Rights & Requests

Understanding Data Subject Rights

The Act gives individuals enforceable rights over their data. Learn what each right means and how to respond.

Intermediate 15 min
This module is general information, not legal advice, and is being reviewed by our legal team. For your specific situation, consult the official Data Protection Act, 2020 or seek professional advice.

What you will learn

  • The main rights individuals have under the Act
  • What each right means in practice
  • Your responsibilities when someone exercises a right
  • How to handle a request without panic

Overview

The Act does not just place duties on businesses. It gives individuals a set of rights over their own personal data, and it expects you to respect them. Knowing these rights, and having a simple way to handle requests, keeps you compliant and builds trust.

Why this matters

A request from a customer or employee is not something to fear, but you do need to respond properly and on time. A calm, repeatable process turns a stressful event into routine admin.

What the law says

Part II of the Act sets out the rights of data subjects. In plain terms, individuals can:

  • Be informed about how their data is used (through your privacy notice).
  • Access the personal data you hold about them ().
  • Correct data that is inaccurate.
  • Object to certain processing, such as direct marketing.
  • Limit decisions made about them purely by automated means.
Tip. Most requests are simple once you know where data lives. The hardest part is finding it, so map your systems before a request arrives, not after.

Your responsibilities

When someone exercises a right, you generally must:

  1. Confirm who they are, so you do not disclose data to the wrong person.
  2. Find the relevant personal data across your systems.
  3. Respond within the timeframe the Act sets.
  4. Explain clearly if an exception applies and you cannot fully comply.
Watch out. Do not ignore a request hoping it goes away. A missed or mishandled request is one of the most common ways businesses end up in front of the Commissioner.

Real-world examples

  • A former employee asks for a copy of their HR file. That is an access request.
  • A customer notices their address is wrong and asks you to fix it. That is a correction.
  • A subscriber asks you to stop emailing them offers. That is an objection to direct marketing.

Common mistakes

  • Having no process, so requests get lost in someone's inbox.
  • Releasing data without checking the requester's identity.
  • Treating the deadline as flexible.

Best practices

  • Give people a clear way to make a request, and log every one.
  • Keep a simple internal checklist for finding and reviewing data.
  • Track the response deadline from day one.

Put this into practice

Log and manage access and correction requests in one place, with the response timeline tracked for you.

Handle a data subject request

Frequently asked questions

You must respond promptly and within the period set by the Act. Track the clock from the day you have the request and any required details.

Key takeaways

  • Individuals can ask to see, correct, and control the data you hold about them.
  • You must respond to valid requests within the timeframe set by the Act.
  • Build a simple, repeatable process so requests do not catch you off guard.
  • Some requests have exceptions, but you must still respond and explain.

Related

Ask the Privacy Assistant

Beta