannot simply refuse to comply with the request, but you must make a reasonable effort to confirm the identity. There are no exact rules about how to do this, but we can give you some tips.
We start with the most important tip: do not ask for a copy of the identity card! It is often thought that the best way to verify identity is a copy of the ID card. Various data protection authorities have already ruled that requesting a copy of the ID card collects far more personal data than the check needs and goes too far, and several of them have handed out serious fines for it. So really try to avoid this.
What can you do?
- If you have a personal phone number on file, call the person and ask whether the request is actually from them.
- Email a confirmation link or code to the usual email address. If the requester clicks the link or sends the code back, you have your confirmation.
- Make an appointment in person or via online video call so you can see who is making the request.
- Send a letter by regular mail to the person's home address and ask them to email or call you. That letter should contain a code that the caller must repeat.
- Confirm the identity with information that only the person in question can know, such as the answer to a secret question they set up earlier. Keep in mind that answers which can be guessed or found on social media are weak evidence, so use this on its own only for low-risk requests.
As mentioned, there are no hard and fast rules, but always ask yourself whether the way you verify is appropriate and is not going too far.
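The email-code and letter-code options above both come down to the same mechanism: you send a random code through a channel you already trust for that person and wait for them to repeat it back. The following is an added example of how to implement that step safely; it is not code from the original page or from GDPRWise. It assumes an in-memory store, a request identifier such as `DSR-0001`, a 24-hour lifetime for an emailed code and 14 days for a posted one, and a limit of five guesses; all of those values are assumptions you should adapt to your own procedure.

```python
"""Out-of-band verification code for a data subject request (added example).

Assumed policy: the code is sent via the email address or postal address
already on file, only a hash of it is stored, it expires, it can be used once,
and guessing is capped. Request ids, lifetimes and the attempt limit are
illustrative assumptions, not values from the original page.
"""
import hashlib
import hmac
import secrets
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone

# Assumed lifetimes: an emailed code is short-lived, a letter needs time to arrive.
TTL = {"email": timedelta(hours=24), "letter": timedelta(days=14)}
MAX_ATTEMPTS = 5  # assumed guess budget per code
# No 0/O or 1/I so the code can be read back over the phone without confusion.
ALPHABET = "ABCDEFGHJKLMNPQRSTUVWXYZ23456789"
CODE_LENGTH = 8


@dataclass
class PendingVerification:
    code_hash: bytes        # only the hash is kept; the clear-text code is never stored
    expires_at: datetime
    attempts: int = 0
    used: bool = False


def _hash_code(request_id: str, code: str) -> bytes:
    # Bind the hash to the request id so a code that leaks from one request
    # cannot be replayed against another one.
    return hashlib.sha256(f"{request_id}:{code.upper()}".encode()).digest()


def generate_code(length: int = CODE_LENGTH) -> str:
    """Cryptographically random, human-readable code."""
    return "".join(secrets.choice(ALPHABET) for _ in range(length))


def issue_code(store: dict, request_id: str, channel: str, now: datetime) -> str:
    """Create a single-use code for request_id; the caller sends it out of band."""
    if channel not in TTL:
        raise ValueError(f"unsupported channel: {channel}")
    code = generate_code()
    store[request_id] = PendingVerification(
        code_hash=_hash_code(request_id, code),
        expires_at=now + TTL[channel],
    )
    return code


def verify_code(store: dict, request_id: str, presented: str, now: datetime) -> bool:
    """True exactly once for the right code, inside its lifetime and attempt budget."""
    pending = store.get(request_id)
    if pending is None or pending.used:
        return False
    if now > pending.expires_at or pending.attempts >= MAX_ATTEMPTS:
        return False
    pending.attempts += 1  # every guess counts, right or wrong
    candidate = _hash_code(request_id, presented.strip())
    # Constant-time comparison so timing does not leak how many bytes matched.
    if not hmac.compare_digest(candidate, pending.code_hash):
        return False
    pending.used = True
    return True


def demo() -> dict:
    """Walk through the happy path and the failure modes with constructed data."""
    store: dict = {}
    t0 = datetime(2024, 1, 1, 9, 0, tzinfo=timezone.utc)

    code = issue_code(store, "DSR-0001", "email", t0)
    results = {
        # "00000000" cannot be a valid code: '0' is not in ALPHABET.
        "wrong_code": verify_code(store, "DSR-0001", "00000000", t0),
        # Case and surrounding whitespace from a phone call or reply are tolerated.
        "right_code": verify_code(store, "DSR-0001", f" {code.lower()} ", t0 + timedelta(hours=1)),
        "replay": verify_code(store, "DSR-0001", code, t0 + timedelta(hours=2)),
    }

    letter = issue_code(store, "DSR-0002", "letter", t0)
    results["expired_letter"] = verify_code(store, "DSR-0002", letter, t0 + timedelta(days=15))

    locked = issue_code(store, "DSR-0003", "email", t0)
    for _ in range(MAX_ATTEMPTS):
        verify_code(store, "DSR-0003", "00000000", t0)
    results["locked_out"] = verify_code(store, "DSR-0003", locked, t0)
    return results


if __name__ == "__main__":
    print(demo())
```

Only the hash of the code is stored, so a copy of the store does not hand out usable codes; the request id is mixed into the hash so one code cannot be replayed against another request; and the attempt counter is incremented before the comparison, so an attacker who guesses from the moment the code is issued gets at most `MAX_ATTEMPTS` tries.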
Once you have selected the most appropriate way of confirming the identity of the requester, you can adapt the template below to respond to them.
Free GDPR Template – text example as a first response
We have received your request concerning your personal data. We thank you for reaching out to us. This helps us to keep our company in line with GDPR.
We need to make absolutely sure that you sent this request to us. We do not want to risk giving your data to someone else or compromising your data in any way.
If you have not personally made a request concerning your data, please let us know.
Should you have personally made the request, we need to verify your identity.
[INSERT HERE YOUR IDENTITY VERIFICATION METHOD]
We will then process your request as soon as we have confirmed your identity.
The GDPRWise App – our GDPR compliance software solution
A listing of processing activities for more than 30 sectors is available; the hard work has been done for you, and you only need to refine and validate it where needed.
As a GDPR Software Provider we strive to provide simple and effective compliance solutions in the GDPR domain.