Data protection law in the UK, particularly in the form of the GDPR and
Data Protection Act 2018, sets out a number of important rights for
individuals or “data subjects” including the right to be informed, the
right of access, the right to rectification, the right to erasure (or
“right to be forgotten”), rights to restrict the processing of personal
data, the right to data portability, the right to object to the processing
of personal data, and rights related to automated decision-making including
These rights are designed to encourage transparency and to give individuals
control over the use of their personal data. These rights, in turn, impose
obligations on organisations handling personal data (“data controllers”)
and the law sets down strict time limits for compliance (usually one month
from the receipt of a request from a data subject to exercise a right).

New Data Subject Rights Guidance Notes

Our latest data protection guidance notes explain these important rights in
more detail, providing information on each right, the circumstances in
which the rights apply (few rights are absolute; most apply only in
particular cases), how to comply with them, time limits for compliance, and

New Data Subject Rights Letter Templates

Individuals can exercise their rights in any manner they choose. Requests
do not need to follow a prescribed form and can be made orally or in
writing. Moreover, they can be made to anyone within your organisation, so
it is imperative that any staff likely to receive a request to exercise any
data subject rights at the very least know what to be on the lookout for.
Once a request is received, you generally have only one month to respond.
Calculating “a month” is surprisingly complicated, as explained in the new
Guidance Notes, and will also be affected by cases in which you may need to
confirm an individual’s identity or charge them a fee (note it is only
possible to charge a fee in exceptional cases where a request is
“manifestly unfounded” or “excessive”). You can also extend
the time limit by a further two months in situations where requests are
particularly complex or numerous.
We have published a new set of letter templates that are designed for use
in responding to requests to exercise data subjects’ rights. These letters
do not refer specifically to a particular right but are sufficiently broad
in their drafting to be adapted to work with most of them.

The first letter is a simple acknowledgement, undertaking to respond to the
request within a month.

The second letter is an acknowledgement that also requests confirmation of
the individual’s identity.

The third is another acknowledgement, designed for situations in which you
view the request as “manifestly unfounded” or “excessive” (see the Guidance
Notes for more detail about these terms) and you require a fee.

The fourth letter acknowledges your receipt of confirmation of the
individual’s identity and undertakes to proceed with complying with the
request within one month.

The fifth letter acknowledges receipt of a fee, also undertaking to comply
within a month.

The sixth letter is designed for situations in which you require additional
time and includes options enabling it to be used as your first response, or
as a follow-up response with or without ID confirmation or a fee.

Further letters will be added to this set of templates shortly, including
templates for refusing to comply with a request (again, in a “manifestly
unfounded” or “excessive” scenario), and for outlining a positive response

The contents of this Newsletter are for reference purposes only and do not constitute
legal advice. Independent legal advice should be sought in relation to any specific