Answer
Individuals may contact your company/organisation to exercise their rights under the GDPR (rights of access, rectification, erasure, portability, etc.). Where personal data is processed by electronic means, your company/organisation should provide means for requests to be made electronically. Your company/organisation must reply to their request without undue delay, and in principle within 1 month of the receipt of the request.
Your company/organisation can ask the requester for additional information in order to confirm their identity.
If your company/organisation rejects the request then it has to inform the person of the reasons for doing so and of their right to file a complaint with the Data Protection Authority and to seek a judicial remedy.
Requests from individuals should be handled free of charge. Where requests are manifestly unfounded or excessive, in particular because of their repetitive character, you may charge a reasonable fee or refuse to act.
Example
A person who accessed all of their personal data the previous month lodges the same access request again for the same personal data. You may either inform them that you reject their request or request a reasonable fee.
References
- Article 12 and Articles 15 to 22 and Recitals (59) and (63) to (71) of the GDPR
- EDPB guidelines 4/2018 on the accreditation of certification bodies under Article 43 of the General Data Protection Regulation (2016/679)
- EDPB guidelines 1/2018 on certification and identifying certification criteria in accordance with Articles 42 and 43 of the Regulation 2016/679 - revised version after public consultation