What is a Data Subject Rights Request?

The GDPR provides individuals with a number of rights in relation to how their personal data is collected and processed by organisations. The GDPR does not require individuals to take specified action to make a request; requests could be made by email, verbally, by filling in a form etc. and so it is vital staff are aware of what rights individuals have and what to do if they receive a request.

Under GDPR individuals have the right to:

  • be informed of what personal data an organisation collects and uses
  • access and receive a copy of the personal data which an organisation holds on them
  • have inaccurate personal data rectified, or completed if it is incomplete
  • have their personal data erased
  • request the restriction or suppression of their personal data (limiting what an organisation can do with the data)
  • receive or have their personal data transferred to a third party in a structured, commonly used and machine-readable format
  • object to the processing of their personal data
  • not be subjected to a decision based solely on automated processing which produces legal or similar effects

If an organisation receives a data subject rights request from an individual, they must respond to the request without delay and at the latest within one calendar month. The information an organisation provides to individuals must be concise, transparent, intelligible, easily accessible, and it must use clear and plain language.

The key to responding to data subject rights requests in an effective, timely way is to have a clear procedure which staff can follow and to train those involved in responding so that they know what to do as soon as a request is received. The procedure should deal with the response itself and other relevant issues such as identifying the requestor, clarifying a request and extending time limits where this is relevant.

The rights are not absolute. Some are only triggered in certain circumstances and in some limited circumstances you can refuse to comply with a request; again, an established procedure will help staff to consider whether the right is triggered and whether the organisation must comply with the request or not.

If you would like more information on the rights an individual has or need support responding to data subject rights requests, then please contact us here.



Don't just take our word for it