Handling GDPR Data Requests: The Complete Guide 2026
From legal foundations to the 8-step process and ROI comparison – everything Data Protection Officers and HR departments need to know.
Chapter 1: Why This Whitepaper?
Data subject access requests under Art. 15 GDPR have become a recurring operational task
Since the General Data Protection Regulation came into force in May 2018, data subject access requests at European companies have quintupled. What began as an occasional enquiry is now a recurring operational task in many organisations – particularly in HR departments, legal teams, and for Data Protection Officers.
The numbers speak for themselves: a single complex data subject access request – for example, from a former employee with many years of service – can require an average of 40 working hours. At personnel costs of €60 per hour, that amounts to €2,400 per request. Companies with several hundred employees process 20 to 50 such requests per year.
At the same time, the risk is increasing: European data protection authorities have imposed fines running into the millions in recent years – not infrequently for incorrect or delayed handling of data subject access requests. The inadvertent disclosure of third-party data due to inadequate redaction is one of the most common errors.
This whitepaper offers a structured, field-tested approach:
- Legal foundations in detail – so you know what the GDPR requires
- A proven 8-step process with checklists – so no step is missed
- Template letters for the three most common scenarios – so you can act immediately
- Three detailed case studies from practice – so you can learn from others' experiences
- An ROI comparison between manual and automated processing – so you can make the right investment decision
Chapter 2: Legal Foundations
The GDPR articles you need to know – and their practical implications
Art. 15 GDPR – Right of Access
Art. 15 is the central data subject right and gives every natural person the right to know whether and which personal data are being processed about them. The controller must provide information about:
- The purposes of processing
- The categories of personal data being processed
- The recipients or categories of recipients to whom the data have been or will be disclosed
- The envisaged storage period or the criteria for determining it
- The existence of a right to rectification, erasure, restriction, or objection
- The right to lodge a complaint with a supervisory authority
- Where data were not collected from the data subject: all available information about the source of the data
- Information about the existence of automated decision-making including profiling
Furthermore, the data subject has the right to receive a copy of the personal data (Art. 15(3)). Where the request is made electronically, the data shall be provided in a commonly used electronic format.
Art. 15(4) – Protection of Third-Party Rights
This paragraph clarifies that the right to obtain a copy shall not adversely affect the rights and freedoms of others. In practice, this means: all documents that contain personal data of third parties alongside the data of the requesting person must be carefully redacted before disclosure.
Practical example: A personnel file contains performance reviews with information about both the requesting employee and the reviewing manager. The manager's name, position, and assessments must be redacted – the review content relating to the employee must be disclosed.
Art. 12 GDPR – Transparency and Deadlines
Art. 12 governs the form and deadlines for communication:
- Deadline: 1 month from receipt of the request
- Extension: By a maximum of 2 additional months – only where requests are complex or numerous
- Notification obligation: If extended, the data subject must be informed within the first month, stating reasons
- Form: Information must be provided in a concise, transparent, intelligible, and easily accessible form, using clear and plain language
- Cost: The first copy is free of charge. A reasonable fee based on administrative costs may be charged for additional copies
Art. 17 GDPR – Right to Erasure
A data subject access request is frequently followed by an erasure request. Art. 17 gives the data subject the right to obtain erasure without undue delay where one of the grounds set out in Art. 17(1) applies. Important: the right to erasure is not absolute – statutory retention obligations (e.g. tax law: 7–10 years) take precedence.
Art. 20 GDPR – Right to Data Portability
Data subjects may request that their data be provided in a structured, commonly used, and machine-readable format. This right complements Art. 15 and applies particularly to data the person has provided themselves and which is processed on the basis of consent or a contract.
Art. 83(5) GDPR – Penalty Framework
Infringements of data subject rights (Art. 12–22) may result in fines of up to €20 million or 4% of total worldwide annual turnover of the preceding financial year – whichever is higher.
Note: The inadvertent disclosure of third-party data due to faulty redaction also constitutes a notifiable data breach under Art. 33 GDPR, which must be reported to the competent supervisory authority within 72 hours.
National Specifics
Germany (BDSG Section 34): The German Federal Data Protection Act supplements the GDPR right of access. In particular, Section 34 BDSG contains restrictions on the right of access where data are stored solely due to statutory retention obligations or where providing information would require disproportionate effort.
Austria (DSG Section 1): The Austrian Data Protection Act enshrines the fundamental right to data protection as a constitutionally protected right. Additionally, Section 1(2) DSG provides that restrictions on the right of access are only permissible under specific conditions. The Austrian Data Protection Authority has emphasised in several decisions that the right of access is to be interpreted broadly.
Chapter 3: The 8-Step Process
A proven approach – from receiving the request to compliance documentation
Receive and Document the Request
The day the request is received marks the start of the deadline. Document immediately:
- Date and time of receipt
- Communication channel (email, letter, verbal, portal)
- Content and scope of the request
- Name and contact details of the requesting person
Tip: Set up a dedicated email address (e.g. privacy@company.com) and a standardised form. This ensures no request is overlooked and the deadline is tracked correctly.
Verify the Identity of the Requesting Person
Before disclosing personal data, you must confirm the identity of the requesting person. The verification process must be proportionate:
- Known email address: Request comes from the email address on file → generally sufficient
- Unknown sender: Request a copy of identification (non-relevant data may be redacted)
- Representative/lawyer: Request power of attorney
Important: Identity verification must not be used as a delaying tactic. Excessive requirements for proof of identity can themselves constitute a GDPR violation.
Determine Scope: Which Systems Contain Relevant Data?
Create a systematic overview of all systems that may contain personal data of the requesting person:
- HR systems: Personnel file, time tracking, payroll, applicant management
- Email: Mailboxes, archives, deleted items
- CRM/ERP: Customer data, invoices, correspondence
- File servers: Network drives, SharePoint, cloud storage
- Paper files: Physical archives, scanned documents
- Backups: Archiving systems, tape drives
- Other: Access control systems, video surveillance, fleet management
Checklist: Use your records of processing activities (Art. 30 GDPR) as a starting point. It lists all processing activities and the associated systems.
Collect Relevant Documents
Gather all documents containing personal data of the requesting person. For a former employee, these may include:
- Employment contract and supplementary agreements
- Payslips and tax certificates
- Performance reviews and target agreements
- Email correspondence (sent and received)
- Meeting minutes and internal notes
- Sick notes and return-to-work documentation
- References and training certificates
- Warnings and termination letters
For each collected document, record: source, document type, number of pages, and whether it contains third-party data.
Identify and Classify Third-Party Data
Review each document systematically and mark all sections containing personal data of third parties or information requiring protection:
- Third-party personal data: Names, addresses, phone numbers, email addresses, signatures, dates of birth of other individuals
- Assessments by third parties: Named managers in performance reviews, colleagues' comments in meeting minutes
- Trade secrets: Internal calculations, strategy documents, confidential business figures
- Indirect identifiability: Contextual information that, in combination, enables identification of third parties (e.g. "the responsible officer in Department X")
Important: Do not forget metadata, footers, headers, embedded comments in Office documents, and file names – these too may contain third-party data.
Redact: Automatically or Manually
Now the actual redaction takes place. It is critical that the redaction is permanent and irreversible – the redacted data must not be recoverable.
Manual redaction:
- Review and redact each document individually
- Time required: approx. 5 minutes per page
- Error rate: 5–15% (third-party data overlooked)
- Risk: Non-permanent redaction via PDF overlays
Automated redaction with Docuflair Redact:
- Batch processing of entire file folders
- Automatic detection of 9+ PII categories
- Active Directory integration for employee data
- Permanent, pixel-based redaction
- Selective exports: different versions for different recipients
- Time required: approx. 5 seconds per page
Quality Control: Four-Eyes Principle and Spot Checks
Before disclosure, thorough quality control is essential:
- Four-eyes principle: A second person reviews the redacted documents
- Spot checks: For large volumes, review at least 10% of documents in detail
- Test permanence: Attempt to recover redacted areas by highlighting, copying, or using PDF tools
- Completeness: Are all of the requesting person's data included? Is anything missing?
- Readability: Are the non-redacted contents still comprehensible and coherent?
- Consistency: Was the same name redacted everywhere – including footers, headers, and metadata?
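The permanence test above can be partly automated. The following Python script is an added example, not code from the whitepaper or from Docuflair Redact: it builds two constructed one-page PDFs (one with a black box painted over the name, one with the text operator actually removed), inflates the content streams and reports whether the redacted term can still be copied out of the file. The PDF layout, the regex-based text extraction and the sample name are assumptions; real documents also use TJ arrays, hex strings and custom encodings, so treat this as a first-pass check rather than a full parser.

```python
import re
import zlib

# "stream ... endstream" bodies and the operand of Tj show-text operators.
_STREAM_RE = re.compile(rb"stream\r?\n(.*?)endstream", re.DOTALL)
_TJ_RE = re.compile(rb"\((.*?)\)\s*Tj", re.DOTALL)


def build_demo_pdf(secret: bytes, overlay_only: bool) -> bytes:
    """Constructed one-page PDF for the demo (secret must not contain PDF string delimiters).

    overlay_only=True mimics a non-permanent redaction: the text is still
    drawn and a black box is painted over it. overlay_only=False mimics a
    permanent one: the show-text operator is gone and only the box remains.
    """
    box = b"0 g 70 690 200 20 re f\n"
    text = b"BT /F1 12 Tf 72 700 Td (" + secret + b") Tj ET\n"
    stream = zlib.compress((text + box) if overlay_only else box)
    objects = [
        b"<< /Type /Catalog /Pages 2 0 R >>",
        b"<< /Type /Pages /Kids [3 0 R] /Count 1 >>",
        b"<< /Type /Page /Parent 2 0 R /MediaBox [0 0 612 792] "
        b"/Resources << /Font << /F1 5 0 R >> >> /Contents 4 0 R >>",
        b"<< /Length %d /Filter /FlateDecode >>\nstream\n" % len(stream)
        + stream + b"\nendstream",
        b"<< /Type /Font /Subtype /Type1 /BaseFont /Helvetica >>",
    ]
    out, offsets = bytearray(b"%PDF-1.4\n"), []
    for num, obj in enumerate(objects, start=1):
        offsets.append(len(out))
        out += b"%d 0 obj\n" % num + obj + b"\nendobj\n"
    xref_at = len(out)
    out += b"xref\n0 %d\n0000000000 65535 f \n" % (len(objects) + 1)
    out += b"".join(b"%010d 00000 n \n" % off for off in offsets)
    out += b"trailer\n<< /Size %d /Root 1 0 R >>\nstartxref\n%d\n%%%%EOF\n" % (
        len(objects) + 1, xref_at)
    return bytes(out)


def recoverable_text(pdf: bytes) -> list:
    """Return every Tj string still present in the content streams (FlateDecode
    streams are inflated first). Anything returned here can be copied out of
    the file regardless of what is painted on top of it."""
    found = []
    for m in _STREAM_RE.finditer(pdf):
        raw = m.group(1)
        try:
            data = zlib.decompressobj().decompress(raw)  # tolerates the trailing EOL
        except zlib.error:
            data = raw  # stream was not compressed
        found.extend(s.decode("latin-1") for s in _TJ_RE.findall(data))
    return found


def redaction_is_permanent(pdf: bytes, redacted_terms: list) -> bool:
    """True only if none of the redacted terms is still extractable."""
    text = " ".join(recoverable_text(pdf))
    return not any(term in text for term in redacted_terms)
```

Run `redaction_is_permanent(build_demo_pdf(b"Jane Doe", True), ["Jane Doe"])` to see the overlay version fail the check while the version with the text removed passes.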
Respond on Time and Document Compliance
Provide the data subject with the prepared documents and document the entire process:
- Delivery: In a commonly used electronic format (PDF recommended), encrypted where possible
- Cover letter: Response letter referencing Art. 15 GDPR and explaining any redactions
- Documentation: Date of receipt, persons involved, systems searched, number of documents, redaction rationale, date of dispatch
- Audit trail: For automated redaction, a SHA-256 hash chain as proof of integrity
Accountability principle (Art. 5(2) GDPR): You must not only act in compliance – you must also be able to demonstrate it. Comprehensive documentation is your most important safeguard when facing supervisory authorities.
Chapter 4: Checklist – What to Disclose, What to Redact?
Guidance for the most common document types
The following overview shows which information must be disclosed in response to a data subject access request and which may or must be redacted:
| Must Be Disclosed | May/Must Be Redacted |
|---|---|
| Own emails and correspondence | Names and contact details of third parties in CC/BCC |
| Personnel file (own data) | Salaries, reviews, and data of other employees |
| Performance reviews about the person | Named reviewing managers (where their protection interest prevails) |
| Contract documents (own contract) | Internal calculations and margins |
| Application documents (own) | Notes and assessments of other applicants |
| Meeting minutes (own statements) | Statements and identity of other participants |
| Time tracking data | Shift schedules with other employees' data |
| Training records and certificates | Attendance lists of other training participants |
Rule of thumb: When in doubt, redact more rather than less. A piece of information you failed to disclose can be provided later – third-party data you inadvertently disclosed constitutes a notifiable data breach.
Chapter 5: Template Letters
Three text templates for the most common scenarios – ready to use
1. Acknowledgement of Receipt
Dear [Name],
Thank you for your request dated [Date] regarding access to your personal data stored with us pursuant to Art. 15 GDPR.
We confirm receipt of your request and will process it within the statutory deadline of one month. Should we require further information from you for processing, we will contact you without delay.
Kind regards,
[Name, Position]
2. Response Letter (on time, with reference to redactions)
Dear [Name],
With reference to your data subject access request dated [Date], we hereby provide you with the requested information pursuant to Art. 15 GDPR.
Enclosed you will find a copy of the personal data relating to you that are stored with us. The documents were identified in the following systems: [system list].
Please note that certain passages in the enclosed documents have been redacted. These redactions concern personal data of third parties and trade secrets, the disclosure of which would adversely affect the rights and freedoms of other persons (Art. 15(4) GDPR).
Should you have any questions about the information provided, please do not hesitate to contact us.
Kind regards,
[Name, Position]
3. Deadline Extension (with justification)
Dear [Name],
We have received your data subject access request dated [Date] and are processing it with the highest priority.
Due to the particular complexity of your request – [justification, e.g. "the extensive volume of documents to be reviewed across multiple systems" / "the need for coordination with several departments"] – we require an extension of the processing deadline by [number] month(s) pursuant to Art. 12(3) GDPR.
You will receive the complete information no later than [Date]. We appreciate your understanding.
Kind regards,
[Name, Position]
Chapter 6: Three Case Studies From Practice
Concrete scenarios – and how they were resolved efficiently
Case Study 1: Former Employee After Termination
Situation: A former employee with 12 years of service at a mid-sized company (800 employees) submits a comprehensive data subject access request. The HR department must provide his entire personnel file, all emails, and all documents relating to his person.
Scope:
- Personnel file: 180 pages (contracts, reviews, sick notes, warnings)
- Email archive: 340 emails with attachments
- Meeting minutes: 25 documents
- Training certificates: 15 certificates
Challenge: The performance reviews contain names and assessments from 8 different managers. The emails contain data from customers, colleagues, and external service providers. Meeting minutes contain statements from the works council.
Solution with Docuflair Redact:
- Active Directory matching automatically identifies all internal personnel data
- 9 PII categories detect customer data and external contacts
- Selective export: one version for the ex-employee (third-party data redacted), one copy for the internal archive (complete)
- Processing time: 3.5 hours instead of an estimated 45 hours manually
Case Study 2: Customer Requests All Stored Data
Situation: A long-standing B2B customer of a service provider requests full disclosure of all personal data stored about them. The customer had regular contact with various departments over 5 years.
Scope:
- CRM entries: 85 records (contact history, quotes, contracts)
- Email correspondence: 210 emails from 4 departments
- Contract documents: 12 contracts and supplementary agreements
- Invoices and payment records: 48 documents
Challenge: The emails contain internal discussions between employees about pricing and customer terms. Contract documents include margin calculations and internal approval notes.
Solution:
- PII detection automatically identifies all employee data in emails
- Trade secrets (calculations, margins) are flagged as areas to redact
- Two export versions: customer version (third-party data and trade secrets redacted) and internal compliance copy
- Processing time: 2 hours instead of an estimated 25 hours manually
Case Study 3: Rejected Applicant
Situation: A rejected applicant submits a data subject access request 4 months after receiving the rejection. They suspect discrimination and may be preparing a legal claim.
Scope:
- Application documents: CV, cover letter, certificates (12 pages)
- Interview protocols: 3 interview records from different interviewers
- Internal evaluation forms: 3 forms with scoring and comments
- Email correspondence: 15 emails (internal and external)
- Comparison notes: document comparing the top 3 candidates
Challenge: The evaluation forms name the interviewers and contain their subjective assessments. The comparison notes contain personal data of the other two finalists.
Solution:
- Application documents: disclose in full (own data)
- Interview protocols: redact interviewer names, disclose assessment content about the applicant
- Evaluation forms: redact names and assessments of interviewers, disclose scoring and comments about the applicant
- Comparison notes: fully redact all data of the other candidates
- Processing time: 1.5 hours instead of an estimated 12 hours manually
Chapter 7: Automation vs. Manual Process
The numbers speak for themselves
ROI Comparison Table
| Criterion | Manual | Automated (Docuflair Redact) |
|---|---|---|
| Time per request (500 documents) | ~40 hours | ~4 hours |
| Error rate (third-party data overlooked) | 5–15% | <1% |
| Cost per request (€60/h) | €2,400 | €240 |
| Audit trail | None (must be created manually) | SHA-256 hash chain, automatic |
| Multiple versions | Manually duplicate and adapt | Selective exports at the click of a button |
| Redaction consistency | Depends on the operator | 100% consistent |
| Redaction permanence | Risk with PDF overlays | Pixel-based, irreversible |
| Scalability | Linear (more requests = more staff) | Batch processing, virtually unlimited |
Break-Even Calculation
Assuming a company processes 20 complex data subject access requests per year (averaging 500 documents per request):
- Manual processing: 20 requests × 40 hours × €60/h = €48,000 per year
- Automated processing: 20 requests × 4 hours × €60/h = €4,800 per year (plus software costs)
- Annual saving: €43,200 (minus software licence)
Not factored in are the avoided risks: a single notifiable data breach caused by faulty manual redaction can result in fines, compensation claims, and reputational damage running into hundreds of thousands of euros.
Conclusion: With more than 5 data subject access requests per year, the investment in an automated redaction solution typically pays for itself within the first 6 months.
Chapter 8: Compliance Evidence With Audit Trail
Why demonstrability is just as important as the redaction itself
The Accountability Principle Under Art. 5(2) GDPR
The GDPR requires not only that organisations act in compliance with data protection law – they must also be able to demonstrate this. During an audit by the supervisory authority, it is not sufficient to say: "We redacted correctly." You must document who redacted what, when, and why.
SHA-256 Hash Chain as Proof of Integrity
Docuflair Redact automatically creates a SHA-256 hash chain for every processed document. This hash chain documents:
- Hash of the original document: Proves the initial state before redaction
- Hash of the redacted document: Proves the exact state after redaction
- Timestamp: When was the redaction performed?
- User identification: Who initiated the redaction?
- Redaction rules: Which categories were redacted and which detection method was used?
Through the cryptographic chaining of hashes, any subsequent tampering is detectable. This method is comparable to blockchain technology and provides the highest level of evidential value.
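As an added illustration of how such a chain works (this is not Docuflair Redact's own implementation, whose record format is not described here), the following Python records the five fields listed above for each redaction, links every entry to the hash of the previous one, and recomputes all links on verification. The field names, the canonical JSON serialisation and the sample documents are assumptions.

```python
import hashlib
import json
from datetime import datetime, timezone

GENESIS = "0" * 64  # prev_hash value for the first entry of a chain


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def _entry_hash(fields: dict) -> str:
    # Canonical JSON (sorted keys, fixed separators) so that a verifier
    # reproduces exactly the bytes that were hashed when the entry was written.
    return sha256_hex(json.dumps(fields, sort_keys=True, separators=(",", ":")).encode())


def append_entry(chain: list, original: bytes, redacted: bytes, user: str,
                 rules: list, timestamp: str = "") -> dict:
    """Record one redaction: both document hashes, who, when, which rules,
    and the hash of the previous entry, all covered by this entry's hash."""
    prev = chain[-1]["entry_hash"] if chain else GENESIS
    fields = {
        "original_sha256": sha256_hex(original),
        "redacted_sha256": sha256_hex(redacted),
        "timestamp": timestamp or datetime.now(timezone.utc).isoformat(),
        "user": user,
        "rules": sorted(rules),
        "prev_hash": prev,
    }
    entry = dict(fields, entry_hash=_entry_hash(fields))
    chain.append(entry)
    return entry


def verify_chain(chain: list) -> tuple:
    """Recompute every link; returns (True, -1) or (False, first bad index)."""
    prev = GENESIS
    for i, entry in enumerate(chain):
        fields = {k: v for k, v in entry.items() if k != "entry_hash"}
        if fields.get("prev_hash") != prev or _entry_hash(fields) != entry.get("entry_hash"):
            return False, i
        prev = entry["entry_hash"]
    return True, -1


def delivered_copy_matches(entry: dict, delivered: bytes) -> bool:
    """Check that the file actually sent to the data subject is the recorded one."""
    return sha256_hex(delivered) == entry["redacted_sha256"]


if __name__ == "__main__":
    chain = []  # constructed sample documents, not real personnel data
    append_entry(chain, b"personnel file", b"personnel file, names removed",
                 "dpo@example.com", ["names", "email_addresses"], "2026-01-05T09:00:00+00:00")
    append_entry(chain, b"minutes", b"minutes, third parties removed",
                 "dpo@example.com", ["names"], "2026-01-05T09:05:00+00:00")
    print(verify_chain(chain))          # (True, -1)
    chain[0]["user"] = "someone else"   # tamper with an earlier entry
    print(verify_chain(chain))          # (False, 0)
```

A chain like this reveals any change to an earlier entry, but not the silent removal of the newest entries; the latest entry_hash should therefore also be stored where the redaction operator cannot alter it, for example in a separately kept log or with a timestamping service.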
Documentation for Supervisory Authorities
In the event of an audit or complaint, you can present the following evidence to the supervisory authority:
- Processing log: Complete chronology of processing (receipt, steps, dispatch)
- Hash certificate: Cryptographic proof of document integrity
- Redaction report: Listing of all redacted areas with justification
- Quality control log: Documentation of the four-eyes review
Practical tip: Retain compliance documentation for at least 3 years after completing the process. For pending legal proceedings, retention periods are extended accordingly.
Chapter 9: Conclusion and Next Steps
The key takeaways at a glance
Key Takeaways
- Take deadlines seriously: The one-month deadline under Art. 12 GDPR starts on the day of receipt. A late response is a violation – regardless of the complexity of the request.
- Protect third-party data consistently: Disclosing third-party data constitutes a notifiable data breach. Only permanent, pixel-based redaction is legally compliant.
- Standardise processes: An 8-step process with clear responsibilities and checklists prevents errors and saves time.
- Automation pays off: With more than 5 requests per year, automated redaction pays for itself. Time savings amount to 90%, and the error rate drops from 15% to below 1%.
- Ensure demonstrability: The accountability principle under Art. 5(2) GDPR requires comprehensive documentation. An automated audit trail is the most reliable solution.
Ready for Efficient GDPR Compliance?
Experience in a personal demo how Docuflair Redact automates your data subject access requests, ensures legal compliance, and documents everything seamlessly.