Introduction to this document

GDPR data subject rights clarification/refusal

Use our letter to respond to a data subject who has requested the erasure or rectification of their personal data, or a restriction on its processing, where further information is required to identify the individual. You can also use it to ask for a fee, or to refuse to act on the request, if it’s manifestly unfounded or excessive.

Data protection rights

In addition to their right of access to their personal data, the UK GDPR grants employees and other data subjects several further rights. These include a right to request the erasure or rectification of their personal data and a right to restrict the processing of it. You must normally respond to any such request “without undue delay” and at the latest within one month of receipt of it. However, before responding to a data subject’s request, the UK GDPR says that you can use reasonable means to verify their identity. You can also ask for a fee, or refuse to act on the request, if it’s “manifestly unfounded or excessive”. This is where our GDPR Data Subject Rights Clarification/Refusal letter comes in.

Identity issues

Where you have reasonable doubts concerning the data subject’s identity, you can ask them to provide the additional information necessary to confirm it before complying with their request. The first optional paragraph covers this scenario.

Unfounded or excessive requests

You must generally action the data subject’s request at your own expense. However, you can charge a reasonable fee, based on your administrative costs of taking the action, when a request is manifestly unfounded or excessive, particularly because of its repetitive character. The burden is on you to demonstrate the manifestly unfounded or excessive nature of the request. Our second optional paragraph requests a fee and sets out the various payment options. Where a request is manifestly unfounded or excessive, your other option is to refuse to act on it. Where you do this, you must, within one month of receipt of the data subject’s request, give them your written reasons for not taking any action and you must also inform them of their right to complain to the Information Commissioner’s Office or to seek a judicial remedy. Our third optional paragraph covers an outright refusal to act.

Time limits

In the case of verification of identity or request for a fee, the normal one-month time limit for responding to the request doesn’t begin to run until the data subject has verified their identity or paid the fee (as appropriate).