The new General Data Protection Regulation (GDPR) gives people more control over their personal data, and at first, it may seem that companies only have obligations with regard to this. However, this is not exactly true because the regulation also sets out rights, which should make complying with requests easier.
If a consumer wants to exercise various rights with regard to personal data based on the GDPR, then generally it has to be free of charge. For example, in some situations, one can request to have his or her data to be transmitted or erased, and the company is not allowed to ask for money for this. However, this general rule has exceptions.
If such requests are clearly unjustified or excessive, for example, due to them being repeated, then the company has a right to ask for a reasonable fee or refuse to comply with the request altogether. At the same time, the company is obligated to justify such behavior, and the requested fee cannot exceed the actual expenses of complying with the request.
For example, the company has a right to refuse to comply with a request for obtaining information about data if such a request has been fulfilled only a month ago, or a right to ask a reasonable fee if a person requests several copies of their data. Definite rules that set out when the request is unjustified or excessive do not exist at the moment. This is largely determined by subsequent practice and various guides.
In a situation where a consumer feels that the company has unreasonably refused to fulfill the request or asks an unreasonable fee for it, the option to turn to the Estonian Data Protection Inspectorate is always open. However, it is not recommended to bombard the company with requests in bad faith.
How quick must the answer be?
The GDPR sets out that the company has to answer to the request without undue delay and no later than within one month of receipt of the request. This period can be extended by two months if needed and the request is more complex and substantial than an average one, but notification has to be sent with regard to such extension of the term within one month.
Therefore, an initial answer to the submitter of the request has to be sent within one month.
For example, if you submit a request to Facebook in order to familiarise yourself with your data, then it is possible that the request is not fulfilled before three months due to the large volume of personal data – all data that you have entered and that has emerged during the use of the service has to be forwarded.
If you have sent your request without allowing for personal identification, then the company may ask that from you and thus extend the term even more.
Similarly, the company has to notify the person within a month if the company does not intend to do anything about the request. It should be taken into consideration that such requests should be stored in case the Estonian Data Protection Inspectorate makes an inquiry and it is necessary to prove that the request is justified or not excessive.