The GDPR provides data subjects with a number of rights under data protection law that require a response from the respective company. But how quickly do you as a company actually have to respond to a request from a data subject?
What are the data subject rights?
The so-called data subject rights are set out in Art. 15 to 22 GDPR (DSGVO in the German text). Under these provisions, every natural person whose personal data is processed has the right to information (access), rectification, erasure, restriction of processing, data portability and objection. In addition, there is the right not to be subject to a decision based solely on automated processing.
The data subject asserts these rights against the controller, i.e. the company or other body responsible for the processing.
What is the deadline?
According to Art. 12 III GDPR, the controller, against whom the data subject may assert these rights, must respond to a request "without undue delay and in any event within one month of receipt of the request".
Among lawyers, "without undue delay" means "without culpable hesitation" (Section 121 I BGB). The controller therefore does not automatically have a whole month in which to react: the one-month period is a maximum. If a response is possible within a shorter period, it must be given within that shorter period. In practice, of course, a shorter possible period is difficult to prove, so the one-month period usually ends up being decisive.
The only exception is likewise found in Art. 12 III GDPR: where necessary, taking into account the complexity and the number of requests, the time limit may be extended. In that case, however, the controller must inform the data subject of the extension and state the reasons for it.
When does the time limit start to run?
The time limit starts to run when the data subject's request is received by the controller. For this purpose, the data subject must use one of the controller's official channels, so that the controller has the opportunity to become aware of the request directly. The time limit nevertheless runs from receipt even if the controller does not actually become aware of a request that has been received through such a channel.
For a controller it is therefore important to keep a constant eye on the relevant channels.
Who may receive information?
The data subject rights under the GDPR are highly personal rights. Information may therefore only be provided to the data subject himself or herself.
Under stricter conditions, a person authorised by the data subject may also be entitled to receive it.
The controller is always obliged to identify the data subject before providing information. If the controller first has to make further inquiries to establish identity, because the information given in the request is not sufficient for this, the time limit does not start until the controller has identified the person with certainty. The data subject, for his or her part, is under no statutory time limit within which to answer such an identification request. If no answer is received, it is advisable for the controller to send a reminder.
It has meanwhile almost become a business model to submit requests that are not actually aimed at obtaining the information at all. Rather, the individuals concerned hope that the controller will make a mistake in processing the request so that they can then sue for damages. For controllers it is therefore all the more important to be able to prove that their handling of data subject requests complies with the law.
Do you have questions about data protection issues such as data subject rights or need help implementing data protection requirements? Our team of experts will be happy to help you. Contact us here!