GDPR Rejection of Unfounded or Excessive Request Template

Introduction

The GDPR has given the end-users the right to understand which personal data are being collected by an organization. Still, with any rights there are those who abuse it (intentionally or not). One of the guidelines of the GDPR stipulates that an organization may be within its rights to refuse to respond to a DSAR in case it is deemed to be excessive or unfounded. Refusal may be fully or partially applied, depending on the circumstances.

The organization may decide to charge a small fee for excessive DSARs.
The rejection format is to be used by the DPO (or their delegates) to ascertain that an end-user’s request is either unfounded or deemed to be excessive and then notify that end-user that their request is rejected. The response should include the checks that need to be performed to reach the conclusions that will serve as the foundation for the rejection.

Scope and Purpose

The requesters of a DSAR are within their rights to do so, but abusing that right may result in a rejection letter. Once a check has been performed, the DPO (or their delegates) are required to fill in this template with their conclusions. This will serve for two purposes: a response to the DSAR and records for any audit (internal or external).

Once a DSAR has been submitted, the data controllers are required to -

1. Check when the last similar DSAR was submitted. In case it was less than X weeks ago (according to the company policy), then the request may be denied.

2. Understand if the end-user has offered to withdraw the DSAR in return for any form of compensation.

3. Check if the requester has made any unsubstituted accusations against an employee of the organization.

4. Check if the requester is targeting a particular employee against who they have a personal grudge.

Required Fields in the Policy

The rejection notice should include the following fields:

1. The details of the responder (or data controller)

2. The basic details of the data subject (end-user)

3. Explain the reason for the rejection.

4. Inform the end-user of their right to escalate the request to the manager of the data controller who rejected their DSAR.

5. Inform the end-user of their right to escalate the request to the courts of the country to enforce their request.

The Obligations of the Data Controller

1. Check that the DSAR is legitimate, thus fulfilling the legal obligation as stipulated in the GDPR.

2. Inform the requester if their request was deemed to be unfounded or excessive.

3. Provides records for any audit (internal or external)

Term Definitions

What is a Data Controller?

An organization or person who determines the use of the collected personal data from the data subjects. The data controller owns the collected personal data, decides in which ways it will be processed and bears the sole responsibility for safekeeping it.

What is personal data?

Any type of unique data which relates to an individual data subject. This can include such information as: Name, phone number, Email address, ID number, health records, political opinions, IP address, etc.

What is the processing of personal data?

Any act that is performed on the collected personal data of all the organizations’ data subjects. This may include such actions as storing the data, analyzing it in any way to extract insights or deleting it once it’s no longer required.

What is a data subject (also known as an end-user)?

Any person who created a unique username on the organization’s website, thus giving them the possibility of using that username to perform certain tasks and use features offered on the website.

Who is the DPO?

The Data Protection Officer is the main stakeholder of the organization for all aspects of GDPR compliance. They are responsible for making sure that the GDPR guidelines are adhered to.

What is a DSAR (Data Subject Rights Request)?

Since the creation of the GDPR process, each data subject (customer) of an organization has the right to request to know which of their personal information the organization is collecting, how it’s being analyzed, if it’s sold to other entities and who has access to their personal information. Once the data subject understands which personal information is being collected, they can then exercise further rights such as deletion, change of scope, limitations, etc. Failure to adhere to the request may result in a non-compliance fine.

Key Takeaways / Conclusions

1. The DPO (or their delegate) is responsible for checking if the request is unfounded or excessive and sending their conclusions to the data subject (requestor)

2. In case of a rejection, the response must explain in clear, everyday language why it was rejected.

3. If the data subject decides to appeal the decision, then the GDPR supervisory authority must alert the data controller and send them the relevant communication to allow them to respond within a timely manner.