How to Make a GDPR Request for Information

    Need world class privacy tools?

    Schedule a Call >

    With the implementation of the General Data Protection Regulation (GDPR), individuals are now empowered to take control of their personal data. One key right provided by the GDPR is the right to request information. In this article, we will guide you through the process of making a GDPR request and provide you with essential information to ensure your request is successful.

    Understanding the GDPR

    What is the GDPR?

    The General Data Protection Regulation (GDPR) is a comprehensive data protection law that was enforced in May 2018. It aims to protect the personal data of individuals within the European Union (EU) and European Economic Area (EEA). The GDPR sets out strict data protection rules and provides individuals with greater control over their personal information.

    The GDPR was developed in response to the increasing need for stronger data protection measures. With the rapid advancement of technology and the widespread use of the internet, personal data has become a valuable commodity. The GDPR recognises the importance of safeguarding this data and ensuring that individuals’ privacy rights are respected.

    Under the GDPR, personal data is defined as any information relating to an identified or identifiable natural person. This includes not only obvious data such as names, addresses, and identification numbers, but also less obvious data such as IP addresses, cookie identifiers, and even genetic and biometric data.

    Why is GDPR Important?

    The GDPR is important as it puts individuals in control of their personal data. It ensures that organisations handle personal information responsibly and transparently. Additionally, it allows individuals to understand who has access to their data and how it is being used.

    One of the key principles of the GDPR is the concept of “data minimisation.” This means that organisations should only collect and process personal data that is necessary for a specific purpose. They must also ensure that the data is accurate and up to date. This principle helps to prevent the unnecessary collection and storage of personal data, reducing the risk of data breaches and unauthorised access.

    The GDPR also introduces the concept of “privacy by design and by default.” This means that organisations must consider data protection and privacy issues from the very beginning of any new project or system development and implement appropriate technical and organisational measures to ensure that personal data is protected throughout its lifecycle.

    Another important aspect of the GDPR is the requirement for organisations to obtain explicit consent from individuals before collecting and processing their personal data. This means that individuals must be fully informed about how their data will be used and have the option to withdraw their consent at any time.

    In addition to these measures, the GDPR also strengthens individuals’ rights in relation to their personal data. These rights include the right to access their data, the right to rectify any inaccuracies, the right to erasure (also known as the “right to be forgotten”), and the right to data portability.

    The GDPR has significantly impacted organisations worldwide, not just those based in the EU and EEA. Many companies have had to update their data protection policies and practices to ensure compliance with the new regulations. This has involved implementing stricter security measures, appointing data protection officers, and conducting regular data protection impact assessments.

    Overall, the GDPR represents a major step forward in data protection and privacy rights. It provides individuals with greater control over their personal information and holds organisations accountable for their handling of that data. By ensuring that personal data is collected and processed in a responsible and transparent manner, the GDPR helps to build trust between individuals and organisations.

    Rights Under the GDPR

    The General Data Protection Regulation (GDPR) is a comprehensive data protection law that provides individuals with certain rights regarding the processing of their personal data. These rights are designed to give individuals more control over their personal information and ensure that organisations handle their data in a fair and transparent manner.

    Right to Access

    The right to access is one of the fundamental rights under the GDPR. It allows individuals to obtain confirmation as to whether their personal data is being processed and to access the personal information held by an organisation. This right enables individuals to understand how their data is being used and to verify the lawfulness of the processing.

    When exercising this right, individuals have the right to obtain a copy of their personal data, as well as information about the purposes of the processing, the categories of personal data being processed, and the recipients or categories of recipients to whom the data has been or will be disclosed.

    Furthermore, organisations must provide individuals with any supplementary information necessary to ensure fair and transparent processing, such as the existence of automated decision-making, including profiling, and the logic involved in such decision-making.

    Right to Rectification

    The right to rectification empowers individuals to request the correction of inaccurate or incomplete personal data. If you believe that the personal information held by an organisation is incorrect or incomplete, you have the right to request the rectification of this data. This ensures that your personal data remains accurate and up to date.

    Organisations are obligated to respond to rectification requests without undue delay and must inform any third parties to whom the data has been disclosed about the rectification unless it is impossible or involves disproportionate effort.

    It is important to note that the right to rectification is not absolute and may be subject to certain limitations, such as when the accuracy of the data is contested by the individual or when the processing is necessary for the establishment, exercise, or defence of legal claims.

    Right to Erasure

    The right to erasure, also known as the right to be forgotten, allows individuals to request the deletion of their personal data. This right is not absolute and only applies in certain situations, such as when the data is no longer necessary for the purpose it was collected or if the processing is unlawful.

    There are various grounds on which an individual can request the erasure of their personal data, including withdrawing consent, objecting to the processing, or when the data has been unlawfully processed. However, the right to erasure is not applicable if the processing is necessary for compliance with a legal obligation or for the establishment, exercise, or defence of legal claims.

    When an individual exercises their right to erasure, organisations are required to take reasonable steps to inform other controllers processing the data about the erasure request and erase any links or copies of the data unless it is necessary to retain the data for certain legitimate purposes.

