Data Subject Rights

Introduction

The GDPR grants individuals specific rights over their personal data. As a data controller, you must facilitate these rights and respond to requests within specified timeframes. Emily Helps provides tools to help you manage and respond to data subject requests efficiently.

The Eight Rights

1. Right to Be Informed

What It Is: Individuals have the right to know how their personal data is being collected and used.

Your Obligations:

• Provide privacy information at the time of data collection
• Include all required information in your privacy notice
• Make privacy information easily accessible
• Use clear, plain language

Required Information:

• Identity and contact details of controller
• Contact details of Data Protection Officer (if applicable)
• Purposes and legal basis for processing
• Legitimate interests (if applicable)
• Categories of personal data
• Recipients or categories of recipients
• Data retention periods
• Rights available to individuals
• Right to lodge a complaint with supervisory authority
• Whether data provision is mandatory or voluntary
• Existence of automated decision-making

Emily Helps Features:

• Privacy notice templates
• Data collection forms with privacy information
• Consent management with clear explanations
• User dashboard showing their data

Response Time: At the time of data collection

2. Right of Access

What It Is: Individuals can request a copy of their personal data (Subject Access Request - SAR).

Your Obligations:

• Confirm whether you are processing their data
• Provide a copy of their personal data
• Provide supplementary information (purposes, categories, recipients, etc.)
• Generally free of charge
• Respond within one month (extendable by two months for complex requests)

What to Provide:

• Copy of all personal data held
• Information about processing purposes
• Categories of data
• Recipients or categories of recipients
• Retention periods
• Sources of data (if not from the individual)
• Existence of automated decision-making

Emily Helps Features:

• Self-service data export tool
• SAR request workflow
• Automated data compilation
• Structured export formats (PDF, CSV, JSON)
• Redaction tools for third-party data
• Request tracking and deadline management

Response Time: 1 month (extendable to 3 months for complex requests)

3. Right to Rectification

What It Is: Individuals can request correction of inaccurate or incomplete personal data.

Your Obligations:

• Correct inaccurate data
• Complete incomplete data
• Notify recipients of corrections (if required)
• Respond within one month

Considerations:

• Balance accuracy with legitimate disagreement
• Document reasons if you disagree with a correction request
• Consider the purposes of processing when assessing accuracy

Emily Helps Features:

• User self-service data editing
• Rectification request workflow
• Verification tools
• Change history and audit trail
• Notification system for data recipients

Response Time: 1 month (extendable to 3 months)

4. Right to Erasure (“Right to be Forgotten”)

What It Is: Individuals can request deletion of their personal data in certain circumstances.

When It Applies:

• Data no longer necessary for original purpose
• Consent withdrawn (where consent was the legal basis)
• Objection to processing (and no overriding grounds)
• Data processed unlawfully
• Legal obligation to erase
• Data relates to child’s consent for information society services

When You Can Refuse:

• Exercising freedom of expression and information
• Complying with a legal obligation
• Public health purposes
• Archiving, research, or statistical purposes
• Establishing, exercising, or defending legal claims

Emily Helps Features:

• Erasure request workflow
• Dependency checking (identifies related records)
• Legal hold functionality
• Anonymization vs. deletion options
• Audit trail of deletion activities
• Retention policy override alerts

Response Time: 1 month (extendable to 3 months)

Important for Churches: Sacramental records often have canonical and legal retention requirements that may override the right to erasure.

5. Right to Restriction of Processing

What It Is: Individuals can request that you limit how you use their data rather than deleting it.

When It Applies:

• Accuracy of data is contested (restrict while verifying)
• Processing is unlawful, but individual opposes deletion
• You no longer need the data, but individual needs it for legal claims
• Objection to processing (restrict while verifying grounds)

Your Obligations:

• Store the data but not process it (except with consent or for legal claims)
• Inform the individual before lifting the restriction
• Notify recipients of the restriction

Emily Helps Features:

• Processing restriction flags
• Automated processing prevention
• Restriction workflow
• Notification system
• Audit trail

Response Time: 1 month (extendable to 3 months)

6. Right to Data Portability

What It Is: Individuals can obtain and reuse their personal data for their own purposes across different services.

When It Applies:

• Processing is based on consent or contract
• Processing is carried out by automated means

What to Provide:

• Personal data in a structured, commonly used, machine-readable format
• Where technically feasible, transmit directly to another controller

Scope:

• Only data provided by the individual
• Does not include derived or inferred data
• Does not include data about others

Emily Helps Features:

• Structured data export (JSON, CSV, XML)
• Automated data compilation
• Standardized export formats
• API for direct transmission
• Data portability request workflow

Response Time: 1 month (extendable to 3 months)

7. Right to Object

What It Is: Individuals can object to processing of their personal data in certain circumstances.

