Data subject rights: access, rectification and erasure

People have rights over their own data. Which rights the GDPR grants, what a request means for you, and how to handle it correctly.

The GDPR gives people control over their own personal data. That control is set out in a number of data subject rights. For employees it is important to recognise these rights, because a request may arrive by email, by letter or even by phone. Knowing what is at play means responding correctly and on time.

Which rights exist?

Among others, the GDPR grants data subjects these rights:

  • Right of access: to know which data an organisation holds about them, and receive a copy.
  • Right to rectification: to have incorrect data corrected or completed.
  • Right to erasure: to have data deleted, also known as the 'right to be forgotten'.
  • Right to restriction: to have processing temporarily paused.
  • Right to data portability: to receive their data in a usable format so it can be transferred to another organisation.
  • Right to object: to object to a processing activity, such as direct marketing.

What a request means for you

You need not handle a request yourself, but you must recognise it and pass it on. Someone asking "what data do you hold about me?" or "delete my data" is effectively making a GDPR request, even without citing the law.

The clock starts as soon as the organisation receives the request. As a rule there must be a response within a month. Forwarding to the person responsible for privacy or the central contact point is therefore time-critical.

Not every right is absolute

The rights have exceptions. The right to erasure, for instance, does not apply where a legal retention obligation exists, as with financial records. And granting access must not harm the privacy of other people whose data is involved.

So you do not have to judge on the spot whether a request is granted; the responsible person does that. Your role is to recognise, record and pass it on.

How to handle it correctly

A few practical habits:

  • Recognise a request, even when phrased informally.
  • Forward it immediately to the privacy officer or contact point.
  • Do not attempt to verify the requester's identity yourself by an unsafe method; leave that to the proper process.
  • Never release data on a phone request without verification.

How to embed this in your awareness programme

Requests reach the staff who are in contact with customers. Train them to recognise and forward a request, not to handle it themselves.

  • Aim this module at front office, customer service and reception.
  • Practise recognising an informal request and the correct forwarding route.
  • Make the reporting route and the one-month deadline visible in work instructions.
  • Offer depth via our course catalogue.

FAQ

What rights do people have under the GDPR?

Among others access, rectification, erasure, restriction of processing, data portability and objection. Together they give people control over their own personal data.

What should I do if I receive a GDPR request?

Recognise it, even when informal, and forward it immediately to the person responsible for privacy or the central contact point. Do not handle it yourself and do not release data without verification via the proper process.

Within what time must a request be answered?

As a rule within a month of receipt. That period may be extended in complex cases, but the requester must be told about the extension. Forwarding quickly is therefore important.

Does the right to erasure always apply?

No. It does not apply where, for example, a legal retention obligation exists, such as financial data, or where the data is needed for a legal claim. The responsible person decides whether a request is granted.

May I provide data on a phone request?

Not without the identity being safely verified through the proper process. Otherwise you risk giving data to the wrong person, which is itself a data breach.

Want help with implementation?

Book a short demo or discuss your use case. We respond quickly.