Data Subject Requests: 5 Steps to ensure compliance

Companies regularly receive requests from individuals who want to know whether their personal data is being processed, how it is used and which rights they can exercise under the GDPR. Handling these requests correctly is not only a legal obligation; it is also an important part of building trust.

This guide explains how to manage data subject requests in a structured way, with a particular focus on right of access requests under Art. 15 GDPR.


Data subject rights and the GDPR: an overview

Let's start with an insightful fact: The European General Data Protection Regulation (GDPR) does not protect data as an end in itself. Its purpose is to protect the fundamental rights and freedoms of natural persons with regard to the processing of personal data. This distinction matters when dealing with data subject requests. 

The most common case is the right of natural persons to access their data. According to Art. 15 GDPR, they may ask an organization at any time whether their personal data is being processed, which data is involved, and how it is being used.

From a legal perspective, this gives rise to an interesting area of conflict: it is not just a matter of printed information or digitally stored data records. The right of access is much more closely tied to the individual: data subjects have the right to request confirmation from the controller as to whether personal data concerning them is being processed.

This makes responding to data subject requests a time-consuming task that must be handled on a case-by-case basis. Many organizations are overwhelmed by the question of how to deal with a data subject request in a legally compliant manner.

The right of access under the GDPR: Data subject requests in real life

As always in data protection management, an efficient process is the indispensable foundation. This also applies to the handling of data subject requests. It is therefore important to provide those who make use of Art. 15 GDPR with an overview of the processes that affect them in a timely fashion. This requires a clear overview and a structured, transparent knowledge base – and, of course, clear data protection processes in the background to ensure smooth handling. 

A well-defined process also helps organizations prepare for regulatory audits and supervisory authority reviews. Data protection authorities are increasingly focusing on how organizations handle data subject requests, particularly access requests under Art. 15 GDPR.

Organizations that lack clear responsibilities, documented workflows, or reliable deadline tracking may face difficulties in demonstrating compliance. By contrast, those with structured processes, complete documentation, and consistent response practices are better positioned to respond confidently to authority inquiries and audits.

Good to know

The European Data Protection Board (EDPB) is conducting a Europe-wide inspection campaign. It is checking whether organizations are actually complying with the right to information under Article 15. It is also assessing the need for further assistance on individual aspects such as guidelines or awareness-raising measures.

The EDPB has published a questionnaire for this purpose. This provides an interesting insight into its approach. The questionnaire can be used to review the company's own processes for ensuring the rights of data subjects and also to prepare for an authority inspection. The questionnaire is available free of charge here: Coordinated Enforcement Framework Action 2024: implementation of the right of access by controllers.

Data subject rights: An overview

In addition to the right of access, the European General Data Protection Regulation recognizes other data subject rights. These jointly form a catalog of rights that extends from Art. 15 to Art. 22 GDPR:

Art. 19 GDPR is not included in the above list. Strictly speaking, this article does not confer a right on data subjects. Rather, it establishes a duty on organizations to provide information about the rectification or erasure of personal data. That obligation, in turn, gives rise to a corresponding right to information for data subjects.

How data subjects can exercise their rights

Data subjects may assert their right to information at any time free of charge – an informal request, for example by email or letter to the responsible organization, is sufficient. In theory, a verbal request by telephone is also possible. In any case, the response to a data subject's request should be concise, transparent, and comprehensible to the requester. Those who are specifically affected by the processing of their personal data may be sensitive to the issue. That is why tact and sensitivity are always required when dealing with data subjects' rights. After all, organizations also present themselves to the outside world through the information they provide. Transparent and friendly communication, in addition to clear information, is therefore part of an organization's successful reputation management.

How do I respond to data subject requests? The 5-step guide

Responding to a data subject request in a formally correct, competent, and detailed manner is easier than you might think, provided you follow a few important steps. Our follow-along guide provides a structured overview of how data protection experts can provide information to requesters while remaining legally on the safe side.

Good to know

Important note: This process should be understood as an addition to existing guidelines and, like many other processes, should be integrated into companies' data protection practices.

Before you start: Set up intake channels, responsibilities and deadlines

Data protection officers are not usually the first point of contact for requesters within an organization. Therefore, the data subject request must first be forwarded to the data protection expert. To ensure that every data subject request reliably reaches the data protection officer, it is helpful to set up a central email address to which all data subject requests are sent. This address should be checked regularly to ensure that no requests are overlooked. 

In addition, it is important to regularly train all employees on how to handle data subject requests. All employees should always know what such a request looks like and to whom it must be forwarded. 