When It Applies:

• Processing based on legitimate interests
• Processing for direct marketing
• Processing for research or statistical purposes (unless for public interest reasons)

Your Obligations:

• For direct marketing: Stop processing immediately
• For other objections: Stop unless you demonstrate compelling legitimate grounds
• Inform individuals of their right to object

Emily Helps Features:

• Objection request workflow
• Automatic marketing opt-out
• Legitimate interest override assessment
• Suppression lists
• Preference management

Response Time: Immediately for direct marketing; 1 month for other objections

8. Rights Related to Automated Decision-Making

What It Is: Individuals have the right not to be subject to automated decisions that have legal or similarly significant effects.

When It Applies:

• Decision is solely automated (no human involvement)
• Decision has legal or similarly significant effects

Exceptions:

• Necessary for entering into or performing a contract
• Authorized by law
• Based on explicit consent

Required Safeguards (when exceptions apply):

• Right to human intervention
• Right to express point of view
• Right to contest the decision

Emily Helps Features:

• Automated decision logging
• Human review workflows
• Decision explanation tools
• Appeal mechanisms

Response Time: Varies by context

Responding to Data Subject Requests

General Process

1. Receive Request

   • Verify identity of requestor
   • Determine which right is being exercised
   • Check for any exemptions

2. Assess Request

   • Identify all relevant data
   • Check for third-party data requiring redaction
   • Determine if request is manifestly unfounded or excessive
   • Calculate response deadline

3. Gather Data

   • Search all systems and records
   • Compile relevant information
   • Prepare in appropriate format
   • Redact third-party information

4. Respond

   • Provide information in clear, plain language
   • Include all required elements
   • Explain any extensions or refusals
   • Document the response

Verification

Before responding to a request:

• Verify the identity of the requestor
• Request additional information if needed
• Use reasonable means appropriate to the circumstances
• Document verification steps taken

Timelines

• Default: 1 month from receipt of request
• Extension: Up to 3 months for complex or multiple requests
• Extension Notice: Inform individual within 1 month of original request
• Refusal: Inform individual without undue delay and within 1 month

Charges

• Generally Free: No charge for most requests
• Exceptions:
  • Manifestly unfounded or excessive requests
  • Additional copies of same information
• Administrative Fee: Reasonable fee based on administrative costs
• Demonstrate: Burden on you to show request is manifestly unfounded or excessive

Emily Helps Request Management

Workflow Features

• Request Intake: Standardized forms and email integration
• Verification: Identity verification workflows
• Assignment: Automatic routing to responsible staff
• Tracking: Progress monitoring and deadline alerts
• Collaboration: Internal notes and task assignment
• Templates: Response letter templates for each right
• Audit Trail: Complete history of request handling

Data Discovery

• Comprehensive Search: Search across all modules and data types
• Automated Compilation: Gather related records automatically
• Export Tools: Generate standard export formats
• Redaction: Tools to remove third-party data
• Preview: Review compiled data before sending

Reporting

• Request Metrics: Track volume, types, and response times
• Compliance Reports: Monitor compliance with deadlines
• Trend Analysis: Identify patterns in requests
• Audit Support: Evidence of compliance for auditors

Best Practices

Preparation

1. Document Processes: Create procedures for each right
2. Train Staff: Ensure team knows how to handle requests
3. Identify Data: Know where personal data is located
4. Test Systems: Verify data can be extracted efficiently
5. Prepare Templates: Ready-to-use response letters

Handling Requests

1. Acknowledge Quickly: Confirm receipt promptly
2. Verify Identity: Use appropriate verification methods
3. Search Thoroughly: Look in all systems and backups
4. Document Everything: Keep records of all actions
5. Communicate Clearly: Use plain language in responses
6. Meet Deadlines: Track timeframes carefully
7. Seek Advice: Consult legal counsel for complex cases

Reducing Requests

Many access requests can be avoided by:

• Providing self-service access to data
• Making privacy information readily available
• Being transparent about data processing
• Responding promptly to informal queries

Common Challenges

Challenge: Voluminous Data

Solution:

• Ask individual to specify scope
• Provide data in searchable format
• Offer to discuss most relevant information

Challenge: Third-Party Data

Solution:

• Redact data about other individuals
• Balance rights of all parties
• Seek consent from third parties where appropriate

Challenge: Complex Technical Systems

Solution:

• Document data locations in advance
• Develop automated extraction tools
• Test retrieval processes regularly

Challenge: Vexatious Requests

Solution:

• Document pattern of requests
• Demonstrate manifestly unfounded or excessive nature
• Charge reasonable administrative fee or refuse
• Consider restriction orders if harassment continues

Related Documentation

• Data Protection Principles
• Legal Basis for Processing
• Data Retention Policy
• Privacy by Design

Resources

Templates Available

• Subject Access Request response letter
• Rectification confirmation letter
• Erasure confirmation letter
• Request refusal letter
• Extension notification letter
• Identity verification form

Further Reading

• ICO Guide to Data Subject Rights
• Article 29 Working Party Guidelines
• EDPB Guidelines on Rights

---

Last updated: October 2025