Data Subject Request and the GDPR – the ultimate short guide

Blog
Oliver Fich
Do you know what to do the day your company receives a Data Subject Request? Do you have a reliable process for responding within the 1-month deadline? Avoid GDPR headaches and use this Ultimate Short Guide to solving a Data Subject Request.
Table of Contents

The clock starts ticking the moment the Data Subject Request hits your inbox.

1 month. Tick tock.

Within that time frame, you must respond to a person’s request for his or her data.

Access, deletion, modification, or any other of the rights given to the person about personal data under the GDPR.

What do you do? Where do you start? Seems hopeless? It’s not.

Let’s look at what a Data Subject Request is, and how you respond to it within 1 month.

Do you want to avoid GDPR fines and bad PR? Then this is your guide.

What is a Data Subject Request under the GDPR?

A Data Subject Request is a request made by a person to a business or organization (like you!) asking for information about them that has been processed, such as personal data.

In more formal terms, it’s a request from a data subject to a data controller about personal data held by the controller or a third party.

Who’s who – definitions under the GDPR:

  • Data subject – any person who can be identified using personal data.
  • Data controller – anyone who decides when, why, and how to process a subject’s personal data.
  • Personal data – any information that can identify a person (or combined with other data) can be used to identify a person.

Your business is typically the Data Controller.

You collect, hold, and may also use the data for some purpose.

The data subject can be anyone, for example:

  • Your customers, prospects, or leads.
  • Business partners and collaborators.
  • Current or past employees.
  • Users of your website or app.
  • Anyone who your business processes data about.

Personal data can refer to any data of a person that your business holds, that can lead to the identification of the person.

From the obvious:

  • Name
  • Phone number
  • Address
  • Social security number
  • Images

To more sensitive personal information:

  • Health records
  • Religious views
  • Sexual orientation
  • Political viewpoints

To the more abstract:

  • IP address
  • Device ID
  • Cookie ID
  • Geolocation
  • Profiling data

Now, the General Data Protection Regulation (GDPR) is set to give EU citizens control over their personal data.

That means, a person can request access to his or her data (data subject access request), have it modified, or be forgotten.

Let’s look at what rights every EU citizen has when it comes to the data you may hold about them.

8 data subject rights your business must be able to meet

The General Data Protection Regulation (GDPR) grants citizens 8 data subject rights which allows them to get access to, modify, and delete personal data that your business holds about them.

Now, your client, partner or ex-employee, can all come to you and ask you to do something specific with their personal data. And they have this right protected under the GDPR.

Let’s take a closer look at the 8 data subject rights your business must be able to meet.

People are given 8 data subject rights in the GDPR

1. The right to be informed (article 13 – GDPR)

Anyone has the right to know what personal data your business collects about them:

  • What data do you store about them?
  • Why?
  • How long do you store the data?
  • Who do you share the data with?
  • How can they request access to it?

As the data controller, you must always be able to provide information on:

  • Your identity and contact details (as the controller).
  • The purposes of data processing.
  • The legal basis of data processing.
  • Information about third-party processors.
  • How long you store the data (retention period).
  • The data subject’s rights (under GDPR).
  • How to file a complaint.
  • Whether the provision of personal data is a statutory or contractual requirement.
  • The existence of automated decision-making, including profiling.

All this information must be clearly and plainly made available.

2. The right of access (article 15 - GDPR)

People have the right to access personal data that your business may hold about them.

When a person submits a Data Subject Access Request (DSAR) to your company, you are obligated to provide them with a copy of the personal data you have about them.

This includes:

  • What the purpose of data processing is.
  • What categories of data you process.
  • Who you share the data with (third parties/organizations)
  • How long you keep the data.
  • How the person may exercise his or her GDPR rights (right to erasure, rectification, etc.).
  • How the person files a complaint.
  • Wherefrom you got the data (source).
  • The existence of automated decision-making, including profiling.

3. The right of rectification (article 16 – GDPR)

The right to rectification simply means that any person has the right to ask your business to update any incorrect or missing information about them.

It’s important to be aware that you have one month to correct or update incorrect data.

4. The right to erasure/The right to be forgotten (article 17 – GDPR)

Any person has the right to be forgotten by your company. This is called the right to erasure. A person may ask your company for their personal data to be deleted if:

  • There is no longer a necessary purpose for you to keep the data.
  • The person withdraws his or her consent.
  • Data has been unlawfully processed.
  • The person objects to processing.
  • The personal data must be erased to comply with EU or national law.

The right only applies to data collected at the time of the request.

Can you reject a Data Subject Request for the right to erasure?

Yes, if processing is necessary:

  • To practice freedom of expression.
  • To comply with a legal obligation.
  • For reasons of public interest or official authority.
  • For reasons of archiving public interest, scientific research, statistical purposes, or historical purposes.
  • Establishment, exercise, or defense of legal claims.

That means you must comply with a Data Subject Request for deletion of data unless you can prove that the request falls under these circumstances.

