Data subject permissions and communication


The entire General Data Protection Regulation (GDPR) revolves around the protection of personal data, how personal data can be used and so forth. In this article, we will go over the permissions and obligations regarding communication of the Data Subjects in GDPR.

Upon registration of Personal Data

According to article 13 in the GDPR, a Data Controller has to inform a Data Subject at the moment of obtaining Personal Data. At that moment – or within one month maximum – the Data Controller informs the Data Subject of the following:

  • Identity and contact details
  • Purpose of the processing and the related Personal Data
  • How the Personal Data is acquired (direct, profiling, other sources)
  • The legal basis for the processing
  • Categories of Recipients of the Personal Data
  • Optionally, the legitimate interests pursued by the controller
  • Optionally, the intent of transferring the data to a third country or international organization
  • Optionally, the period for which the Personal Data will be stored
  • Optionally, from which source the Personal Data originates
  • Optionally, the existence of automated profiling and/or decision-making
  • An indication of the existence of the right to request access and rectification from the Controller.

Consent from Data Subjects

When no other legal basis is applicable, or the Personal Data Type collected is not required for the performance of a contract, a Data Controller needs a Data Subject’s explicit consent.

Such consent (and its registration) includes (written or with digital proof):

  • Name and identification of the Data Subject
  • The registration date of the consent
  • An indication that consent is freely given
  • Categories of Personal Data for which consent is given
  • Purpose of the processing
  • Optionally, date of withdrawal of the consent

Upon request from Data Subjects

Any request from a Data Subject – with regard to details, modification, erasure, … – must be answered within a maximum of one month for free (except if the request is manifestly unfounded or excessive).

A request is best answered together with the following information:

  • Name and identification of the Data Subject
  • Date of the request,
  • Date of the answer
  • Content of the request
  • EITHER request for additional information to confirm the identity of the Data Subject
  • OR reasons for not taking actions by the Controller, mentioning the possibility of lodging a compliant with the supervisory authority
  • OR providing the requested information, (optionally) complemented with the information as mentioned above in 'Upon registration of Personal Data'.

In case of a data breach

This example letter can be used to inform the Data Subject when he/she is affected by a data breach.



We value your business and respect the privacy of your information, which is why, as a precautionary measure, we are writing to let you know about a data security incident that [may involve/involves] your personal information.

[[Between/On] [IDENTIFY TIME PERIOD OF BREACH], [SUMMARIZE BREACH INCIDENT].] The data accessed [may have included/included] personal information such as [IDENTIFY TYPES OF PERSONAL DATA AT ISSUE]. [To our knowledge, the data accessed did not include any [IDENTIFY TYPES OF PERSONAL DATA NOT INVOLVED]].

[COMPANY NAME] values your privacy and deeply regrets that this incident occurred. [COMPANY NAME] is conducting a thorough review of the potentially affected [records/computer system/IDENTIFY OTHER][, and will notify you if there are any significant developments]. [COMPANY NAME] has implemented additional security measures designed to prevent a recurrence of such an attack, and to protect the privacy of [COMPANY NAME]'s valued [customers/employees/IDENTIFY GROUP OF AFFECTED INDIVIDUALS].

The company also is working closely with the Privacy Authority to ensure the incident is properly addressed.

For further information and assistance, please contact [NAME OF COMPANY REPRESENTATIVE/COMPANY] at [TELEPHONE NUMBER] between [TIME] a.m.- [TIME] p.m. daily[, or visit [WEBSITE]].



Want to learn more?

You can find information on the implementation guidelines of the GDPR, like processing principles, security measures, preparations, operations and much more by clicking on the button below.
You can also download our full implementation guide 'A free quick-start guideline for your GDPR implementation' as a PDF document.

GDPR implementation guidelines


Share this insight