Rights & Requests
Understanding Data Subject Rights
The Act gives individuals enforceable rights over their data. Learn what each right means and how to respond.
What you will learn
- The main rights individuals have under the Act
- What each right means in practice
- Your responsibilities when someone exercises a right
- How to handle a request without panic
Overview
The Act does not just place duties on businesses. It gives individuals a set of rights over their own personal data, and it expects you to respect them. Knowing these rights, and having a simple way to handle requests, keeps you compliant and builds trust.
Why this matters
A request from a customer or employee is not something to fear, but you do need to respond properly and on time. A calm, repeatable process turns a stressful event into routine admin.
What the law says
Part II of the Act sets out the rights of data subjects. In plain terms, individuals can:
- Be informed about how their data is used (through your privacy notice).
- Access the personal data you hold about them ().
- Correct data that is inaccurate.
- Object to certain processing, such as direct marketing.
- Limit decisions made about them purely by automated means.
Your responsibilities
When someone exercises a right, you generally must:
- Confirm who they are, so you do not disclose data to the wrong person.
- Find the relevant personal data across your systems.
- Respond within the timeframe the Act sets.
- Explain clearly if an exception applies and you cannot fully comply.
Real-world examples
- A former employee asks for a copy of their HR file. That is an access request.
- A customer notices their address is wrong and asks you to fix it. That is a correction.
- A subscriber asks you to stop emailing them offers. That is an objection to direct marketing.
Common mistakes
- Having no process, so requests get lost in someone's inbox.
- Releasing data without checking the requester's identity.
- Treating the deadline as flexible.
Best practices
- Give people a clear way to make a request, and log every one.
- Keep a simple internal checklist for finding and reviewing data.
- Track the response deadline from day one.
Put this into practice
Log and manage access and correction requests in one place, with the response timeline tracked for you.
Handle a data subject requestFrequently asked questions
Key takeaways
- Individuals can ask to see, correct, and control the data you hold about them.
- You must respond to valid requests within the timeframe set by the Act.
- Build a simple, repeatable process so requests do not catch you off guard.
- Some requests have exceptions, but you must still respond and explain.
