Look for data protection issues in any request made by a data subject
Immediately forward all requests to a contact point or your superior
Offer your help with fulfilling data subject rights, especially with verifying identity and finding all data relating to the requester
While not as urgent as incidents, data subject requests must also be handled efficiently. GDPR requires responding without undue delay, no later than within one month, which can be extended by two further months where necessary, given the complexity and number of requests. The data subject must be informed of such an extension and its reasons within the initial one-month period.
When your organization provides informational clauses, it points out the contact details to which data subjects should normally direct their requests. However, no matter how and in what form the request is filed, your organization should process it. This means you should identify a contact point for data subject requests and immediately forward there any case where a person you deal with requests anything concerning his or her data, such as access, a copy, erasure, objection, consent withdrawal, rectification etc.
The process of handling data subject requests should be defined to make sure GDPR rights are actually fulfilled and cover all relevant data processed by your organization – not just your department. Not all requests are legitimate and some are even aimed at extorting someone’s data or delaying payments. That is why all doubtful cases should be verified and analyzed. Data subject rights are not absolute and GDPR articles 12 to 22 set out some exceptions.
When thinking of data subject rights, remember that their fulfillment starts when data are collected. There is a general right to personal data protection, safeguarded by the GDPR and related legal acts. No matter the form in which you collect data (digitally, in print, orally, during a call or on the website), always provide the required information and apply data protection principles.