What is a Data Subject Request?

Under the GDPR, people have the right to know what information your organization holds about them. This right can be exerted through a data subject request. But how does your organization handle them? Here we’ll give you the run-down of how it works.
Table of Contents

Companies and organizations collect and process increasing amounts of data. Especially about people. 

In your data inventory, you’ll most likely find data on former employees, customers, leads, or other people who are – or have been – registered in your database at some point.

One of the things that the GDPR set out to do, was to grant EU citizens increased control over their data. Under the GDPR, individuals have the right to know what information your organization holds about them.

That means people have the right to submit a data subject request to your organization.

But what is a data subject request really?

What is a data subject request?

The GDPR grants EU citizens 8 data subject rights – one of those being the right of access. This allows any individual (the data subject) to get access to whatever data any given organization holds about them.

The right of access is not a wholly new concept, but the GDPR has widened the scope of this right. The GDPR has made it easier for people to submit data subject requests and imposed new mandatory categories of information that organizations are obligated to provide.

When your organization is addressed with a data subject request you are obligated to provide a copy of all the personal data you store on the data subject including:

  • What data your organization holds about them.
  • Why your organization holds this information.
  • How the information is used.
  • Which third parties the data is shared with.
  • Categories of data.
  • Sources of data.
  • Data retention period.
  • Information about their GDPR rights.

Can anyone submit a data subject request?

Pretty much.

Anyone whose data is held by an organization can submit a data subject request. You don’t even have to provide any specific reason for submitting your request.

Even though anyone can submit a data subject request at any time, there are instances where organizations can refuse to comply with the request:

  • The request is unfounded.
  • The request is too excessive.

How does a person submit a data subject request?

A data subject request can be submitted in writing or verbally, through any channel, to any person inside an organization. No formal paperwork or lawyers required.

A data subject request doesn’t even have to be addressed as such or mention GDPR specifically.

For this reason, organizations must familiarize themselves with data subject rights, so they can recognize data subject requests and take appropriate action.

How should you respond to a data subject request?

Upon receiving a data subject request, you should verify the identity of the individual who requests access.

According to Recital 64 of the GDPR, you should use “all reasonable measures” to verify the identity of the data subject.

What does this mean in plain English?

Well, it means that you should be mindful of the information you request to identify the data subject. Don’t ask for more than what is reasonably necessary for you to verify the identity of the individual.

For example, don’t ask for formal identification documents. Instead, you could verify the data subject’s identity via email or photo identification.

Is there a deadline for responding to data subject requests?


Upon receiving the data subject request, your organization is required to respond within one month.

There are instances where the deadline can be extended. The deadline may be extended by two months if:

  • The request is complex.
  • The individual has submitted several requests to the organization.

If you do choose to extend the deadline, you should always notify the individual within the initial one-month deadline.

Can we choose not to respond?

Of course. But that would probably be ill-advised.

And in most cases, you should expect a visit from local data protection authorities.

As we mentioned above, certain exemptions can be applied to complying with a data subject request.

If you do decide not to comply, it is in your best interest to make sure that the exemptions apply to the case at hand and that you can defend the decision to the data protection authorities.

Furthermore, you are obligated to notify the individual of your reasons for refusing to comply and inform them of their rights to file a complaint to the data protection authorities.

Should you worry about data subject requests?

That depends.

Data subject requests are very common. It is the request that organizations receive most frequently. If you’re betting on not having one addressed to your organization, you should probably reconsider.

But as long as you comply with – or appropriately dismiss – data subject requests, you have nothing to worry about.

What you should worry about, or at least consider, is whether or not your compliance program is geared towards handling data subject requests efficiently.

Data subject requests can technically be submitted in any form of communication. E-mail, over the phone, by letter, through social media, verbally, or through a form on a website.

That’s a lot of channels to keep track of.

And when the requests come in, who responds to them?

No matter who’s in charge of compliance, data subject requests need to be brought to attention.

That leaves a lot of room for human error.

Maybe the person receiving a data subject request doesn’t recognize it, they might forget to notify the correct employee or maybe it just falls through the cracks.

Not ideal.

Even when requests are handled correctly, responding to data subject requests can take up a lot of time. Especially if you don’t have a clear overview of your data inventory.

How do you solve these issues?

One word: automation.

By investing in a tool that automates your compliance program, you can manage data subject requests more efficiently and decrease the risk of requests being overlooked or ignored.

That way you can spend less time managing data subject requests while you stay compliant and transparent.

Where might I find such a tool?

Right here at Cookie Information.

With Data Subject Request by Cookie Information, you can easily manage all your incoming access requests.

No more lost or overlooked requests, as the software notifies you when you receive a new data subject request. The interface gives you a clear overview of all data subject requests.

All in one place!

Let Cookie Information take care of all the hard work of finding the personal data of the data subject.

Our software automatically responds to incoming requests and shares the list of identified data with the data subject.

Data Subject Request

Respond to a Data Subject Request within the required 1-month period without going through thousands of files and folders yourself. Automate your DSR processes.