We have already explained that people (data subjects) have the right to request information from the controller (the person who determines the purposes of the processing) about how their personal data are processed. As set out in the Data Regulation, people can also ask the controller to carry out various actions on their data, such as rectification, erasure or data portability. This time, we explain what a controller should do when it receives a request from a person acting as a data subject.
- Identify the data subject!
When receiving a data subject’s request, the controller must first verify the identity of the person making it. This is necessary to avoid the risk of personal data being disclosed to a third party, or of other actions being taken with the data of a person who never asked for them. If the information provided is not sufficient to verify the applicant’s identity, the controller may request additional information.
Identifying a person does not always require, for example, the presentation of an identity document, authentication in an electronic environment by means of a qualified means of identification, or a signed application. For example, if a person has created a user account on the controller’s portal and can correct data or send a message from his or her own profile, the person’s identity, or at least the separation of that person from other users, is already established once the correct username and password have been entered and the person has logged in to the system. The level of verification should therefore be proportionate to the channel through which the request arrives and to the sensitivity of the data concerned.
- Find out the purpose of the request!
When reading the content of the request, the controller should first clearly identify which rights the person intends to exercise, so that the appropriate data subject rights are ensured when the request is complied with. To make it easier for requests to state clearly what action the individual expects from the controller, the controller may develop a request form that sets out the possible types of request.
- Note the format of the answer!
The controller shall provide the information relating to the request in writing or in another form, including, where appropriate, in electronic form.
Information may also be provided orally at the person’s request, provided that the data subject’s identity is established by other means. When assessing whether the requested information can be provided orally, it should be ascertained whether such communication will ensure compliance with the principle of accountability. Put simply, whether the controller will later be able to demonstrate that the request has been complied with. For example, a recording of the conversation can ensure compliance with this principle if it is made in accordance with the requirements of the Data Regulation.
If technically feasible, the response to the request should be provided through the same communication channel as the person used.
- Respect the deadlines!
You must reply to a request without undue delay and no later than one month after receiving it. In certain cases this deadline can be extended by a further two months where necessary, taking into account the complexity and number of the requests.
Whether a request is complex may be assessed by considering, for example:
- the amount of data processed;
- how the information is stored, in particular if the information is difficult to retrieve, for example if the data are processed by different departments of the controller;
- the need to redact the information before it is released, if, for example, it also contains data of other persons or trade secrets;
- whether providing the requested information requires additional processing in order to make the information comprehensible and usable.
If it is necessary to extend the time limit, the controller must in any event inform the applicant within one month of receipt of the request, stating the reasons for the need for more time.
- Act accordingly if you receive an unreasonable or disproportionate request!
There are certain exceptions to the obligations imposed on the controller if the request is manifestly unfounded or excessive, in particular because of its repetitive character.
In such cases, the controller may either:
- charge a reasonable fee for complying with the request, covering the administrative costs of providing the information or communication or of carrying out the requested action (as a general rule, a proper request is complied with free of charge); or
- refuse to comply with the request.
Whichever of these decisions is taken, the controller is obliged to give reasons for it, stating why the request was considered manifestly unfounded or excessive; the burden of demonstrating this rests on the controller.
Examples of unfounded or excessive requests include:
- it is not possible to identify the applicant even after requesting additional information;
- a request for action or information which the controller is not obliged to comply with;
- the individual has already made the same or a similar request (taking into account how much time has passed since it was made), and nothing in the processing has changed since the previous request was fulfilled.
If the controller does not carry out the requested action, it must inform the individual, no later than one month after receipt of the request, of the reasons for not acting and of the possibility of lodging a complaint with the Data Protection Inspectorate and of seeking a judicial remedy.
- Document the progress of requests!
To ensure compliance with the principle of accountability, the controller should keep records of the requests received and of how they were processed. Recording the progress of processing is particularly important where the handling of a request results in a decision not to grant it in whole or in part, or where, for example, the person is charged a fee for complying with it. The controller should establish a procedure for handling data subject requests and set it out in its internal rules, so that its obligations are performed in a uniform and transparent manner. The controller may also describe in its privacy policy how data subject requests are handled, thus giving people information at an early stage that may help them prepare a proper request.
- Cooperate with the State Data Inspectorate!
The controller must be ready to cooperate with the supervisory authority and to provide information on how a request was processed if a person lodges a complaint with the Data Protection Inspectorate about the controller’s response or failure to respond. In turn, the controller may contact the DPO if questions arise about handling a request in accordance with the requirements of the Data Regulation.