Guidance Notes and Letter Templates

June 2020

Data protection law in the UK, particularly in the form of the GDPR and Data Protection Act 2018, sets out a number of important rights for individuals or “data subjects” including the right to be informed, the right of access, the right to rectification, the right to erasure (or “right to be forgotten”), rights to restrict the processing of personal data, the right to data portability, the right to object to the processing of personal data, and rights related to automated decision-making including profiling.

These rights are designed to encourage transparency and to give individuals control over the use of their personal data. These rights, in turn, impose obligations on organisations handling personal data (“data controllers”) and the law sets down strict time limits for compliance (usually one month from the receipt of a request from a data subject to exercise a right).

New Data Subject Rights Guidance Notes

Our latest data protection guidance notes explain these important rights in more detail, providing information on each right, the circumstances in which the rights apply (few rights are absolute; most apply only in particular cases), how to comply with them, time limits for compliance, and more.

New Data Subject Rights Letter Templates

Individuals can exercise their rights in any manner they choose. Requests do not need to follow a prescribed form and can be made orally or in writing. Moreover, they can be made to anyone within your organisation, so it is imperative that any staff likely to receive a request to exercise any data subject rights at the very least know what to be on the lookout for.

Once a request is received, you generally have only one month to respond. Calculating “a month” is surprisingly complicated, as explained in the new Guidance Notes, and will also be affected by cases in which you may need to confirm an individual’s identity or charge them a fee (note it is only possible to charge a fee in exceptional cases where a request is “manifestly unfounded” or “excessive”). Furthermore, you can also extend the time limit by a further two months in situations where requests are particularly complex or numerous.

We have published a new set of letter templates that are designed for use in responding to requests to exercise data subjects’ rights. These letters do not refer specifically to a particular right but are sufficiently broad in their drafting to be adapted to work with most of them.

The first letter is a simple acknowledgement, undertaking to respond to the request within a month.

The second letter is an acknowledgement that also requests confirmation of the individual’s identity.

The third is another acknowledgement, designed for situations in which you view the request as “manifestly unfounded” or “excessive” (see the Guidance Notes for more detail about these terms) and you require a fee.

The fourth letter acknowledges your receipt of confirmation of the individual’s identity and undertakes to proceed with complying with the request within one month.

The fifth letter acknowledges receipt of a fee, also undertaking to comply within a month.

The sixth letter is designed for situations in which you require additional time and includes options enabling it to be used as your first response, or as a follow-up response with or without ID confirmation or a fee.

Further letters will be added to this set of templates shortly, including templates for refusing to comply with a request (again, in a “manifestly unfounded” or “excessive” scenario), and for outlining a positive response or outcome.

The contents of this Newsletter are for reference purposes only and do not constitute legal advice. Independent legal advice should be sought in relation to any specific legal matter.
