The General Data Protection Regulation (“GDPR”) provides rights to residents of the European Union (“EU”) that allow them to control their personal data. To exercise these rights, the GDPR allows EU residents to send a request to the data controller. In this guide, we will answer the following:
Under the GDPR, the definition of “personal data” includes “any information” that relates to an identified or identifiable natural person, which is called a “data subject.” An identifiable natural person is someone “who can be identified, either directly or indirectly, in particular by reference to an identifier.” An identifier includes:
In the EU, the GDPR grants data subjects a set of rights. Recital 1 of the GDPR states that protecting “natural persons in relation to the processing of personal data is a fundamental right.”
The GDPR provides consumer rights that include:
To exercise one of the consumer rights listed above, a data subject needs to send a request to the controller. Article 12 explains how a controller must respond to data subject requests made under the consumer rights in Articles 15 to 22.
Under Article 12, a data controller must “take appropriate measures” to provide any information relating to processing of the data subject. The controller must accept either a written or verbal request from a data subject. The controller must provide the information in writing or by another appropriate electronic means.
When a controller receives a data subject request, it must:
When requested by the data subject, the controller may provide the information orally, provided the identity of the data subject is proven by other means. If a controller has reasonable doubts concerning the identity of the person making a request under Articles 15 to 21, the controller may request the additional information necessary to confirm the identity of the data subject.
Recital 64 of the GDPR provides that a “controller should use all reasonable measures to verify the identity of a data subject who requests access, in particular in the context of online services and online identifiers.” Examples of reasonable means for identity verification include having the data subject:
When a controller receives a data subject request, it must respond “without undue delay” and within one month of receiving the request. Depending on the complexity and number of requests, the controller may extend the deadline by “two further months where necessary.” However, the controller must inform the data subject of any such extension, together with the reasons for the delay, within one month of receiving the request.
If the controller does not take action when it receives a data subject request, the controller must inform the data subject “without delay and at the latest within one month of receipt.” The controller must explain:
Any action a controller takes in response to a request must be provided to the data subject free of charge. If a request from a data subject is “manifestly unfounded” or excessive, in particular because of its repetitive character, the controller bears the “burden of demonstrating the manifestly unfounded or excessive character of the request.” The controller may either:
Presently, the GDPR does not offer uniform guidance on handling data subject requests. To be compliant, however, companies acting as data controllers should adopt internal processes for addressing requests in accordance with the GDPR. Meanwhile, the European Data Protection Board has released guidelines that focus mainly “on the rights of access, erasure, objection, restriction and limitations to these rights.”
Article 15 of the GDPR gives a data subject “the right to find out whether or not personal data concerning him or her are being processed.” Data subjects may request access to the data, which is commonly called a “data subject access request” (DSAR).
The right of access provided in Article 15 of the GDPR requires a controller to:
A controller must follow the Article 12 rules that establish the proper form of a response and the time frame for sending it. Article 12 allows a data subject to submit a DSAR in whatever manner is convenient for the data subject. Many data subjects submit a DSAR in writing, but a DSAR may also be made verbally.
Under Article 15, when a controller receives a DSAR, it must provide the data subject with a copy of the personal data it holds about that data subject. The controller must provide access to the personal data and the following information:
Where personal data are transferred to a third country or to an international organization, the data subject has the right to be informed of the appropriate safeguards pursuant to Article 46 relating to the transfer. The controller:
Where the data subject makes the request by electronic means, the controller must provide the information in a commonly used electronic form unless otherwise requested by the data subject.
The right of data subjects to obtain a copy of their personal data must not adversely affect the rights and freedoms of others. Where relevant, a controller should redact any information that is not within the scope of the DSAR. This includes the personal data of other individuals and sensitive data belonging to the controller.
A controller has the responsibility to inform data subjects about their rights and to answer their requests promptly. A controller should explain in its Privacy Policy how data subjects can exercise their rights, including the rights of access, erasure, objection, and restriction with respect to their personal data. Failure to comply is a violation of the GDPR and could lead to large fines.
If the GDPR applies to you, then your website must comply with it. Termageddon’s Privacy Policy generator helps you get GDPR compliant. Once you generate a policy and place it on your website, your policy will automatically update as the law changes.