
How to Handle a Company's GDPR Response

Sending a GDPR request is the easy part. Companies often push back — asking for ID, claiming exemptions, sending incomplete responses, or simply going quiet. Here is what each response means and exactly what to do next.

They asked you to verify your identity

Under Article 12(6) GDPR, an organisation can ask for additional information to confirm your identity, but only where it has reasonable doubts about who you are, and only for the information necessary to resolve those doubts. This is not a free pass to demand anything they like.

What is reasonable: asking for information that is necessary and proportionate to confirm it is you, for example:

  1. Confirming account details the organisation already holds about you.
  2. Treating a request sent from the email address registered on your account as sufficient confirmation.

What is not reasonable:

  1. Demanding a copy of government ID from an existing customer who has already written from their registered email address.
  2. Asking for more information than is needed to confirm your identity, or information unrelated to the doubt they claim to have.

What to do: Reply in writing:

"I have already provided sufficient confirmation of my identity as an existing customer [or: by submitting this request from my registered email address]. Requiring a copy of government ID is disproportionate and inconsistent with ICO guidance. Please proceed with my request within the statutory one-month period."

If they continue to insist, you can complain to your data protection authority. The ICO has taken action against organisations that use identity checks as a delaying tactic.

They extended your deadline by two months

Article 12(3) allows a two-month extension for requests that are complex or numerous. This threshold is higher than it sounds — a single access request from one individual is rarely complex enough to justify it.

For an extension to be valid, Article 12(3) requires the company to:

  1. Notify you of the extension within one month of receiving your request, not after the first month has already passed.
  2. Give you the reasons for the delay.

A vague email saying "we need more time" with no reasons given does not meet this requirement and is itself a breach of Article 12(3).

What to do: If the extension notice lacks specific reasons, reply asking them to explain exactly what makes your request complex. Make clear you are noting the date for potential complaint purposes. You can still complain to your DPA about an unjustified extension even while waiting for the response.

They refused your request

An organisation can only refuse a subject access request on narrow grounds. The general ones are set out in Article 12(5):

  1. The request is manifestly unfounded.
  2. The request is manifestly excessive, in particular because it repeats earlier requests.

Two further limits are worth knowing. Under Article 15(4), the copy you receive must not adversely affect the rights and freedoms of others, so third parties' details may be redacted; that is not a ground for refusing the whole request. Article 23 allows national law to add specific exemptions, and an organisation relying on one must say which.

For erasure requests specifically, Article 17(3) adds grounds such as legal obligation to retain, establishment or defence of legal claims, or reasons of public interest.

Whatever the ground, the company must: tell you the specific reason for refusal, inform you of your right to complain to a supervisory authority, and inform you of your right to a judicial remedy. A refusal that just says "we're unable to comply" without explanation violates Article 12(4).

What to do:

  1. Write back asking them to identify the specific legal ground for refusal and provide evidence that it applies to your request.
  2. If the refusal is vague or clearly wrong, lodge a complaint with your national data protection authority. See our supervisory authority guide.

The response was incomplete

A valid subject access response must include all of the following (Article 15 GDPR):

  1. Confirmation that your personal data is being processed, and a copy of that data (Article 15(1) and 15(3)).
  2. The purposes of the processing.
  3. The categories of personal data concerned.
  4. The recipients or categories of recipients, in particular any in third countries or international organisations, together with the safeguards applied to such transfers (Article 15(2)).
  5. The envisaged retention period or, if that cannot be given, the criteria used to determine it.
  6. Your rights to rectification, erasure, restriction of processing and objection.
  7. Your right to lodge a complaint with a supervisory authority.
  8. Where the data was not collected from you, any available information about its source.
  9. Whether automated decision-making, including profiling, takes place and, if so, meaningful information about the logic involved and its significance and envisaged consequences for you.

A response that only sends a data export file without the accompanying information (purposes, recipients, retention) is incomplete. Similarly, responses covering only one system (e.g. only your account data, omitting marketing profiles or inferred segments) are partial.

What to do: Reply identifying specifically what is missing. Be precise — vague requests get vague responses. For example:

"Thank you for your response dated [date]. It does not appear to include: (1) the recipients or categories of recipients with whom my data has been shared; (2) the retention period or criteria used to determine it; (3) whether any data was collected from third-party sources. Please provide the complete response within 14 days."

If they fail to complete the response, lodge a complaint with your data protection authority.

They want to charge you a fee

Subject access requests must be fulfilled free of charge in almost all cases. Article 12(5) GDPR only permits a reasonable fee based on administrative costs where a request is manifestly unfounded or manifestly excessive, and the same provision places the burden of demonstrating that on the company. The one other lawful charge is for further copies of data you have already received (Article 15(3)); the first copy is always free.

A routine first request from an individual is neither unfounded nor excessive. Attempting to charge you for it is almost certainly unlawful.

What to do: Dispute the fee in writing, stating that Article 12(5) does not apply to your request and that you expect a free response within the statutory period. If they insist, complain to your data protection authority immediately — regulators take a dim view of fee requests used as a barrier to data rights.

"We hold no data about you"

Organisations are required to respond even when they hold no data. Article 15(1) entitles you to confirmation of whether or not your personal data is being processed, so a written "we hold no personal data about you" is a lawful response (though it may be wrong). Silence, or a reply such as "we have no record of your request", is not.

If you are certain the organisation holds data about you (e.g. you have an account with them, you have received emails from them, or you appear in their breach notification), a "no data" response may be incomplete or incorrect.

What to do: Write back specifying the evidence that they hold your data — account history, marketing emails, breach notification letters. Ask them to recheck and provide a complete response. If the response remains implausible, complain to your DPA.

Ready to escalate? Find the right supervisory authority for your country in our complaint authority guide, or use our Article 77 complaint letter template.