Data subject requests under the GDPR. Why is it essential to respond to them correctly and on time?

According to the GDPR – General Data Protection Regulation – residents of the European Union (“EU”) can send requests regarding their data to all legal and natural persons who process it. Those requests most often relate to the right of access, i.e. obtaining a copy of personal data and specific information about the nature of its processing, such as the length of time it is stored.

Other common types of requests include the right to have information deleted or corrected if it is inaccurate. The complete list of rights under the GDPR that EU residents can exercise includes the following:

• the right of access;
• the right to rectification;
• the right to erasure (“the right to be forgotten”);
• the right to restrict processing;
• the right to data portability;
• the right to object;
• the right not to be subject to a decision based solely on automated processing.

If you process data from EU residents, you must understand the types of requests you may receive from data subjects and how to respond to them. In general, you should consider the following when responding to requests from data subjects:

• the request may be submitted in any form (e-mail, written, oral) and by any means;
• the response to the request should be concise, transparent and easily accessible, clear and understandable – in other words, no bureaucratic language or style should be used in the communication;
• as a general rule, a response must be provided promptly and within one month from the date of receiving the request (however, in cases where multiple requests are received or the requests are complex, the response time may be extended for an additional two months);
• in the event of a delay in responding to a request, it is necessary to report the existence of the delay and its reasons within one month from receiving the request;
• if you do not fulfill the requested action (for instance, due to exceptions under the GDPR), it is essential to provide the reasons for not taking action within one month of receiving the request;
• generally, responses or taking any necessary actions should be provided free of charge unless the requests are deemed unjustified or excessive.

Failure to comply with these requirements may lead to a complaint being made against you with a supervisory authority. Such complaints can result in financial penalties and damage to the reputation. However, achieving full GDPR compliance in practice may be more challenging than anticipated, as requests can be misplaced, sent to incorrect email addresses, or other processing issues may arise.

Below we provide examples of decisions by the Italian supervisory authority concerning inappropriate responses to requests from data subjects, which resulted in fines being imposed on data controllers. They show what you may encounter in practice when dealing with requests and how to avoid penalties.

Delay in processing a data subject’s request due to an error

For example, the Italian supervisory authority fined a postal operator ten thousand euros for responding to a request after the deadline and without explaining the reasons for the delay – not within one month, as generally required by the GDPR, but just over three months later.

The cause of the delay was due to an error made by the operator responsible for processing the request. The operator mistakenly entered an incorrect processing time and failed to request the additional information needed to process the request. Unfortunately, it took three months for the post office to recognise the delay and accept the application for processing. It was too late when the necessary information was requested and provided to the applicant, as a complaint had already been lodged with the supervisory authority.

Even though the delay was caused by a simple mistake, the supervisory authority found that there had been a violation of the response deadlines and a failure to provide notification of the delay. As a result, a fine was imposed.

It is, therefore, essential to recognise that negligence can lead to cases being investigated by the supervisory authorities. To ensure accurate and error-free responses to data subject requests, the data controller must maintain a well-trained support team aware of response deadlines. In addition, keeping an up-to-date register of requests from data subjects, carefully recording essential details such as the date of receipt, its content, response time, etc., and carrying out regular checks can help prevent such situations.

The decision, in Italian, is available on the DPA website.

Ignoring a person’s request that is not sent to the company’s official mail or head office

In another case, the Italian supervisory authority fined a company for ignoring an individual’s request to delete their data. The individual had submitted a request to the department of the organization where they had volunteered to resign and have their personal data deleted. Although the company acknowledged the individual’s resignation from the organization in a letter sent a month later, it failed to act on the request to delete the data. As a result, a complaint was lodged with a supervisory authority.

Following intervention by the supervisory authority, the company eventually clarified that the retention of the individual’s data after their departure was deemed necessary to meet the organization’s financial and accounting obligations. In response to the complaint, the company argued that the individual had been properly informed of the data deletion deadlines during the initial recruitment process. The company also denied that the request was reasonable because it was not:

• addressed to the data controller/Data Protection Officer (“DPO”), but to the management of the organization from which the individual was leaving;
• sent to the designated email address but was delivered in person to an off-site location of the company.

However, the supervisory authority acknowledged that the company had received the request and was fully aware of it, as evidenced by its response to the applicant’s dismissal. Therefore, the company failed to give due consideration to the request to delete the data. As a result, it was fined ten thousand euros.

This case highlights the importance of understanding that it is not enough to inform an individual of the data deletion schedule at the beginning of the relationship. Once a request is received, it is imperative to respond promptly and appropriately, regardless of any prior information provided to the applicant.

Furthermore, it is essential to note that the GDPR does not provide a specific request format or instructions for where it should be submitted. In other words, requests can take different forms (electronic, written or even oral). They can be filed through various channels, such as the designated email address, support service, and central or peripheral units of an organization. All such requests must be processed and responded to accordingly.

The decision in Italian is available on the supervisory authority’s website.

 Receiving notifications after deletion of personal data

In the third case, the data subject asked the organization to delete their personal data. They were sent two formal responses confirming that the data had been deleted. However, despite this confirmation, the applicant continued to receive SMS messages from the company about its vacancies.

In response, the company stated that the requests had been sent to the wrong email address, namely an employee’s email address rather than the organization’s, and therefore the data was not deleted by mistake.

After carefully considering the case, the supervisory authority pointed out that the request had indeed been sent to the employee’s email address and that the requester had received two replies from that particular email. The authority emphasized that an avoidable mistake cannot be used as a valid excuse to dodge liability.

In line with previous cases, the company was fined ten thousand euros for failing to respond to the request and for processing data without a valid legal basis after receiving the request.

Therefore, when a request to delete data is received, it is crucial to ensure that the information is not only removed from the company’s records but also from any mailing list. If the individual continues to receive emails after the data has been deleted, this will constitute a breach of the GDPR.

The decision in Italian is available on the supervisory authority’s website.

To avoid mistakes and potential fines when managing GDPR requests, it is essential to have a comprehensive understanding of the GDPR requirements. Equally important is having a well-trained team that can effectively respond to data subject requests, or direct them to the appropriate department. Developing the necessary documentation, such as a procedure for responding to requests and maintaining a designated register, is also crucial. Having a specialized person, such as a DPO, to deal with these matters can therefore be very beneficial.

At Legal IT Group we offer a range of services to assist you with processing data subject requests –  from training your team to providing DPO services.