A short guidance note explaining the GDPR obligations on businesses with regard to rights requests made by individuals and including links to a template Individual Rights Policy and Covering Letter.

What does the law require?

The GDPR builds on and expands certain rights which individuals have under existing data protection law (such as “subject access” rights) and introduces some new rights (such as the right to “data portability”). In summary, the GDPR provides the following rights for individuals:

  1. The rights of access and data portability;
  2. The right to rectification;
  3. The right to erasure;
  4. The rights to object and/or to restrict processing; and
  5. Rights in relation to automated decision making and profiling.

Agencies are generally not allowed to charge for complying with an individual rights request. Requests must also be handled within a month. It is worth noting that agencies can refuse or charge for requests that are manifestly unfounded or excessive. However, if you refuse a request, you must tell the individual why and that they have the right to complain to the ICO and to seek a judicial remedy.

What do you actually need to do?

You will need to check your procedures and determine how you would respond if someone were to make an individual rights request. You should consider whether you need to revise your procedures and make any changes. In particular, you should analyse whether your agency’s systems are able to locate specific personal data and, for example, delete it or anonymise it if necessary.

If your agency does not have any policies in this area, it is important that they are created and periodically reviewed and updated as necessary to ensure they are effective and meet your agency’s requirements. It is also important that the policies are actually implemented within your agency. The relevant personnel must be actively made aware of the policies, trained on the requirements, and required to comply with them.

It is also important to note that the rights referred to above can only be exercised against your agency when your agency is acting as the “data controller” as opposed to the “data processor”. Where your agency is acting as a “data processor”, your agency is not under a direct legal obligation to comply with a rights request - there is, however, a legal requirement for your agency to include in your contracts with clients an obligation to assist the client with the client’s obligations to respond to individual rights requests. It is therefore important to be aware of the requirements nonetheless so you have a better understanding of the client’s likely needs and expectations.

How can the IPA help?

The IPA has produced a template Individual Rights Policy for agencies to use as part of the development and rolling-out of your agency’s own internal data protection policies and procedures. The Individual Rights Policy explains in more detail what an individual rights request is and sets out the steps that should be followed in the event your agency receives a rights request.

The IPA has also produced a template covering letter for agencies to use when responding to access requests to ensure that the required information under the GDPR is provided to the requestor for these types of request. The template covering letter is also referred to in the Individual Rights Policy.

Please note that the Individual Rights Policy is intended as an example and to be used as a starting point only. It is not intended to be comprehensive or a finalised policy and will not, by itself, guarantee that your agency achieves full compliance with the GDPR. It is critical that you thoroughly review the Individual Rights Policy and customise it to fit your agency’s business before rolling it out internally within your agency.

The Individual Rights Policy is designed to work in conjunction with the other policies referred to in this Guidance as well as any other policies and procedures your agency may have. The Policy includes highlighted guidance notes and square bracketed words – these should be addressed and eventually removed as part of the implementation of the Policy. The Policy also includes some background guidance notes in red at the start of the document, these red notes should also be removed as part of the finalisation of the policy.

Last updated 01 May 2024