What is a regulation? Allowed and Prohibited Procedures, and Practical Implementation

1. What Is a Regulation and How Does the GDPR Work?

1.1 The Legal Nature of a Regulation

A regulation is a binding legal act that applies directly and uniformly in every EU member state. Unlike a directive, which sets goals and leaves each national government to decide how to reach them in its own law, a regulation is directly applicable: it does not have to be transposed into national legislation, although member states may adopt supplementing acts where the regulation leaves them room (the Dutch UAVG, discussed in section 8, is an example).

For businesses, this means that an EU regulation such as the General Data Protection Regulation (GDPR) is applied in the same way throughout the EU (and, via the EEA agreement, in Norway, Iceland and Liechtenstein).

1.2 The GDPR: Directly Applicable EU Law

The GDPR requires every organization that processes personal data of people in the EU, whether it is established in the EU or offers goods and services to, or monitors the behaviour of, people in the EU from elsewhere, to process that data lawfully, transparently, and securely. Because it’s a regulation:

  • The same rules apply in all EU countries.
  • Individuals (customers, employees, partners) can directly invoke their rights under the GDPR.
  • Organizations must organize compliance themselves without waiting for national instructions.

The GDPR imposes obligations such as:

  • Securing personal data
  • Documenting data processing activities
  • Facilitating and fulfilling data subject rights

2. Data Subject Rights Organizations Must Respect

| Right | What this means for organizations | Example |
|---|---|---|
| Right to information | Transparent communication on personal data processing | Clear privacy notice on the website |
| Right of access | Providing an overview of stored personal data upon request | Customer receives a list of all stored data |
| Right to rectification | Correct inaccurate or outdated personal data | Updating an employee’s incorrect address |
| Right to erasure (“right to be forgotten”) | Delete data when there’s no valid legal ground | Removing an old customer account |
| Right to restrict processing | Temporarily stop processing upon request | Pausing processing during a dispute |
| Right to data portability | Provide data in a structured, commonly used, machine-readable format | Delivering customer data in CSV format |
| Right to object | Stop processing for certain purposes upon objection | Unsubscribing from marketing emails |
| Right to human review of automated decisions | Human intervention in decisions based solely on automated processing | Manual review of an automatically rejected loan |

3. Facilitating These Rights

Organizations must make it easy for individuals to exercise their rights:

  • Simple procedures: Request forms are fine but must not be the only option.
  • Proportional ID checks: Only request the minimum necessary data for identity verification.
  • One-month response time: Extendable by two further months where necessary, given the complexity and number of requests; the requester must be told of the extension and its reasons within the first month.
  • Free of charge: Unless requests are excessive or repetitive.

Prohibited barriers include:

  • Complex, unnecessary request procedures
  • Demanding excessive personal data
  • Delaying or ignoring requests
  • Charging fees for standard requests

4. Allowed and Prohibited Procedures

✅ Allowed

  • User-friendly request forms with alternatives like email
  • Minimal data ID verification (e.g., verification code by email)
  • Logging requests digitally for audits
  • Clear internal instructions so staff can respond promptly
  • Automating simple requests while keeping transparency

🚫 Prohibited

  • Mandatory platform registration to submit a request
  • Excessive data demands (e.g., full passport copy for a simple request)
  • Referring the requester to third parties if you are responsible
  • Delaying without valid reason
  • Charging for standard requests

5. Practical Guide: Handling GDPR Requests

Step 1 – Receipt: Confirm receipt promptly (an internal target such as 5 business days; the GDPR itself sets only the one-month deadline for the substantive reply)
Step 2 – Identification: Ask only what’s necessary
Step 3 – Review: Check legal exceptions and locate relevant systems
Step 4 – Execution: Perform the requested action and log it
Step 5 – Response: Reply within one month, explain clearly
Step 6 – Archive: Document for audits, store only necessary data

6. Example Standard Responses

Acknowledgement

We confirm receipt of your GDPR request and will respond within one month.

Approval

Your request has been approved. The requested data has been [provided / corrected / deleted].

Rejection

Unfortunately, we cannot fulfill your request due to [legal reason]. You may file a complaint with your supervisory authority.

7. Internal Compliance Checklist

  • Clear internal procedures in place
  • Staff trained on GDPR rights and procedures
  • All requests documented and traceable
  • Privacy notice is current and understandable
  • No unnecessary obstacles in the process

8. Dutch Implementation Act (UAVG)

In the Netherlands, the GDPR is supplemented by the UAVG, which adds:

  • Exceptions for certain sectors (journalism, security)
  • Requirements for accessible communication
  • Additional sector-specific rules (e.g., healthcare, public sector)

Conclusion for Businesses

GDPR compliance is about more than having a privacy policy on paper. It requires accessible, transparent, and efficient processes that make rights easy to exercise. Removing unnecessary barriers not only avoids fines but also builds trust.

Allowed and Prohibited Procedures for Businesses Under the GDPR

Complying with the GDPR goes beyond having a privacy policy. Organizations must also ensure that the practical execution of privacy rights is properly arranged. Below are examples of permitted and prohibited practices.

✅ Allowed Procedures

  • User-friendly request forms for access, correction, or deletion requests, provided there are alternative options (such as email).
  • Identity verification using minimal data (for example, a verification code via email) to prevent misuse.
  • Digital records documenting requests and their resolution for audit purposes.
  • Clear internal instructions so employees can process requests directly without unnecessary escalation.
  • Automation of simple requests (such as confirmations and standard data access) as long as data subjects’ rights are not restricted.

🚫 Prohibited Procedures

  • Mandatory registration on a platform or app to submit a request.
  • Demanding excessive personal data (such as a full passport copy including the national ID number for a simple request; where an ID document is genuinely needed, a copy with the photo and ID number masked is sufficient).
  • Referring the requester to third parties when the organization is responsible for handling the request.
  • Unnecessary delays or extending the response period without valid reason.
  • Charging fees for standard requests.

Steps to Stay Compliant

  1. Inventory all personal data being processed and document it in a processing register.
  2. Establish an internal procedure for handling requests, including timelines and responsibilities.
  3. Communicate clearly to data subjects on how they can exercise their rights.
  4. Conduct periodic checks on the effectiveness of these procedures and train staff when needed.
  5. Collaborate with the Data Protection Officer (DPO), if appointed, to continuously monitor compliance.
  6. Regularly evaluate processes to ensure they do not create unintended obstacles.

Conclusion for Businesses

Complying with the GDPR means not only meeting legal obligations but also practically facilitating the rights of data subjects. By implementing accessible procedures and avoiding prohibited barriers, organizations reduce the risk of complaints and fines, while demonstrating accountability to customers and employees.

Practical Guide for Businesses: Complying with the GDPR

This document provides organizations with a hands-on guide to correctly meeting GDPR obligations. It includes:

  • A model procedure for handling data subject requests
  • Example texts for standard responses
  • An internal audit checklist for compliance

1. Model Procedure: Handling GDPR Requests

Step 1 – Receipt of the Request
Requests may be submitted in writing or by email.

  • Confirm receipt promptly (for example within 5 business days; this is an internal service target, not a statutory deadline).
  • Check whether the request clearly specifies which right is being invoked (access, rectification, erasure, etc.).

Step 2 – Identification of the Data Subject

  • Request additional information only if needed to confirm identity.
  • Preferably verify through a channel already tied to the person (a logged-in customer account, or a one-time code sent to the e-mail address or phone number on file). Disclosing someone’s data to an impersonator who files a fake access request is itself a personal data breach, so the check must be real even when it is minimal.
  • Do not ask for unnecessary copies or sensitive data (such as a full passport); if an ID document is genuinely needed, accept a copy with the photo and national ID number masked and delete it once the identity is confirmed.

Step 3 – Assessment of the Request

  • Check if legal exceptions apply (for example, in national implementation laws like the Dutch UAVG).
  • Determine which systems and files must be reviewed.
  • Assess whether the request can be fulfilled within the legal timeframe.

Step 4 – Execution of the Request

  • Perform the requested action (provide access, correct, delete, restrict processing, etc.).
  • Document every step in the internal GDPR register.

Step 5 – Response to the Data Subject

  • Respond within one month (or, if the requester has been told of the extension and its reasons within that first month, within a maximum of three months from receipt).
  • Provide a clear and understandable explanation of the actions taken.
  • If the request is denied, give a legally substantiated reason and inform the individual of their right to lodge a complaint with the supervisory authority (in the Netherlands, the Autoriteit Persoonsgegevens) and to seek a judicial remedy.

Step 6 – Archiving

  • Record the request, assessment, and response for internal audit purposes.
  • Store only the data necessary for the request (no unnecessary personal data).
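The six steps above (and the shorter version in section 5) are easy to describe and easy to get wrong in practice: codes get stored in the clear, deadlines get counted in "30 days" instead of calendar months, and the register ends up holding the very passport copies it was supposed to avoid. The following Python sketch is an added example written for this page; it is not code from the original article or from RealCob, and the class and function names are its own. It assumes the register is the "internal GDPR register" the procedure refers to, that the one-time code is sent to the e-mail address already on file, and a 24-hour code lifetime and five-guess limit as internal policy choices.

```python
"""Added example (not from the page or RealCob): a minimal DSAR register for
steps 1-6 above: one-time code to the e-mail on file, Art. 12(3) deadline
tracking (one month, extendable once to three), data-minimised audit log."""
from __future__ import annotations

import calendar
import hashlib
import hmac
import secrets
from dataclasses import dataclass, field
from datetime import date, datetime, timedelta, timezone

TOKEN_TTL = timedelta(hours=24)  # assumed policy: code usable for one day
MAX_ATTEMPTS = 5                 # a six-digit code needs a guess limit as well as a TTL


def add_months(d: date, months: int) -> date:
    """Statutory periods run in calendar months; 31 Jan + 1 month ends on 28/29 Feb."""
    idx = d.month - 1 + months
    year, month = d.year + idx // 12, idx % 12 + 1
    return d.replace(year=year, month=month, day=min(d.day, calendar.monthrange(year, month)[1]))


@dataclass
class Request:
    request_id: str
    right: str                      # "access", "rectification", "erasure", ...
    contact_hash: str               # keyed hash of the e-mail; the address stays in the mail system
    received: date
    deadline: date
    token_hash: str | None          # keyed hash of the one-time code, never the code itself
    token_expires: datetime | None
    attempts: int = 0
    verified: bool = False
    extended: bool = False
    log: list[str] = field(default_factory=list)


class DsarRegister:
    def __init__(self, pepper: bytes):
        self._pepper = pepper       # HMAC key for the hashes; in production, load from a secret store
        self._requests: dict[str, Request] = {}

    def _hash(self, value: str) -> str:
        return hmac.new(self._pepper, value.encode(), hashlib.sha256).hexdigest()

    def receive(self, email: str, right: str, received: date, now: datetime) -> tuple[Request, str]:
        """Steps 1-2: record the request; return the code once so the caller can e-mail it."""
        code = f"{secrets.randbelow(10**6):06d}"
        req = Request(secrets.token_hex(8), right, self._hash(email.lower()), received,
                      add_months(received, 1), self._hash(code), now + TOKEN_TTL)
        req.log.append(f"{now.isoformat()} received {right} request; verification code sent")
        self._requests[req.request_id] = req
        return req, code

    def verify(self, request_id: str, code: str, now: datetime) -> bool:
        """Step 2: accept the code only while valid, unused and under the guess limit."""
        req = self._requests[request_id]
        if req.token_hash is None or now > req.token_expires or req.attempts >= MAX_ATTEMPTS:
            req.log.append(f"{now.isoformat()} verification refused: code used, expired or locked")
            return req.verified
        req.attempts += 1
        ok = hmac.compare_digest(req.token_hash, self._hash(code))
        req.log.append(f"{now.isoformat()} verification {'succeeded' if ok else 'failed'}")
        if ok:
            req.verified = True
            req.token_hash = req.token_expires = None   # one-time code: discard once used
        return ok

    def extend(self, request_id: str, reason: str, notified_on: date) -> date:
        """Art. 12(3): at most two further months, notified with reasons within the first month."""
        req = self._requests[request_id]
        if req.extended or notified_on > req.deadline:
            raise ValueError("only one extension, and it must be notified before the one-month deadline")
        req.deadline, req.extended = add_months(req.received, 3), True
        req.log.append(f"{notified_on.isoformat()} deadline extended to {req.deadline}: {reason}")
        return req.deadline

    def overdue(self, today: date) -> list[str]:
        return [r.request_id for r in self._requests.values() if today > r.deadline]


def run_example() -> dict:
    """Walk two constructed requests through the register; returns plain values."""
    reg = DsarRegister(pepper=b"constructed-demo-pepper-not-for-production")
    now = datetime(2025, 1, 31, 9, 0, tzinfo=timezone.utc)
    req, code = reg.receive("alice@example.com", "access", date(2025, 1, 31), now)
    wrong = reg.verify(req.request_id, "999999" if code != "999999" else "000000", now)
    right = reg.verify(req.request_id, code, now + timedelta(hours=1))
    deadline = req.deadline.isoformat()                       # 31 Jan + 1 month -> 2025-02-28
    extended = reg.extend(req.request_id, "large archive volume", date(2025, 2, 20)).isoformat()
    req2, _ = reg.receive("bob@example.com", "erasure", date(2025, 3, 15), now)
    try:
        reg.extend(req2.request_id, "notified too late", date(2025, 4, 20))
        late_refused = False
    except ValueError:
        late_refused = True
    return {"wrong_code_accepted": wrong, "right_code_accepted": right,
            "deadline": deadline, "extended_deadline": extended,
            "late_extension_refused": late_refused,
            "overdue_on_1_may": reg.overdue(date(2025, 5, 1)),
            "email_in_register": "alice@example.com" in repr(req)}
```

Three design points carry the compliance requirements into the code: the register stores only keyed hashes of the e-mail address and the code (so a leaked register exposes neither), the code is single-use with a lifetime and a guess limit (a six-digit code with no limit is brute-forceable within the TTL), and the deadline is computed in calendar months with the extension refused once the first month has passed, which is exactly the "extension communicated timely and with justification" check in the audit checklist further down.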

2. Example Standard Response Texts

📧 Request Acknowledgement

Dear [Name],
We confirm receipt of your request under the General Data Protection Regulation (GDPR).
We will assess your request and inform you of the outcome within one month.
Kind regards,
[Organization Name]

📧 Request Granted

Dear [Name],
In response to your request under the GDPR, we inform you that your request has been approved.
The requested data has been [attached / updated / deleted] as you requested.
Kind regards,
[Organization Name]

📧 Request Denied (with reason)

Dear [Name],
We have carefully reviewed your request under the GDPR.
Unfortunately, we cannot grant your request because [insert legal reason].
You may object or lodge a complaint with the Data Protection Authority ([URL]).
Kind regards,
[Organization Name]

3. Internal Audit Checklist: GDPR Compliance

✅ Procedure

  • Is there a clear internal process for handling GDPR requests?
  • Are employees trained to recognize and handle requests?

✅ Documentation

  • Is every request recorded?
  • Is the handling process documented for audits?

✅ Deadlines

  • Are all requests answered within one month?
  • Are extensions (if needed) communicated timely and with justification?

✅ Communication

  • Is the privacy policy up to date and easy to understand?
  • Are individuals informed of their rights?

✅ Barriers

  • Is the process free of unnecessary obstacles (such as complex forms, mandatory registration, or fees)?
  • Is identity verification proportional?

Conclusion for Businesses

GDPR compliance isn’t just a legal obligation, it’s an ongoing process that requires clear procedures, employee awareness, and a commitment to transparency. By understanding the regulation, respecting data subject rights, applying only allowed procedures, and following a documented process, businesses can reduce legal risks and build lasting trust with customers, employees, and partners.

With RealCob, GDPR compliance becomes practical and efficient. From built-in templates and automated request tracking to deadline monitoring and audit-ready reports, RealCob gives you the tools to manage privacy obligations with confidence.
