Q: How should requests from individuals exercising their data protection rights be dealt with?
A: Individuals may contact your company/organisation to exercise their rights under the GDPR (rights of access, rectification, erasure, portability, etc.). Where personal data is processed by electronic means, your company/organisation should provide means for requests to be made electronically. Your company/organisation must reply to their request without undue delay, and in principle within 1 month of the receipt of the request.
It can ask them for additional information in order to confirm the identity of the person making the request.
If your company/organisation rejects the request then it has to inform the person of the reasons for doing so and of their right to file a complaint with the Data Protection Authority and to seek a judicial remedy.
Dealing with requests of individuals should be carried out free of charge. Where requests are manifestly unfounded or excessive, in particular because of their repetitive character, you may charge a reasonable fee or refuse to act.
A person who accessed all his personal data the month before, lodges again the same request for access to the same personal data. You may consider either informing them that you reject their request or requesting a reasonable fee.
The above FAQ was included on the European Commission’s website, which can be located here: