Data Subject Requests
Natural persons whose personal data is processed may exercise the following rights:
- Right of access (Article 15 GDPR): Data subjects must be informed upon request whether and which data (including the data actually stored by the person) a company processes about them, for what purposes, and with whom it is shared. The information must be provided in a commonly used and machine-readable format.
- Right to rectification (Article 16 GDPR): Data subjects may request that inaccurate or incomplete data be corrected.
- Right to erasure (Right to be forgotten, Article 17 GDPR): Data subjects may request the deletion of their data.
- Right to restriction of processing (Article 18 GDPR): Data subjects may request the restriction of processing of their data.
- Right to data portability (Article 20 GDPR): Data subjects may request that their data be provided in a structured, commonly used, and machine-readable format and transferred to another provider, which facilitates switching providers.
- Right to object (Article 21 GDPR): Data subjects may object to the processing of their data, particularly if the processing is based on legitimate interest or direct marketing.
Does it make a difference with regard to data subject rights whether my clients are private individuals (B2C) or other companies (B2B)?
No, for the application of data subject rights, it does not matter whether one is active in the B2C or B2B sector. The only determining factor is whether personal data of a natural person is processed.
Data that relates exclusively to legal entities (e.g., GmbH, AG) is not subject to the GDPR. However, as soon as a reference to a natural person exists (e.g., the business email address of an employee), the data subject rights apply.
Data subject requests can be made through various channels. Ideally, the preferred method should be described in the privacy notice.
In general, data subject requests must be answered within one month of receipt. In the case of complex requests, this period may be extended by up to two months.
Furthermore, data subject requests must be processed free of charge. Only in the case of an excessive number of requests by a data subject may costs be charged.
It must also be ensured that the requesting person is indeed the individual in question. If there is reasonable doubt about the identity, this may, if appropriate, be verified by requesting additional information.
Once the identity of a person is verified, each request should be documented with the date of receipt, the type of request, identity verification, and processing steps.
When providing information about stored and processed data of a person, it should be checked in advance whether the rights of third parties (e.g., due to data about other individuals in the information) are affected. Data of third parties should, where applicable, be redacted.