Clear internal guidelines and procedures describing the exact handling of data subject requests should be documented in an easily accessible internal manual or process guide. An automated ticket system can also help to forward every incoming request to the data protection team immediately. To ensure the effectiveness of these measures, it is recommended to review these processes on a regular basis.

Good to know

Important note: As a rule, requests must be responded to without undue delay. In practice, a 30-day deadline for responding to data subject requests has become established. In addition, the requester should be notified that their request has been received by the data protection team.

Step 1: Verify the requester’s identity

Correctly verifying the requester’s identity is essential. The controller must ensure that personal data is not disclosed to an unauthorized person. If there are reasonable doubts about the requester’s identity, additional information may be requested to confirm it.

The verification method should be proportionate to the context and sensitivity of the data. In many cases, verification through an existing customer account, an established communication channel or secure authentication may be sufficient. More intrusive methods should only be used where necessary.

It is important to carefully consider how best to verify the identity of the data subject so that the response actually reaches only the data subject. Data protection-friendly alternatives could include, for example, a personal visit or notarization, depending on the scope and sensitivity of the requested data. In many cases, it is advisable to involve the data protection officer in determining the process, to ensure that the chosen method is both secure in terms of data protection law and user-friendly.

Step 2: Involve specialist departments and comply with deadlines

To ensure that the departments are effectively involved and that legal deadlines are met, clear responsibilities and accountabilities should be defined. Each department should know exactly what information and data it is required to provide. Documented processes and clear workflows that describe the flow of data subject requests from receipt to response are essential at this stage. Regular meetings or updates with the involved departments help to monitor the status of requests and identify potential bottlenecks. A monitoring and reporting system also helps to track compliance with deadlines.

Step 3: Identify relevant data and processing activities

Once the above-mentioned tasks have been completed, it is necessary to determine the extent to which the requester's personal information is involved in the organization's processing activities. We recommend taking a close look at the record of processing activities (RoPA), which should be thoroughly maintained. Depending on the individual case, the department responsible for the processing activity and its team members may also be consulted during the information gathering. First, however, the data subject must be clearly identified within the existing data sets.

Step 4: Prepare and review the response

Once all processing activities and data sets relating to the requester have been collected, a clear list is drawn up for the person requesting their data. Under Art. 15(3) GDPR, the controller must provide a copy of the personal data undergoing processing. However, the response should be reviewed to ensure that the rights and freedoms of others are not adversely affected. Depending on the request, the following information may also be relevant:

  • The nature and purpose of processing
  • The categories of personal data
  • The recipients to whom the personal data or categories thereof have been disclosed
  • The duration of data storage

In addition, requesters must be informed of their right to have personal data concerning them rectified or erased. If they exercise these rights, the necessary changes to the affected data sets must be carried out promptly.

Once the reply has been drafted, it should be promptly sent to the requester. The entire process should be carefully documented at the end.

Step 5: Send securely and document completion

When sending the response, data security should be a priority. The appropriate transmission method depends on the sensitivity and volume of the personal data involved. Options may include encrypted email, password-protected files with separate password transmission, registered mail or a secure online portal.

For sensitive or extensive responses, a secure data room or authenticated portal is often preferable to unprotected email attachments.

Conclusion: Managing data subject requests confidently is good business practice

The professional handling of data subject requests is of utmost importance, as behind every request are real people with a legitimate interest. Providing accurate and comprehensive information is essential to fulfill your GDPR duties.

This is particularly relevant in light of the current reviews of numerous companies by the European Data Protection Board. In addition, companies benefit when notification obligations are fulfilled in a timely and competent manner.

A fast, friendly, and comprehensive response to a data subject's request can help to satisfy a potentially unsettled or angry individual and positively influence their image of the company. This clearly shows that data protection is not only a legal issue, but also has a significant impact on an organization’s reputation.

Good documentation and lean processes make it clear that data protection creates security and trust in a brand or company, provided there is a well-designed data protection management system in place.

caralegal helps privacy teams manage data subject requests in a structured, traceable and secure way — from intake via web form or API to task assignment, deadline tracking, departmental input and secure provision of response documents through a protected data room.

See how caralegal supports GDPR-compliant request handling and reduces manual coordination across departments.


Article written by

Dennis Kurpierz Co-Founder & COO

Dennis Kurpierz is co-founder and Chief Operating Officer of caralegal. Thanks to his many years of experience as a senior consultant and lead project manager at ISiCO Datenschutz GmbH, he is familiar with customer needs, pain points, and challenges in data protection management. As product owner, he applies this expertise to product development at caralegal.
