For organisations: privacy rights in practice
The General Data Protection Regulation (GDPR) gives people a number of rights to stay in control of their personal data. On this page you, as an organisation, will find practical tips for dealing correctly with these privacy rights of your customers or employees, for example.
Part of a healthy privacy policy
Listening and responding to people who rely on their privacy rights is an important part of a healthy privacy policy. And a healthy privacy policy contributes to the trust people place in your organisation. Therefore, make sure that you embed privacy rights in your systems, processes and internal organisation. That way you will be able to respond in the right way to the requests you receive.
Be prepared for requests
To be properly prepared for the requests that you may receive, you have to ensure that you:
- Know which privacy rights apply, and when you do and do not have to comply with a request.
- Know how you are going to honour those requests. For example: how you are going to give people access, remove their data or transfer their data. You may have to take technical and organisational measures for this purpose.
- Know how you are going to establish the identity of people making a request.
- Draw people's attention to the privacy rights they have. Through your privacy statement, for example.
- Inform people clearly about how they can submit a request to you.
- Make it easy for people to make a request to you. Note: if someone makes a request by electronic means (e.g. by email), you will have to provide the requested information by electronic means as well.
Tip: The EDPB’s Data Protection Guide for SMEs provides a handy checklist with tips on how to handle privacy requests.
Dealing with requests
Do you receive a request from someone that is based on one of the privacy rights? Then take the following steps:
- verify the identity of the requester;
- respond within 1 month;
- if applicable: refuse (part of) the request;
- do not charge any costs;
- inform other organisations where necessary.
There are some particulars that apply for the right of access, but not for the other rights. So if you receive a request for access, also read: For organisations: right of access in practice.
Verify identity
Verify the identity of the requester before processing the request.
Respond within 1 month
You have 1 month to deal with the request. Within this month, you give a response by email or letter. In this response, you let the requester know whether you are going to honour the request. If so, you implement the request within 1 month.
In exceptional cases, for example if a request is very complex or if the number of requests received from the same person is very high, you are allowed to take up to 3 months to respond to a request. But in this case, too, you will have to respond within 1 month to inform the requester that you need more time, and explain why.
If applicable: refuse the request
You are allowed to refuse a request in the following cases:
- The request is not in accordance with the rules for the privacy right concerned. For example: the requester asks you to remove certain personal data. But you cannot remove these data (yet), because you are obliged by law to retain them for a specific period of time.
- You receive a lot of requests from the same person. You can then also choose to charge a reasonable administration fee instead of refusing the request.
- One of the exceptions to the privacy rights of Article 23 of the GDPR applies in your situation. For example: refusing the request is necessary for public safety, for the prevention or detection of criminal offences, or for the protection of the rights and freedoms of others. In that case, you will have to make an assessment which shows that the interest of your organisation, or the rights and freedoms of others, carries more weight than someone's privacy right. For more information, see: EDPB Guidelines on restrictions under Article 23 GDPR.
Have you decided to refuse the request? Or to honour only part of the request? Explain why. And draw the attention of the requester to the option to submit a complaint to the Dutch Data Protection Authority or:
- initiate application proceedings with the court (if you are a business);
- lodge an objection against the decision (if you are a governmental organisation).
Do not charge costs
In principle, you are not allowed to charge costs. But can you prove that a request is unfounded or excessive? For example, because someone submits an extreme number of requests to you? Then you are allowed to charge a reasonable administration fee. You are also allowed to do this if someone wants extra copies when exercising the right of access.
Note: When deciding whether a request is 'excessive', you are not allowed to take into consideration the total number of requests you receive (from different people) or the total costs you incur for replying to these requests. These costs are to be borne by you; you are not allowed to recover them from the people whose data you process, or to use them as an argument for rejecting a request.
Inform other organisations where necessary
Did you provide the relevant personal data to other organisations? Then sometimes you may also have to inform these organisations that you have honoured a request, and ask these organisations to do the same.
This applies for:
- The right to rectification: did you rectify certain data? Then you have to inform the other organisations that they have to adjust or supplement these data as well.
- The right to removal of data: did you remove certain data? Then you have to inform the other organisations that they have to remove these data as well.
- The right to restriction of processing: did you restrict processing of certain data? Then you have to inform the other organisations that they have to restrict processing of these data as well.
- The right to object: did you stop processing certain data because someone objected? Then you have to inform the other organisations that they have to stop processing these data as well.
Does the requester ask which organisations you have informed in this way? Then you have to let this person know.
Establishing identity
Does someone make a request to you that is based on the privacy rights from the GDPR? Such as a request for access? Then you will have to check if this person is who they say they are. In doing so, you prevent giving someone access to someone else's personal data. But you are not allowed to ask for more data than necessary for your check.
No copy ID
You are never allowed to ask for a full copy of the identity document for this purpose. A full copy is a copy in which all personal data are visible. You are only allowed to ask for a full copy ID if you are obliged by law to do so.
In all other cases, you are not allowed to ask for more than a copy ID in which certain data have been blocked. But this is only permitted if there really is no other way. In most cases, there are less intrusive ways to establish someone's identity. You must always try as much as possible to establish someone's identity using the data you already have from this person.
Examples of establishing identity
To give you an idea, below you will find a number of ways to establish someone's identity. It is up to you to decide which way is the most appropriate, given the situation.
- Through an existing login system: companies with an online shop often already have a secure login system for customers. In that case, you can integrate the exercise of someone's privacy rights in that system.
- A form of multifactor authentication: in this case, you use the customer details from your own records for a check. A lot of variations are possible here. For example:
  - After receiving a request by email, you ask for a confirmation by text message. This mobile number has to match the customer details from your records.
  - You ask for an email confirmation of a request made by telephone. This email address has to match the customer details from your records.
  - You ask for the last 3 digits of the account number, the birthdate and/or the customer number for a check.
- Drop by and show ID: you can ask people to drop by and show you their ID without making a copy. Note: when doing this, you may not create a barrier to giving access, for example for someone who does not live close by. That is why you should only offer this as an alternative.
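As an added illustration of the multifactor variants listed above (this is not code from the Dutch DPA or from any product), here is a small Python check that confirms a request using only data already on file: a one-time code sent to the mobile number in your records, or a match on the last 3 digits of the account number, the birthdate and the customer number. The customer records, field names and SMS gateway are constructed stand-ins.

```python
import hmac
import secrets
from datetime import datetime, timedelta, timezone

# Constructed sample customer records; the field names are assumptions.
CUSTOMERS = {
    "alice@example.com": {"customer_no": "C-1001", "mobile": "+31600000001",
                          "account_no": "NL00BANK0123456789", "birthdate": "1990-05-17"},
}
CODE_TTL = timedelta(minutes=10)
OUTBOX = []     # stand-in for the SMS gateway: (mobile, text) pairs
_pending = {}   # email -> (code, expiry); one-time codes held only in memory

def _eq(a, b):
    """Constant-time comparison, so a wrong guess does not leak by timing."""
    return hmac.compare_digest(a.encode("utf-8"), b.encode("utf-8"))

def start_sms_confirmation(email, now=None):
    """Variant 1 from the page: a request received by email is confirmed by a
    code sent to the mobile number already on file. An unknown email gets the
    same False as any other failure, so nothing about the records is revealed."""
    rec = CUSTOMERS.get(email)
    if rec is None:
        return False
    now = now or datetime.now(timezone.utc)
    code = f"{secrets.randbelow(10**6):06d}"
    _pending[email] = (code, now + CODE_TTL)
    OUTBOX.append((rec["mobile"], f"Your privacy-request confirmation code: {code}"))
    return True

def confirm_sms_code(email, submitted, now=None):
    """One attempt per code: any attempt, right or wrong, or expiry discards it."""
    entry = _pending.pop(email, None)   # pop: a code can never be reused
    if entry is None:
        return False
    code, expiry = entry
    now = now or datetime.now(timezone.utc)
    return now <= expiry and _eq(code, submitted)

def check_known_details(email, last3_account, birthdate, customer_no):
    """Variant 3 from the page: compare only the last 3 account digits, the
    birthdate and the customer number with data already held; no copy ID."""
    rec = CUSTOMERS.get(email)
    if rec is None:
        return False
    checks = [_eq(rec["account_no"][-3:], last3_account),   # all three evaluated,
              _eq(rec["birthdate"], birthdate),             # no short-circuit on
              _eq(rec["customer_no"], customer_no)]         # the first mismatch
    return all(checks)
```

Nothing submitted by the requester is stored; only the outcome of the check needs to be recorded with the request, which keeps the check within the data you already hold.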
Doubt about identity
Have you tried to establish someone's identity in your standard way? But do you still have reasons to doubt whether someone is the person they say they are? Then you are allowed to ask for additional information. In this case, too, you are not allowed to ask for more data than necessary. You may not ask for more than a copy ID in which certain data have been blocked. But this is only permitted if there really is no other way.
Recording in a policy
As an organisation, you must have a policy in which people can find information about how they can exercise their privacy rights. Part of this is the way in which someone identifies themselves when making a request with regard to privacy rights.
Obligation to provide information when asking for a copy ID
Do you ask for a copy of someone's identity document? Be aware that you are then obliged to provide certain information to this person.