GDPR Request: How to Handle Data Subject Rights Properly
Learn what a GDPR request is, the types of data subject requests you must handle, legal deadlines, and how to build a compliant response process.
A GDPR request is a formal exercise of an individual's data protection rights under the General Data Protection Regulation. When someone asks your organisation to provide a copy of their personal data, correct inaccurate records, or delete their information entirely, they are making a GDPR request. Handling these requests correctly is not optional. Failure to respond within legal deadlines can result in regulatory complaints, supervisory authority investigations, and fines of up to 20 million EUR or 4% of annual global turnover.
This guide walks through every type of GDPR request, the legal framework governing each one, response deadlines, and how to build a process that keeps your organisation compliant. This is educational content, not legal advice. Consult a qualified attorney for guidance specific to your situation.
What Is a GDPR Request?
A GDPR request, often called a Data Subject Access Request (DSAR) or data subject rights request, is any communication from an individual exercising one or more of the rights granted by Chapter III of the GDPR. These rights apply to any person whose personal data your organisation processes, regardless of whether they are a customer, employee, website visitor, or member of the public.
The GDPR does not require requests to follow a specific format. A GDPR request can arrive by email, through a web form, by post, in person, or even verbally. There is no requirement for the individual to cite specific articles of the GDPR or use particular language. If the intent is clear, the request is valid.
Organisations that process personal data of EU and EEA residents must have systems in place to receive, verify, process, and respond to GDPR requests within the deadlines set by the regulation. The one-month response deadline under Article 12(3) begins when the request is received, not when it is assigned to someone internally.
Types of GDPR Requests You Must Handle
The GDPR establishes eight distinct data subject rights. Each creates a corresponding type of request with its own requirements and exceptions.
Right of Access (Article 15)
The most common GDPR request type. The individual has the right to obtain confirmation of whether their personal data is being processed and, if so, a copy of that data along with supplementary information including:
- The purposes of processing
- The categories of personal data concerned
- The recipients or categories of recipients to whom data has been disclosed
- The envisaged retention period or the criteria used to determine it
- The existence of the right to request rectification, erasure, restriction, or to object
- The right to lodge a complaint with a supervisory authority
- Where data was not collected directly from the individual, the source of the data
- The existence of any automated decision-making, including profiling
The first copy must be provided free of charge. For additional copies, Article 15(3) allows a reasonable fee based on administrative costs.
Right to Rectification (Article 16)
Individuals can request the correction of inaccurate personal data or the completion of incomplete data. This request requires prompt action, and the organisation must inform any recipients to whom the data was disclosed about the rectification, unless doing so proves impossible or involves disproportionate effort (Article 19).
Right to Erasure (Article 17)
Commonly called the "right to be forgotten," this GDPR request type requires the organisation to delete personal data without undue delay when:
- The data is no longer necessary for its original purpose
- The individual withdraws consent and no other legal basis applies
- The individual objects to processing and no overriding legitimate grounds exist
- The data was processed unlawfully
- Erasure is required to comply with a legal obligation
- The data was collected in relation to the offer of information society services to a child
Important exceptions exist under Article 17(3). Erasure does not apply when processing is necessary for exercising freedom of expression, complying with a legal obligation, public health purposes, archiving in the public interest, or the establishment, exercise, or defence of legal claims.
Right to Restriction (Article 18)
Individuals can request that processing be restricted (effectively frozen) in four situations: when accuracy is contested, when processing is unlawful but the individual prefers restriction over erasure, when the organisation no longer needs the data but the individual requires it for legal claims, or when the individual has objected to processing pending verification of legitimate grounds.
Restricted data may only be stored. Any other processing requires the data subject's consent or must relate to legal claims, the protection of another person's rights, or important public interest.
Right to Data Portability (Article 20)
This GDPR request allows individuals to receive their personal data in a structured, commonly used, and machine-readable format (typically JSON or CSV). It applies only when processing is based on consent or contract and is carried out by automated means. The individual can also request that the data be transmitted directly to another controller where technically feasible.
Right to Object (Article 21)
Individuals can object to processing based on legitimate interest (Article 6(1)(f)) or public interest (Article 6(1)(e)) at any time. The organisation must stop processing unless it demonstrates compelling legitimate grounds that override the individual's interests. For direct marketing purposes, the right to object is absolute, with no grounds required and no exceptions.
Rights Related to Automated Decision-Making (Article 22)
Individuals have the right not to be subject to decisions based solely on automated processing, including profiling, that produce legal effects or similarly significant effects. Exceptions exist for contractual necessity, legal authorisation, or explicit consent, but even then the organisation must implement suitable safeguards including the right to human intervention.
Right to Information (Articles 13 and 14)
While technically a proactive obligation rather than a request-based right, individuals can demand the information that Articles 13 and 14 require. This includes the identity of the controller, processing purposes, legal basis, data retention periods, and information about international transfers.
GDPR Request Response Deadlines
Meeting the deadlines for GDPR requests is one of the most scrutinised compliance areas. Supervisory authorities consistently cite delayed responses as grounds for enforcement action.
The standard timeline under Article 12(3):
- One calendar month from receipt of the request for most GDPR request types
- Extension of up to two additional months when requests are complex or when the organisation receives a large number of requests from the same individual. The data subject must be informed of the extension and the reasons within the original one-month window.
- 72 hours is not a GDPR request deadline but applies to breach notification under Article 33. This is a common source of confusion.
The clock starts when the request is received by any part of the organisation. If an access request arrives at a general customer service email on a Friday, the deadline runs from that Friday, not from Monday when someone reads it, or from the following week when it reaches the privacy team.
If the organisation needs additional information to verify the requester's identity under Article 12(6), the deadline is paused until the identity is confirmed. However, the request for verification must be made promptly.
How to Build a GDPR Request Handling Process
Organisations need a structured, documented process for handling GDPR requests. Ad hoc responses lead to missed deadlines, inconsistent treatment, and compliance failures.
Step 1: Create a Clear Intake Channel
Make it easy for individuals to submit GDPR requests. Best practices include:
- A dedicated email address (such as [email protected]) that is monitored regularly
- A web form on your website's privacy page
- Clear instructions in your privacy policy about how to exercise data subject rights
- Training for customer-facing staff to recognise and escalate GDPR requests received through other channels
The channel must be accessible. Requiring individuals to create an account, call a phone number during limited hours, or send a notarised letter creates unnecessary barriers that supervisory authorities view unfavourably.
Step 2: Log and Acknowledge Immediately
Every GDPR request should be logged in a tracking system the moment it is received. Record:
- Date and time of receipt
- Channel through which it was received
- Type of request (access, erasure, rectification, etc.)
- Identity of the requester
- Deadline for response
Send an acknowledgement to the requester confirming receipt. While not strictly required by the GDPR, an acknowledgement demonstrates good faith and reduces the likelihood of complaints or duplicate requests.
Step 3: Verify the Requester's Identity
Before disclosing personal data or taking action on a GDPR request, confirm that the person making the request is who they claim to be. Article 12(6) permits this verification step.
The level of verification should be proportionate. For a customer logged into their account requesting their own data, the existing authentication may suffice. For a request from an unknown email address, you might ask for a copy of government-issued ID or answers to security questions.
Never use the verification step as a tactic to delay or discourage legitimate requests. Supervisory authorities have penalised organisations that imposed excessive identification requirements.
Step 4: Locate All Relevant Data
For access and portability requests, you need to identify every system, database, backup, and third-party processor that holds the requester's personal data. This is where many organisations struggle, particularly those with data spread across multiple platforms, CRM systems, email marketing tools, analytics services, and cloud storage.
Privacy Policy Generator
Create a comprehensive privacy policy for your website or app. Create yours in minutes with TermsBox.
Generate NowMaintaining a current data inventory or record of processing activities (Article 30) makes this step significantly faster. If you do not have one, building it should be a priority.
Step 5: Prepare the Response
The response format depends on the request type:
- Access requests: Provide a copy of all personal data along with the supplementary information required by Article 15. Common formats include PDF, CSV, or structured JSON. The data must be provided in a concise, transparent, intelligible, and easily accessible form, using clear and plain language (Article 12(1)).
- Erasure requests: Delete the data from all systems, including backups where feasible, and confirm deletion to the requester. Notify any third parties to whom the data was disclosed (Article 17(2)).
- Rectification requests: Correct the data and confirm the correction. Notify recipients of the change (Article 19).
- Objection requests: Cease the processing activity unless you can demonstrate compelling legitimate grounds under Article 21(1).
Step 6: Respond Within the Deadline
Deliver the response before the one-month deadline expires. If an extension is needed, communicate this to the requester with clear reasons before the initial month ends. Document everything: the response sent, the date, the method of delivery, and any supporting decisions about exemptions or extensions.
Handling Difficult GDPR Requests
Not every GDPR request is straightforward. Several common scenarios require careful judgement.
Excessive or Repetitive Requests
Article 12(5) permits organisations to charge a reasonable fee or refuse to act on requests that are "manifestly unfounded or excessive." The burden of proof lies with the organisation, and the threshold is high. Submitting the same access request every month, with no change in circumstances, could qualify. Submitting a single detailed access request does not, even if complying is time-consuming.
Requests Involving Third-Party Data
An access request might return data that includes personal data of other individuals. Article 15(4) states that the right to obtain a copy shall not adversely affect the rights and freedoms of others. Redact third-party personal data before providing the response, unless the third parties have consented.
Requests from Employee Representatives
Employees can submit GDPR requests about their employment data. They can also authorise a representative, such as a solicitor or trade union, to act on their behalf. Verify the authorisation, then process the request as you would any other.
