Privacy Mystery Shopper Survey 2020

With the General Data Protection Regulation (GDPR) being in force for nearly 2 years now, the medialisation of rights that data subjects have, as well as the public awareness, have increased significantly in this time. As our latest GDPR survey revealed (results here), it’s not the quantity of requests that is most cumbersome, yet the level of detail and sophistication of the requests that data subjects send to companies. 
That in mind, PwC conducted a survey, seeking to find out how well companies respond to data subject requests. To do so, we organised a number of individual persons to exercise certain of their rights, as foreseen by the regulation, to companies based in Luxembourg or providing services to Luxembourg residents. 

Rather than pointing out how well companies responded, we are pleased to present to you with "The Seven Commandments" to consider when it comes to properly responding (or preparing to respond) to data subject rights. We also provide with "Topics Worth Checking", which might help you get ready for new data subject requests. "The Seven Commandments" and the "Topics Worth Checking" have been elaborated based on the current regulatory requirements, as well as the results and trends we observed during the survey.

If you would like to receive more information regarding the survey, what we have spotted or discuss "The Seven Commandments" and "Topics Worth Checking", we will be happy to engage further with you.


Were you able to find the Data Protection Officer/ Privacy office contact details easily (with max. 3 clicks after accessing their website)?

For 66% of the requestors it was quite easy to find the DPO office contact details and for 34% the exercise was not so easy.


Put yourself in the data subject's shoes and check how easy it is to reach your Privacy office.

Was the contact address form generic to the company (e.g. or directly to the Data Protection Officer/ Privacy office (e.g.

48.5% of the requestors were able to find an email address to reach directly the DPO Office. That means that 51.5% of the sample didn’t take into account the requirement to have a specific and dedicated address for this type of request. Or we can imagine that the address was not easy to find on the website. 


Ensure you have a dedicated contact email address for data privacy matters.

Did the company acknowledge your request?


19% of requestors never received a response within 1 month of their initial request.


Respect the 1-month regulatory requirement to respond to data subject requests.

Did the company request to validate your identity?


45.5% of the sample requested to verify the identity of the requestors versus 54.5% of “no check”. 

The regulation requests companies to verify the identity of each requestor by any way. Many companies have chosen to verify the identity by requesting an ID card but others who have not required an ID card as a means of verification, might have cross checked the email address of the requestor and the email address stored in their systems or use one of the following elements: 

  • Client number /User ID

  • Birthdate 

  • Secret question 

  • Phone number 

  • Use of token


Make sure you respond to the data subject and not anyone else.

How many interactions with the company did you have before obtaining what you asked for?

  • 1 - only the request: 49%

  • 2 -  the request and proving my identity: 40% 

  • More than 3: 11% 

Process seems to be simple but be careful not to sacrifice security over simplicity.


Do not sacrifice information security over speed of the response process.

In what timeframe did you receive the final response?

  • 1 week or less: 46.8% 

  • More than 1 week and up to 2 weeks: 21.3% 

  • More than 2 weeks and up to 3 weeks: 14.9%

  • More than 3 weeks and up to 4 weeks: 10.6%

  • More than 1 month: 6.4% 

An important number of companies did not respond to the DSR, thus potentially leading to a complaint at the national data protection authority. Yet, these having responded seem quite fast in doing so: almost half of the companies responded in less than 1 week, whereas 83% responded in less than 3 weeks.


Follow up on the data subject requests and respond within 1 month - or 3 months with a justification.

In what format did the company respond to you?


  • Email: 81.2% 

  • Phone call: 2.1% 

  • Post: 8.3% 

  • Form on their website: 4.2%

  • Document to pick up at the company: 4.2% 

The preferred communication channel is the email, representing over 80% of the total responses, followed by postal communication.


Use an appropriate secure communication channel when responding to a data subject request.

Did you receive what you asked for?


  • Yes: 52.7%

  • No: 47.3%

Certain rights seem to be easier to execute than others: for example, companies executed smoothly the rectification of certain personal data.

Yet, when looking at the right of access, there is a difference between what data subjects expect and what the companies understand when it comes to personal information to receive/ provide.


Know the personal data you manage to exhaustively respond to data subject requests.

Topics Worth Checking

Have you thought of:
  • Having templates to speed up response time and ensure clarity of the response?
  • Using a tool to respond to data subject requests? 

  • Keeping an updated mapping of personal data across your IT systems?

  • Updating your register with personal data processing newly created?

  • Enforcing data retention periods in your systems to limit the effort for responding to data subject requests?

  • Keeping track of the data subject requests received to continuously improve your processes?

Contact us

Frédéric Vonner

Advisory Partner, Sustainable Finance & Sustainability Leader, PwC Luxembourg

Tel: +352 49 48 48 4173

Stay Connected:

Required fields are marked with an asterisk(*)

Please select the cybersecurity service(s) you are interested in and would like to discuss further

Please select the privacy service(s) you are interested in and would like to discuss further:

By submitting your email address, you acknowledge that you have read the Privacy Statement and that you consent to our processing data in accordance with the Privacy Statement (including international transfers). If you change your mind at any time about wishing to receive the information from us, you can send us an email message using the Contact Us page.