One day it happens: a customer, applicant or colleague asks what data you hold on them, or wants it changed or deleted. That is a privacy request, and the GDPR gives people the right to make one. You do not have to resolve it legally yourself, but you do have to recognise it and pass it on properly. This article explains those rights and what you do when such a request reaches you.
Data subjects' rights, briefly
The GDPR gives people several rights over their own data. The main ones you meet in practice:
- Access: someone may ask what data you hold on them and what you use it for.
- Rectification: if data is wrong, someone may ask you to correct it.
- Erasure: in certain cases someone may ask to have their data deleted (the "right to be forgotten").
- Objection: someone may object to certain uses of their data.
- Portability: in some cases someone may receive their data in a reusable form.
How do you recognise a privacy request?
A privacy request rarely arrives neatly labelled "GDPR request". It may be an ordinary email ("can you delete my data?"), a remark on the phone, or a question via a contact form or social media.
That is exactly why recognition matters. As soon as someone asks something about their own data (what you hold, whether it can be deleted, whether it is correct), it is a privacy request, even if they never use the word.
What do you do when it reaches you?
The most important thing: do not try to handle it yourself, but pass it straight to the right person. In most organisations that is the data protection officer, the privacy officer or a central point of contact. They know which steps and deadlines apply.
Why pass it on rather than do it yourself? Because a privacy request comes with legal requirements and deadlines. An organisation must in principle respond within one month, and must first verify the requester's identity. So never release data yourself, however friendly the request sounds.
The pitfall: releasing data to the wrong person
A privacy request can also be an attack method. A fraudster poses as a customer and asks for "all my data", hoping a helpful employee will send it without checking. That way the right of access is abused to capture data.
That is why identity verification belongs with every request, and passing it to the right team is not bureaucracy but protection. Treat a request seriously and carefully: seriously because it is a right, carefully because you do not simply hand data to a stranger.
A simple step plan
When you receive a privacy request, follow these steps:
- Recognise it: is the question about someone's own data? Then it is a privacy request.
- Do not release any data yourself and do not confirm details.
- Pass it straight to the privacy officer or central point of contact.
- Note the date and content, so the deadline runs from the right moment.
- Unsure whether it is a request? Treat it as one to be safe and check.
How to embed this in your awareness programme
Many employees do not know that an ordinary question can be a privacy request. In your programme, make concrete what such a request looks like, and above all make clear that passing it on is the right reflex, not solving it yourself.
Combine that with one known reporting route. The clearer where a request should go, the smaller the chance that someone hands data to the wrong person out of helpfulness.
FAQ
Should I handle a privacy request myself?
No. Pass it straight to the data protection officer, the privacy officer or the central point of contact. A request carries legal deadlines and identity checks that they handle correctly.
Within what deadline must an organisation respond?
In principle within one month of receipt. For complex or numerous requests this may be extended, but the requester must be told. That is why the moment of receipt counts, so note it down.
What if I doubt someone is who they claim to be?
Then do not release any data. Identity verification belongs with every request; fraudsters abuse the right of access precisely to obtain data. Pass the request on so the right team can verify.
Does a request via social media or phone also count?
Yes. A privacy request has no required form; it can come by email, phone, form or social media. As soon as someone asks about their own data, treat it as a request and pass it on.
Can someone always demand erasure of their data?
Not always. The right to erasure applies in certain cases, but sometimes an organisation must or may keep data, for example because of a legal retention obligation. The privacy officer assesses this case by case.