Understanding and Initiating GDPR Data Protection Requests

Table of Contents

Description

What is it?

A Data Protection Request, also known as a GDPR Subject Access Request, is a request made by individuals to companies or service providers for details of the personal data held about them. The request helps them understand how and why their data is being used, helping ensure compliance with the General Data Protection Regulation (GDPR).

Who needs it?

Any individual who has interacted with businesses, especially those in the European Union, and who believe that these companies hold personal data about them, have the right to make this request.

Procedure

  1. Identify the company or organization which you believe has your data.
  2. Write a formal request. This can be an email, clearly stating that you are making a ‘Subject Access Request’.
  3. Include necessary details to facilitate the process. This includes identification details and any relevant dates, context or people involved.
  4. Make sure to specify that you are requesting information under the GDPR. There is no need for extensive legal jargon.
  5. Send it to the official contact of the respective organisation. This is often the Data Protection Officer (DPO) or the generic information/contact email you may find on the company’s website.
  6. Await their response. Under GDPR the company has a month to reply.

Required Documents

  • Identification details - Full name, contact information
  • Any significant details - dates, people, context - to facilitate the search for your data

Providers that can do it for you

(We are currently curating the best providers. If you are or know a provider, please contact us or edit the page directly)

ProviderWebsiteTimelinesCost

Additional details

  • You can request an extension if you feel that the given time for the company to reply is not enough.
  • If the company fails to respond in time or you feel you have been unfairly denied, you can file complaints with the local supervisory authority.
  • Street Photography: Recent discussions on GDPR and Street Photography have led to confusion on legality. While broadly, GDPR does not explicitly outlaw street photography, cases where individuals can be identified might lead to complications. It is recommended to be aware of the local laws of the country.

Contribute

Improve this article by using the contact form or editing it through our open-source GitHub repository: tramitit/guides