Data Subject Requests


Topics Covered

This subject covers the following topics:

  • understanding the data subject request, and your organisation’s obligation to respond;

  • reviewing an example data subject request; and

  • understanding data subject rights.

Example of a Data Subject Request from a Former Customer

Here’s a condensed example of a data subject request, with parts written by Constantine Karbaliotis, Director of Managed Privacy Services at PricewaterhouseCoopers. How would you respond to this type of query?

Dear Acme,

As a former customer, I am writing to you in your capacity as the data protection officer. Please receive this request to access my personal data pursuant to Article 15 of the GDPR. To be straightforward, the data protection practices at your company may be exposing my personal information to undue risk; in fact, from my observation while being onsite, the lack of sufficient safeguards has compromised your obligation to protect my personal information.

Accordingly, I am initiating this Data Subject Access Request and am including documentation necessary to verify my identity. Please be aware that I anticipate a reply to my request within one month as required under Article 12, failing which I will be forwarding my inquiry with a letter of complaint to the appropriate supervisory authority.

  • Personal Data Discovery. Please confirm to me whether or not my personal data is being processed. If it is, please provide me with the categories of personal data you have about me in your files and databases.

    1. In particular, please tell me what you know about me in your information systems, whether or not contained in databases, and including e-mail, documents on your networks, or voice or other media that you may store.

    2. Additionally, please advise me in which countries my personal data is stored, or accessible from. In case you make use of cloud services to store or process my data, please include the countries in which the servers are located where my data are or were (in the past 12 months) stored.

    3. Please provide me with a copy of, or access to, my personal data that you have or are processing.

  • Personal Data Disclosure. Please provide me with a detailed accounting of the specific uses that you have made, are making, or will be making of my personal data.

  • Third Parties. Please provide a list of all third parties with whom you have shared my personal data.

    1. If you cannot identify with certainty the specific third parties to whom you have disclosed my personal data, please provide a list of third parties to whom you may have disclosed my personal data.

    2. Please also identify which jurisdictions that you have identified in 1(b) above that these third parties with whom you have or may have shared my personal data, from which these third parties have stored or can access my personal data. Please also provide insight in the legal grounds for transferring my personal data to these jurisdictions. Where you have done so, or are doing so, on the basis of appropriate safeguards, please provide a copy.

    3. Additionally, I would like to know what safeguards have been put in place in relation to these third parties that you have identified in relation to the transfer of my personal data.

  • Data Retention Policy. Please advise how long you store my personal data, and if retention is based upon the category of personal data, please identify how long each category is retained.

  • Sources of PII. If you are additionally collecting personal data about me from any source other than me, please provide me with all information about that source, as referred to in Article 14 of the GDPR.

  • Automated Decisions. If you are making automated decisions about me, including profiling, whether or not on the basis of Article 22 of the GDPR, please provide me with information concerning the basis for the logic in making such automated decisions, and the significance and consequences of such processing.

  • Data Breaches. I would like to know whether or not my personal data has been disclosed inadvertently by your company in the past, or as a result of a security or privacy breach.

    1. If so, please advise as to the following details of each and any such breach:
    ○  a general description of what occurred;
    ○  the date and time of the breach (or the best possible estimate);
    ○  the date and time the breach was discovered;
    ○  the source of the breach (either your own organisation, or a third party to whom you have transferred my personal data);
    ○  details of my personal data that was disclosed;
    ○  your company’s assessment of the risk of harm to myself, as a result of the breach;
    ○  a description of the measures taken or that will be taken to prevent further unauthorized access to my personal data;
    ○  contact information so that I can obtain more information and assistance in relation to such a breach, and
    information and advice on what I can do to protect myself against any harms, including identity theft and fraud.

    2. If you are not able to state with any certainty whether such an exposure has taken place, through the use of appropriate technologies, please advise what mitigating steps you have taken, such as:
    ○  Encryption of my personal data;
    ○  Data minimization strategies; or,
    ○  Anonymization or pseudonymization;
    ○  Any other means.

