What are they and how to handle them.
Under the General Data Protection Regulation (GDPR), data subjects receive exercisable rights, giving them control over the processing of their personal data. These rights must be upheld by organizations that process personal data. For example, data subjects have a right to request rectification or erasure of their personal data. These types of requests are called Data Subject Right Requests (DSRR – see Chapter 3 GDPR).
DSRRs are often confused with Data Subject Access Requests (DSARs), which are, in turn, only one of the eight rights granted to data subjects under the GDPR. So, what is a DSAR? Upon request of a data subject, organizations are obligated to give access to the personal information they hold or process about that data subject.
An individual may exercise their rights against any organization that processes their personal data. They could, for example, ask to see their client file, rectify incorrect information, or ask for certain details to be deleted. However, this is not the only situation in which an individual may ask for access. An employee, for instance, can request to check the administrative file kept by the employer, to see which information is filed about them. An individual can exercise their right of access against their doctor who keeps their medical file (although Member State laws may restrict this access for the wellbeing of the patient). And lastly, they can also request confirmation that their data is being processed by a governmental body.
When making a DSRR, data subjects are entitled to receive the following information:
Considering the short time allowed to respond to data subjects’ requests, your organization should have a dedicated framework to manage responses effectively and, therefore, implement a DSRR-response process. DSRRs can be very time-consuming, which is why more and more organizations choose to implement software solutions to manage these requests. Check out how RESPONSUM’s DSRR module saves organizations time whilst remaining completely compliant.
How do you get started?
DSRRs are usually made in writing (e-mail, letter) but can also be made verbally (phone call). It is up to the organization to establish the specific formal rules under which individuals can make an access request. We discourage verbal requests as these increase the risk of mistakes being made (e.g. a phone number that was already on file, or the exact amount on the latest invoice, being misheard or misrecorded).
Acknowledge receipt of the request by notifying the individual that their request is being reviewed and a response will be provided within 30 days.
Then you’ll need to execute some basic steps to answer the request.
Disclosing personal information to the wrong person can result in a data breach. To avoid this, and especially in case of reasonable doubt, you’ll need to check the requestor’s identity, for example by asking for additional information, such as a customer number, or by requesting a face-to-face meeting.
Note: It is up to the person wishing to access their personal data to contact you. However, this person can give a mandate by formal letter to a person of their choice to exercise their right of access. Verifying the validity of this mandate can itself be cumbersome. Be very vigilant to prevent abuse via such letters.
If the request concerns a large amount of data, you can ask the data subject to specify which data or which processing activities the request concerns (Recital 63 of the GDPR).
You must check that, by complying with the access request of the data subject, you don’t adversely affect the rights of third parties. For example, an employee of a company can’t obtain data that includes the personal data of a colleague. In the same way, the right of access may not violate business secrecy or intellectual property rights.
Usually, you’ll have to respond within 30 days. However, in case of a complex request, such as a large amount of data, the response time can be extended to 3 months. You will have to inform the requester about this within 30 days.
Firstly, it’s important to identify the person making the request. The means of identification should match the sensitivity of the personal data that is requested. Once the identification is completed, you’ll need to grant access to any personal data, i.e. data relating to a person or that can be used to identify a person. Under Article 15 GDPR, you’ll also have to provide them with the following information:
Data subjects have the right:
Even if rights are usually exercised free of charge (Article 12.5 GDPR), you may charge a reasonable fee based on administrative costs for any additional copies requested by the data subject. Note that this fee must not be an impediment to the exercise of the right of access.
You may have strong grounds not to comply with the DSRR, for example because you are facing an unfounded access request, or because the requested data has already been deleted (bear in mind that if the data was deleted before the end of the predefined retention period, this might itself be a data breach in the sense of the GDPR). In all cases, you will need to be specific and clear about the reasons for denying the request. You’ll also need to inform the data subject of their right to lodge a complaint with the data protection authority and to seek judicial redress.
Lastly, you must respond to the DSRR within 30 days (some exceptions apply, e.g. receiving a lot of requests in a short time frame), whether you decide to proceed with the request or not.
To summarize, don’t forget to keep track of DSRRs, as well as the details of the request, the action taken, and the length of time taken to respond (even in case of the “right to erasure” you have to keep track of this because of your GDPR accountability obligations). This good practice can be useful, for example, to assess the repetitive nature of a request (multiple requests close in time to a copy already provided). RESPONSUM offers a tool that organizes all requests and allows you to reply to them in a timely manner.
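The handling steps above (acknowledge, verify identity before disclosing, extend only within the initial 30 days, respond by the deadline, keep an accountability log) can be modelled as a small tracker. This is an added illustration, not RESPONSUM’s or CRANIUM’s code; the request identifiers and dates are constructed, and the 3-month extension is assumed to be 90 days.

```python
from dataclasses import dataclass, field
from datetime import date, timedelta
from typing import List, Optional, Tuple

INITIAL_DAYS = 30    # page: respond within 30 days
EXTENDED_DAYS = 90   # page: extension to 3 months (assumed here as 90 days)


@dataclass
class DSRR:
    """One data-subject right request, with the accountability log the page asks for."""
    request_id: str
    received: date
    identity_verified: bool = False
    extended_on: Optional[date] = None
    closed_on: Optional[date] = None
    log: List[Tuple[date, str]] = field(default_factory=list)

    def record(self, when: date, action: str) -> None:
        self.log.append((when, action))

    def deadline(self) -> date:
        days = EXTENDED_DAYS if self.extended_on else INITIAL_DAYS
        return self.received + timedelta(days=days)

    def verify_identity(self, when: date, evidence: str) -> None:
        # evidence should match the sensitivity of the data (e.g. customer number, in-person check)
        self.identity_verified = True
        self.record(when, f"identity verified via {evidence}")

    def extend(self, when: date, reason: str) -> None:
        # the requester must be told about the extension within the initial 30 days
        if when > self.received + timedelta(days=INITIAL_DAYS):
            raise ValueError("extension must be notified within 30 days of receipt")
        self.extended_on = when
        self.record(when, f"extended to 3 months: {reason}")

    def respond(self, when: date, outcome: str) -> int:
        """Close the request (disclosed / refused / erased); returns days taken to respond."""
        if outcome == "disclosed" and not self.identity_verified:
            raise PermissionError("refusing to disclose data before identity is verified")
        self.closed_on = when
        self.record(when, f"responded: {outcome}")
        return (when - self.received).days

    def on_time(self) -> bool:
        return self.closed_on is not None and self.closed_on <= self.deadline()
```

A refusal is logged the same way as a disclosure, so the record of reasons and timing required for accountability exists whether or not the request is granted.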
Published on February 14, 2022. Written by:
Privacy consultant at CRANIUM