Requests That Conflict with Legal Obligations
If complying with an erasure request would prevent you from meeting a legal obligation (such as retaining financial records for tax purposes), Article 17(3)(b) provides an exemption. Document the legal obligation, inform the requester of the specific exemption, and retain only the data necessary for that obligation.
GDPR Request Compliance for Websites
Websites collect personal data through forms, cookies, analytics tools, and third-party integrations. Website operators face specific considerations when handling GDPR requests.
Your privacy policy must clearly explain how individuals can submit GDPR requests. Article 13(2)(b) requires you to inform data subjects about the right to request access, rectification, erasure, restriction, portability, and the right to object. Using a privacy policy generator that covers these rights helps ensure nothing is omitted.
Cookie consent is closely related to GDPR requests. When a user withdraws consent for cookies, you must stop the relevant processing. This is functionally equivalent to an objection under Article 21. Your cookie policy should explain this relationship and describe how withdrawal is handled technically.
For website operators managing compliance across multiple data collection points, automated tools reduce the risk of missing requests or breaching deadlines. TermsBox provides a compliance scanner that identifies data collection points across your website, making it easier to locate all personal data when responding to access or portability requests.
Penalties for Mishandling GDPR Requests
Supervisory authorities take GDPR request violations seriously. Failures in this area consistently rank among the most common grounds for enforcement action across EU member states.
The GDPR provides for two tiers of administrative fines:
- Article 83(5): Violations of data subject rights (Chapter III) can attract fines of up to 20 million EUR or 4% of annual global turnover, whichever is higher.
- Article 83(4): Violations of controller and processor obligations, including failure to maintain records of processing activities that support GDPR request handling, can result in fines of up to 10 million EUR or 2% of annual global turnover.
Real enforcement examples illustrate the risk:
- The Swedish Data Protection Authority fined a company for failing to respond to an erasure request within the required timeframe
- The Spanish AEPD has issued multiple fines for inadequate responses to access requests, including cases where the organisation provided incomplete data
- The Dutch Autoriteit Persoonsgegevens fined an organisation for requiring excessive identification to process a straightforward access request
- The ICO in the UK has issued reprimands and enforcement notices for systematic failures to respond to subject access requests on time
Beyond fines, individuals who suffer material or non-material damage from GDPR request mishandling have the right to compensation under Article 82. Class action mechanisms in several member states have made collective claims increasingly common.
GDPR Request Documentation and Record-Keeping
Maintaining detailed records of every GDPR request and your response is essential for demonstrating compliance under the accountability principle (Article 5(2)).
For each request, document:
- The original request as received
- The date of receipt and the calculated response deadline
- Identity verification steps taken and their outcome
- Internal communications about the request
- Systems searched and data located
- The response provided, including any data copies or confirmation of action taken
- The date the response was delivered
- Any exemptions relied upon, with the legal basis for each
- Extension notices, if applicable
Retain these records for at least three years. While the GDPR does not specify a retention period for request records, the limitation period for administrative proceedings in most EU jurisdictions makes three years a reasonable minimum. Some organisations retain them for five years to align with general statute of limitations periods.
A well-documented GDPR request log also reveals patterns that inform broader compliance improvements. If you consistently receive erasure requests related to a specific data processing activity, that activity may warrant a review of its legal basis or necessity.
Frequently Asked Questions
What is a GDPR request?
A GDPR request is any formal exercise of data subject rights under the General Data Protection Regulation. This includes requests for access to personal data (Article 15), rectification of inaccurate data (Article 16), erasure of data (Article 17), restriction of processing (Article 18), data portability (Article 20), and objection to processing (Article 21). Organisations must respond to most GDPR requests within one calendar month.
How long do you have to respond to a GDPR request?
Article 12(3) of the GDPR requires organisations to respond to data subject requests without undue delay and within one calendar month of receiving the request. This deadline can be extended by a further two months where requests are complex or numerous, but the organisation must inform the data subject of the extension and the reasons for it within the initial one-month period.
Can you refuse a GDPR request?
Yes, but only in limited circumstances. Article 12(5) allows organisations to refuse requests that are manifestly unfounded or excessive, particularly where they are repetitive. The organisation bears the burden of demonstrating that the request is unfounded or excessive. Specific rights also have lawful exceptions. For example, the right to erasure under Article 17(3) does not apply when processing is necessary for exercising the right of freedom of expression, for compliance with a legal obligation, or for the establishment, exercise, or defence of legal claims.
Do you need to verify identity before responding to a GDPR request?
Yes. Article 12(6) of the GDPR allows organisations to request additional information necessary to confirm the identity of the data subject when they have reasonable doubts. Verification is critical to prevent unauthorised disclosure of personal data to the wrong person. However, the verification process must be proportionate and must not be used to delay or obstruct legitimate requests.