Iubenda logo
Start generating

Documentation

Table of Contents

Data subject requests: A 14-month delay cost this company €100,000

Time is of the essence. 

And when it comes to responding to data subject requests (DSRs), it’s all the more important. But DSRs are something that many organizations overlook – which can come with significant consequences.

As one Belgian telecommunications company found out the hard way. 

In a moment, you’ll discover where this organization went wrong and how you can protect yourself from the same fate – it’s easier than you think. 

What’s a data subject request? 

A data subject request is a formal request made by an individual to an organization about the personal data that it has collected, processed, or stored about them – ensuring individuals have greater control over their personal data.

It’s a key part of privacy laws like the General Data Protection Regulation (GDPR), making it vital for you to keep in mind to stay compliant.  

Under GDPR, individuals have the right to make eight different requests when it comes to their personal data:  

  1. The right to be informed
  2. The right of access
  3. The right to rectification
  4. The right to erasure
  5. The right to restrict processing
  6. The right to data portability
  7. The right to object
  8. Rights related to automated decision-making

What happened?

A client of a Belgian telecommunications company noticed there were some changes to their subscription and billing, even though they didn’t ask for anything to be changed. 

To find out why the issue came up in the first place, on January 25th 2022 the client asked the company for access to their personal data – with specific details on which employees accessed their  personal data, when they did so, and why – as per their rights according to GDPR. 

A few weeks passed and the individual concerned hadn’t received the data they requested, despite sending reminders. So they made a formal complaint to the Belgian Data Protection Authority (DPA). 

In fact, the individual concerned didn’t receive the data they requested from the organization until March 28th 2023 – 14 months later.

Where they went wrong

The DPA found that the telecommunications company had violated:

When an organization receives a DSR, they’re required to respond within a month and take appropriate action, depending on the nature of the request. This company responded with the requested data 14 months later. 

The consequence of responding so late?

A fine of €100,000.

How you can avoid the same mistakes

If the prospect of dealing with a DSR seems overwhelming, you don’t have to worry – it’s easy with the right tool. 

iubenda’s Data Subject Rights Management Tool simplifies the whole DSR process for you, allowing you to address all the different types of data subject requests. 

Setup is quick: All you have to do is activate the tool and embed a request form on your website for easy access. 

Then, once someone makes a request you’ll receive a notification – so you can take action, fast. 

You’ll be guided through the process with regular reminders, ensuring you don’t miss a step.

With the Data Subject Rights Management Tool, you’ll have all the help you need to respond to data subject requests quickly, making it easier to comply with legal requirements.

It might just save you €100,000.

About us

iubenda

Attorney-level solutions to make your websites and apps compliant with the law across multiple countries and legislations.

www.iubenda.com