Skip to main content

How should requests from individuals be dealt with?


Individuals may contact a public administration to exercise their rights under the GDPR (rights of access, rectification, erasure, restriction, objection, right not to be subject to automated decision-making).

Note that individuals have a right to object to the processing of personal data by the public administration on grounds of public interest. They must provide the public administration with reasons relating to their particular situation. The public administration may continue processing the data, and thus deny their request, if it demonstrates compelling legitimate grounds for the processing that override the interests and rights of the individual, or if the data is required for the establishment, exercise or defence of legal claims.

If a company is processing your personal data by automated means on the basis of your consent or a contract, you have the right that the company transmits to you your personal data which you provided them. You can also ask for your personal data to be transmitted directly to another company whose services you would like to use, when it’s technically feasible. However, this right does not apply, where the data which you provided are need for the task carried out by a public authority or other organisation for the performance of their public tasks, laid down by law. For example, when you provide a public authority with your personal data for getting social benefits or a building licence, you have no right that the public authority transmit those data to you or to another organisation.

A public administration must reply to requests from individuals without undue delay, and in principle within 1 month of receipt of the request. It may ask for additional information in order for  to confirm the identity of the person making the request. If the request is rejected the individuals must be provided with the reasons for rejection and informed of their right to file a complaint with the DPA and to seek a judicial remedy.

More information about your obligations under the GDPR is available in the section ‘Business and organisations.