I am looking forward to your reply in thirty days or earlier as required under Article 12.

Sincerely, your former customer.

While this is one type of data subject request, more lengthy detailed requests are possible to receive. This section aims to provide guidance so that Data Subject Request policies and procedures are written in advance, and that information is organised in a way that makes it possible to respond accurately and confidently when these requests appear.

So could you handle a Data Subject Request like the one above?

Understanding Data Subjects and Their Rights

Your business collects and utilises data that is regulated by various laws around the world, including personal data regarding prospective customers, active customers, past customers, employees and contractors. All-of-the-above are “data subjects” according to data protection nomenclature. While the data protection rights may vary by territory (for example, the rights of data subjects in California compared to Brazil compared to Switzerland compared to the EEA, etc.), there are similarities between them all. Since the EU’s GDPR provides an excellent and recent benchmark for data subject rights, we will use that as our example.

The Rights of a Data Subject Request Inquirer

The following rights are guaranteed to data subjects, and your business must be prepared to respond timely when it receives a data subject request.

  • Right to access personal data (Article 15).

  • Right to rectification (Article 16).

  • Right to erasure (Article 17).

  • Right to restrict data processing (Article 18).

  • Right to be notified (Article 19).

  • Right to data portability (Article 20).

  • Right to object (Article 21).

  • Right to reject automated decision-making (Article 22).

You may receive a request from a customer, employee, etc. asking questions to any area above, including:

  • Can I see a copy of all the data you have about me?

  • I’d like to change information that I believe is inaccurate.

  • I’d like to request to have aspects of my data erased.

  • Please stop processing messages using MailChimp, etc.

  • I’d like a copy of my data in a compatible, portable manner I can use.

  • I’d like to object to the type of processing you are performing.

The following provides more information about the rights of data subject that your business may encounter.

Article 15: Right to Access Personal Data

Your business customers, past and present, have the right to access the data collected on them by a data controller; your business is termed the data controller. You have thirty days to respect to the request per Article 15.

Article 16: Right to Rectification

Your business customers have the right to request modification of data under warranted situation, such as to correct errors and to update incomplete information.

Article 17: Right to Erasure

Also referred to as the right to be forgotten, the right to erasure empowers your business customers to prohibit the processing of their data and request their personal data be erased.

Article 18: Right to Restrict Data Processing

Your business customers, under specific conditions, can direct that all processing of their personal data be stopped. After all, it’s their data.

Article 19: Right to be Notified

Your business customers must be informed about how their information is being used; the information must be stated clearly and transparently. Your business customers must be informed about any rectification or erasure of their information per articles 16, 17, and 18.

Article 20: Right to Data Portability

When requested, you must permit your business customers to obtain and reuse their personal data for their own purposes across different services. This will allow them to move, copy or transfer personal data easily from one system to another without affecting its usability.

Article 21: Right to Object

When your business customers prohibits their data from being processed, and you as the data controller reject this directive, the data subject has the right to further object per Article 18.

Article 22: Right to Reject to Automated Decision-Making

Your business customers have the right to refuse to permit their data to be subject to automated processing in order to make decisions about them if that significantly affects the data subject or produces legal results. This is also referred to as profiling.

A Brief Recap Before You Leave

  • A data subject is someone who you have collected data from (customers, contractors, employees, etc.).
  • Data subjects have rights that allow them to submit a request that must be timely fulfilled.
  • A data subject request (DSR) needs to be something you're ready to receive. You need to be able to respond timely (within 30 days), accurately, and confidently. That's why it's important to develop procedures and policies in advance.
  • Data protection rights may vary by territory, though different laws are still compatible.



    We know there was a lot of information mentioned above. If you would like assistance with what you've read and want to put it into practice, feel free to contact us and we can discuss further details.

    Person Waving.png