- Look for data protection issues in any request made by a data subject
- Immediately forward all requests to a contact point or your superior
- Offer your help with fulfilling data subject rights, especially with verifying identity and finding all data relating to the requester

While not as urgent as incidents, data subject requests must also be handled efficiently. The GDPR requires a response without undue delay and no later than within one month. This period can be extended by two further months where necessary, given the complexity and number of requests. The data subject must be informed of such an extension and its reasons within the initial one-month period.

Your organization's informational clauses give the contact details to which data subjects should normally direct their requests. However, your organization should process a request no matter how and in what form it is filed. This means you should identify a contact point for data subject requests and immediately forward to it any case in which a person you deal with requests anything concerning his or her data, such as access, a copy, erasure, objection, consent withdrawal, rectification etc.

The process of handling data subject requests should be defined to make sure GDPR rights are actually fulfilled and that it covers all relevant data processed by your organization, not just your department. Not all requests are legitimate, and some are even aimed at extorting someone's data or delaying payments. That is why all doubtful cases should be verified and analyzed. Data subject rights are not absolute, and GDPR Articles 12 to 22 set out some exceptions.

When thinking of data subject rights, remember that their fulfillment starts when data are collected. There is a general right to personal data protection, safeguarded by the GDPR and related legal acts. No matter the form in which you collect data (digitally, in print, orally, during a call or on the website), always provide the required information and apply data protection principles.