Last updated: 2026-04-06

Practical Scenarios

Common privacy situations and how to respond. Use these as a reference for real situations you may encounter.


Data Subject Rights Requests

Scenario 1: Access Request via Email

Situation: A customer emails: "I want to know what information you have about me."

Response Steps:

  1. Acknowledge receipt within 1-2 business days
  2. Verify identity - ask them to confirm from their registered email or provide verification information
  3. Log the request with timestamp in your tracking system
  4. Gather data from all systems where customer data is stored
  5. Compile response including: data held, purposes, recipients, retention periods
  6. Deliver response within one month (GDPR) or 45 days (CCPA)
  7. Document completion

Example Acknowledgment:

Thank you for your request. We take data protection seriously and will respond within 30 days. To verify your identity, please reply from the email address associated with your account or provide [verification details].


Scenario 2: Deletion Request

Situation: Customer requests: "Delete my account and all my data."

Response Steps:

  1. Verify identity
  2. Check for exceptions:
     • Active subscriptions or outstanding payments
     • Legal retention requirements (tax, fraud prevention)
     • Ongoing legal claims or disputes
  3. If deletion is valid: delete from all systems including backups (on next backup cycle)
  4. Notify any third parties who received the data
  5. Confirm completion to customer
  6. Retain minimal record of the request for audit purposes

When to Refuse:

  • Legal obligations require retention (explain which)
  • Data needed for legal claims
  • Overriding public interest

Always explain the reason for any refusal.


Scenario 3: Opt-Out Request

Situation: Customer says: "Stop sending me marketing emails."

Response Steps:

  1. This is typically self-service via the unsubscribe link
  2. Process within 10 business days (CAN-SPAM) or immediately where possible
  3. Update suppression list to prevent re-addition
  4. Confirm opt-out to customer
  5. Service/transactional emails may continue (but clarify this)

Note: Under GDPR, if marketing was based on consent, this may also be a withdrawal of consent affecting other processing.


Data Breach Scenarios

Scenario 4: Email to Wrong Recipient

Situation: You sent a spreadsheet with customer data to the wrong email address.

Immediate Actions:

  1. Report to DPO/privacy team immediately
  2. Attempt email recall (if available)
  3. Contact recipient directly, request deletion, ask them to confirm

Assessment Questions:

  • What data was exposed? (names, financial, health?)
  • How many individuals affected?
  • Who received it? (known person vs. unknown)
  • Was it opened/downloaded?

Documentation:

  • Time of incident and discovery
  • What data was exposed
  • Actions taken
  • Outcome

Possible Outcomes:

  • Low risk: Document internally, no notification required
  • Higher risk: May require regulatory notification within 72 hours and notification to affected individuals

Scenario 5: Suspicious System Activity

Situation: You notice unusual login activity or unauthorized access attempts.

Immediate Actions:

  1. Report to IT security and DPO immediately
  2. Do not attempt to investigate or fix yourself
  3. Do not log out or restart systems (preserve evidence)
  4. Document what you observed and when

IT Security Will:

  • Assess scope of potential access
  • Contain the incident
  • Preserve evidence
  • Determine if personal data was accessed

Your Role:

  • Provide information requested
  • Follow instructions from security team
  • Maintain confidentiality about the incident

Scenario 6: Lost Device

Situation: Your work laptop containing customer data is stolen or lost.

Immediate Actions:

  1. Report to IT security and manager immediately
  2. Attempt to locate device (Find My Device, etc.)
  3. IT will remotely wipe if possible
  4. Change passwords for all accounts accessed from the device

Assessment Factors:

  • Was device encrypted? (reduces risk significantly)
  • What data was stored locally?
  • Was device locked with strong password?
  • Was auto-lock enabled?

Scenario 7: Marketing to Existing Customers

Situation: Marketing wants to email all customers about a new product.

Verification Steps:

  1. What is the legal basis?
  2. Consent: Check consent records, verify not withdrawn
  3. Legitimate interest: Verify a Legitimate Interest Assessment (LIA) has been completed and that the product is related to the original purchase
  4. Check suppression list for opt-outs
  5. Verify unsubscribe mechanism is working
  6. Review content for required disclosures

Questions to Ask Marketing:

  • Do we have consent/legal basis for all recipients?
  • Have we checked the suppression list?
  • Is the unsubscribe link working?
  • Is the sender clearly identified?

Scenario 8: Third-Party Data Acquisition

Situation: Marketing wants to purchase a contact list.

Due Diligence Required:

  1. How did the vendor collect the data?
  2. Did individuals consent to sharing with third parties?
  3. For what purposes can the data be used?
  4. What documentation can the vendor provide?

Red Flags:

  • Vendor cannot explain data source
  • No evidence of consent for third-party sharing
  • Very low cost (suggests questionable sourcing)
  • Vendor will not provide DPA

Recommendation: Consult privacy team before proceeding. Risk of purchasing improperly collected data is significant.


Vendor and Transfer Scenarios

Scenario 9: New Cloud Service

Situation: Your team wants to use a new US-based SaaS tool that will process customer data.

Before Proceeding:

  1. Identify what personal data will be processed
  2. Assess data minimization - can you limit what is shared?
  3. Conduct vendor security assessment
  4. Execute Data Processing Agreement
  5. For EU data: Assess international transfer mechanism
     • SCCs in place?
     • Transfer Impact Assessment needed?
  6. Update records of processing activities
  7. Update privacy notice if needed

Questions for the Vendor:

  • Where is data stored and processed?
  • What security certifications do you have?
  • Will you sign our DPA?
  • Who are your sub-processors?
  • How do you handle data subject requests?

Scenario 10: Law Enforcement Request

Situation: Someone claiming to be from a government agency requests customer data.

Response Steps:

  1. Do not provide data immediately
  2. Escalate to legal team
  3. Verify the request is legitimate:
     • Official letterhead and case number
     • Verify identity of requester
     • Confirm legal authority cited
  4. Legal team will assess validity and scope
  5. Provide only data specifically required
  6. Document the request and response

Never:

  • Provide data based on phone call alone
  • Share data beyond what is legally required
  • Discuss the request with unauthorized persons

Quick Decision Guide

Situation                    Immediate Action
---------------------------  --------------------------------------------------
Rights request received      Acknowledge, verify identity, log request
Data sent to wrong person    Report to DPO immediately
Suspicious activity          Report to IT security, do not investigate alone
Lost/stolen device           Report to IT security, attempt to locate/wipe
Marketing question           Verify legal basis and opt-out status
New vendor request           Assess privacy impact, get DPA in place first
Law enforcement request      Escalate to legal team, do not respond directly
