Implementing Regulation of PDPL Article 3 outlines how Controllers must handle requests from individuals who want to exercise their rights under the PDPL—such as access, correction, deletion, or restriction of their personal data. It imposes clear expectations on timing, verification, documentation, and justification in case of refusal. Controllers must respond within 30 days, and can extend the deadline by another 30 days only under specific conditions (e.g., excessive workload, complexity), with proper notice to the data subject.
Controllers must also verify the identity of the requester, record the request (even if submitted orally), and adopt the necessary organizational and technical measures to ensure a smooth response process. The article also gives legal guardians the right to act on behalf of individuals who lack legal capacity. Finally, the Controller may reject requests that are clearly repetitive, unreasonable, or burdensome—but must explain why.
The Controller shall, upon receiving a request from the Data Subject regarding their rights as stipulated in the Law, do the following:
Implementing Regulation of PDPL Article 3 (1) (a)
Respond in Time
Act on the request of the Data Subject for exercising their rights under the Law within a period not exceeding (30) days and without delay. This period may be extended in case the implementation requires disproportionate effort, or if the Controller receives multiple requests from the data subject, provided that the extension does not exceed an additional (30) days and the Data Subject is notified in advance of the extension with the reasons for the delay.
Implementing Regulation of PDPL Article 3 (1) (b)
Enable Rights Fulfillment
Take the necessary technical, administrative, and organizational measures to ensure a prompt response to requests related to exercising rights.
Implementing Regulation of PDPL Article 3 (1) (c)
Identity Verification
Take appropriate measures to verify the identity of the requester before executing the request in accordance with relevant legal requirements.
Implementing Regulation of PDPL Article 3 (1) (d)
Keep Proper Records
Take the necessary measures to document and keep a record of all submitted requests, including oral requests.
Implementing Regulation of PDPL Article 3 (2)
Reject If Unreasonable
The Controller may refuse to act on a request when it is repetitive, manifestly unfounded, or requires disproportionate efforts, in which case the Data Subject shall be notified of such reason.
Implementing Regulation of PDPL Article 3 (3)
Legal Guardian Rights
In cases where the Data Subject fully or partially lacks legal capacity, their legal guardian shall exercise their rights on their behalf.
Explanation of Implementing Regulation of PDPL Article 3
30-day deadline, extendable with notice:
Implementing Regulation of PDPL Article 3 (1) (a) says to respond to data subject rights requests within 30 days, extendable to 60 with a valid reason.
Ensure readiness to process requests:
Implementing Regulation of PDPL Article 3 (1) (b) says to put in place technical and organizational systems to handle data subject rights effectively.
Verify requester identity before action:
Implementing Regulation of PDPL Article 3 (1) (c) says to ensure requests are authentic by confirming the requester’s identity as per legal norms.
Document all requests and actions:
Implementing Regulation of PDPL Article 3 (1) (d) says to maintain logs of requests, including verbal ones, and any steps taken in response.
Controllers can deny repetitive or burdensome requests:
Implementing Regulation of PDPL Article 3 (2) says to reject only if the request is excessive, repeated, or obviously unfounded, with justification.
Guardians can act for incapacitated individuals:
Implementing Regulation of PDPL Article 3 (3) says that if someone lacks legal capacity, their guardian may submit requests on their behalf.