    It is important to note that the right to erasure is not absolute and may be subject to certain limitations, such as when the processing is necessary for the exercise of the right of freedom of expression and information, for compliance with a legal obligation, for reasons of public interest in the area of public health, or for archiving purposes in the public interest, scientific or historical research purposes, or statistical purposes.

    Preparing to Make a GDPR Request

    Making a GDPR request is an important step in exercising your rights to data protection and privacy. It allows you to gain insight into the personal data that organisations hold about you, understand how your data is being processed, and identify any recipients of your personal information. To ensure that your request is effective and focused, there are a few key steps to follow.

    Identifying the Information You Need

    Prior to making a GDPR request, it is essential to identify the specific information you require. This can include personal data that an organisation holds about you, details of the processing activities, and any recipients of your personal data. Clearly defining what you need will help ensure that your request is focused and effective.

    For example, if you suspect that an organisation has collected more personal data than necessary for the services it provides, you may want to request a list of all the personal data it holds about you and the purposes for which it is being processed. This will enable you to assess whether it is complying with the principles of data minimisation and purpose limitation.

    Alternatively, if you are concerned about the security measures in place to protect your personal data, you can request information about the technical and organisational measures implemented by the organisation to safeguard your information. This will help you determine whether they are taking appropriate steps to protect your data from unauthorised access or disclosure.

    Finding the Right Contact

    Once you have identified the information you need, your next step is to find the appropriate contact within the organisation. The GDPR requires organisations to provide contact details of their Data Protection Officer (DPO) or a designated representative. This contact will be responsible for handling GDPR requests and ensuring compliance with data protection laws.

    It is important to contact the correct contact person to ensure that your request is properly addressed and processed. The DPO or designated representative will have the knowledge and expertise to handle GDPR requests effectively and provide you with the necessary information in a timely manner.

    When contacting the organisation, it is advisable to clearly state that you are making a GDPR request and specify the nature of the information you are seeking. This will help the organisation understand the purpose of your request and enable them to respond appropriately.

    Remember, the GDPR grants you the right to access your personal data and obtain information about how it is being processed. By following these steps and making a well-defined GDPR request, you can exercise your rights and ensure that your personal data is being handled in accordance with data protection laws.

    How to Write a GDPR Request

    Writing a GDPR request can be a crucial step in exercising your rights and ensuring the protection of your personal data. By following the essential elements outlined below, you can create an effective request that increases the likelihood of receiving the information you seek.

    Essential Elements of a GDPR Request

    When writing your GDPR request, there are several essential elements you should include to ensure its effectiveness. Firstly, clearly state that you are making a GDPR request for information. This will help the recipient understand the purpose of your communication right from the start.

    Next, provide your contact details and any relevant reference numbers. Including your name, address, email, and phone number will enable the organisation to reach out to you easily. Reference numbers, if applicable, can help streamline the process and ensure that your request is handled promptly.

    Specify the information you are seeking in detail. Clearly articulate the specific data points, documents, or records you are interested in obtaining. The more precise and comprehensive your request, the better chance you have of receiving the exact information you need.

    In addition to specifying the information, it is important to indicate the timeframe for which you are requesting it. Whether you need data from a specific period or an ongoing stream of information, providing a clear timeframe will help the organisation understand the scope of your request.

    Lastly, sign and date your request. This will not only add a professional touch but also serve as evidence of when you made the request.

    Sample GDPR Request Letter

    Dear [Organisation Name],

    I am writing to request information under the General Data Protection Regulation (GDPR). I value my privacy and believe in the importance of transparency and accountability in data processing.

    Below are the essential details of my request:

    Name: [Your Name]

    Contact Details: [Your Contact Details]

    Reference Number: [Any relevant reference numbers]

    Information Requested: [Specify the information you are seeking]

    Timeframe: [Specify the timeframe for which you are requesting the information]

    I kindly request that you provide me with the requested information within 30 days from the date of this letter. As stated in Article 12(3) of the GDPR, timely responses to data subject requests are crucial in upholding the principles of fairness, transparency, and accountability.

    Should you require any further information or clarification, please do not hesitate to contact me. I am more than willing to provide any additional details that may assist in processing my request promptly and accurately.

    Thank you for your attention to this matter. I trust that you will handle my request with the utmost care and in compliance with the GDPR requirements.

    Yours sincerely,

    [Your Name]

    What to Expect After Making a GDPR Request

    Response Time for GDPR Requests

    Under the GDPR, organisations are required to respond to GDPR requests within one month of receiving them. However, this period can be extended by an additional two months for complex requests. The organisation must inform you of any such extension within one month of receiving the request, along with the reason for the delay.

    Understanding the Response

    The organisation’s response to your GDPR request should provide you with the requested information in a clear and understandable manner. They should explain how they obtained your data, the purposes for which it is being processed, and any recipients to whom it has been disclosed. If the request is complex, the organisation may seek additional information or clarification from you to ensure an accurate response.

    By following these guidelines, you can navigate the process of making a GDPR request for information with confidence. Remember, the GDPR is a powerful tool that puts you in control of your personal data. Take advantage of your rights by making informed requests and ensuring the responsible handling of your personal information.

    Learn more. Schedule your demo now!


    Try PrivacyEngine
    For Free

    Learn the platform in less than an hour
    Become a power user in less than a day

    PrivacyEngine Onboarding Screen