5. The right to restrict processing (article 18 - GDPR)

Any individual can request that you limit the way you use or process his or her data. You are not obligated to delete the data, but simply to stop processing it.

When the data is restricted, you cannot process it any further unless the person consents to let you process it again.

6. The right to data portability (article 20 – GDPR)

Data portability simply means that a person has the right to have his or her data provided by the controller (you) in a structured, machine-readable format, that can be transferred to another data controller.

The right only applies to data that:

  • Is held electronically
  • Has been provided to you by the person.
  • Has been given with consent.

It can also be:

  • Website data or search history.
  • Traffic and location data.
  • Raw data from smart meters/wearables (e.g., fitness apps).

7. The right to object to processing (article 21 - GDPR)

People always have the right to object to processing personal data. This allows people to stop or prevent you from processing their personal data.

This also includes data processing for:

  • Public interest.
  • An exercise of official authority.
  • Legitimate interest.
  • Direct marketing.

What is personal data when used for direct marketing purposes?

A person can also object to the processing of their personal data for the use of direct marketing.

This includes any data used for profiling.

It does not mean you have to erase the data, but simply, to stop processing it.

8. The right in relation to automated decision-making and profiling (article 21 – GDPR)

Any person has the right to object to automated decision-making and profiling.

Automated individual decision-making refers to decisions made by computers (automated) without any human involvement.

This can be (but not limited to):

  • Automated decisions about loans.
  • Recruitment assessments.
  • Programmatic advertising.

Automated individual decision-making does not have to involve profiling, although it often will.

The right to object to automated decision-making only applies to data given with consent.

What information are you obligated to provide in a Data Subject Request?

It all depends on what type of request your data subject, I.e., the person requesting data is making.

First of all, you must confirm that you process their personal data.

Then take action according to which type of Data Subject Request, the person makes. 

If it is a Data Subject Access Request (DSAR), you are obligated to provide a copy of the person’s personal data.

This also includes:

  • The purpose of personal data processing.
  • Which third parties you are sharing data with.
  • The categories of personal data you process and hold about the person.
  • Where the data comes from (source).
  • How long you keep the data (retention period).
  • Information about automated decision-making and profiling.
  • Information about the person’s rights (GDPR).

For other types of Data Subject Requests, e.g., ‘object to processing’ or ‘to be forgotten’, make sure you find the person’s data and carry out the request.

How do you find personal data in your systems?

It can be a real hassle to find a person’s personal data in your systems.

The data can be scattered all over mail programs, HR platforms, payroll systems, your website, and other places the person may have interacted with.

Finding all that personal data yourself is time-consuming.

Social security numbers, addresses and phone numbers may be easy, but how can you identify a person among hundreds or thousands of photos in your databases?

That’s why you automate a Data Subject Request!

Yes, you let the computer automatically find the requested data. And display it in one central place.

Then you can sit back and be rest assured that you’ll meet the strict deadlines of responding to a request (1 month).

Cookie Information’s Data Subject Request automates any request you may receive about personal data.

Let’s look at an example:

Tiffany used to work at your company. Now she requests her data to be deleted. That is, all personal data your company has stored about her over the years. Social security number, payroll information, bank account details, phone number, images with Tiffany in them etc. Tiffany is simply exercising her right to be forgotten. 

You now have 1 month to comply with this request.

Instead of going through thousands of files, folders, old emails, and pictures from the company Christmas party, you let the machine handle the request. Automatically.

Cookie Information’s Data Subject Request handles the request, and finds Tiffany’s personal data within the systems you have integrated (Outlook, HubSpot, Teams, Gmail, etc.).

Her personal data is then displayed for you on the platform and you can now act upon it.

You meet Tiffany’s request to delete her data within the 1-month period. Job done.

Avoid GDPR fines and bad PR. Cookie Information handles your Data Subject Requests. Quickly, cost-efficiently, and securely.

Data Subject Request

Respond to a Data Subject Request within the required 1-month period without going through thousands of files and folders yourself. Automate your DSR processes.  

I want to know more

FAQ

  • What happens if I don’t respond to a Data Subject Request or are in violation of data subject rights?

Then the data subject can file a complaint with the national Data Protection Authority.

  • Who should respond to a Data Subject Request within my organization?

Depending on your organization’s size and structure, it is usually the job of the DPO (Data Protection Officer), a compliance manager or a representative from your legal department that will handle a Data Subject Request.

  • How long do I have to respond to a Data Subject Request?

According to article 12(3), the data controller (you) has 1 month to respond to and comply with a Data Subject Request.

The deadline may be extended by two months if the request is complex or your business has received multiple requests from the same person. The person making the request must be properly notified about the extension.

  • Can I charge a fee for responding to a Data Subject Request?

You may not charge a fee unless the request is:

  • Unfounded
  • Excessive

The fee in this case is intended to cover administrative costs and must never be made for profit.

  • Can I refuse a Data Subject Request?

Only under certain conditions can you refuse a Data Subject Request.

You must provide the data subject with a reason for refusing, how the person can complain to the Data Protection Authority and which legal actions he or she may take