GDPR Learning Hub

Deadline for responding to and fulfilling a right

There is a deadline for responding to and fulfilling a right that data subjects have under the GDPR. The GDPR gives data subjects eight (8) fundamental rights. Companies shall inform data subjects about these rights and put in place organisational and technical measures to be able to meet them. When a data subject wishes to have a right fulfilled, the company may need to identify the data subject, for example if the person has created an account with one email address but sends the request to have their personal data deleted from another email address. In such cases, the company may need to verify the data subject’s identity. Please note that this does not mean that the company can request any information, since what it asks for must be proportionate.

Deadline for responding to and fulfilling a right under the GDPR 

Companies shall deal with a request from a data subject to exercise a right as soon as possible, and in any case within one month of receiving the request. A month in this case means the same date in the following month. For example, if the company receives a request on 15/8 2024, the deadline expires on 15/9 2024. In some cases, the end date may fall on a weekend or public holiday, and in such cases the deadline expires on the next working day instead.

Possibility to extend the deadline 

It is possible, in certain cases, to extend the time limit for dealing with a request from a data subject. However, the extension must be justified. A company can extend the deadline by an additional two months if, for example, it has received a large number of requests at the same time or the request is complex. Please note that the company must inform the data subject of the extended deadline, including the justification, within the first month.

Establish internal procedures, templates and checklists

In order to be able to fulfil the data subjects’ rights under the GDPR and to do so within the deadline, the company should establish internal procedures on how employees who receive a request should proceed. In addition, it is good to have ready-made response templates to make sure that all the necessary information is clear. This also saves employees time and makes the process smoother. 

After a company has fulfilled a right upon request, the company shall inform the data subject thereof. For example, if a person requests that a company delete all personal data about them, the company shall inform the data subject after it has deleted the personal data.
