The proper handling of enquiries from data subjects benefits any business. A well-practised approach not only ensures compliance, but also streamlines and accelerates the entire business process. For this reason, responding to data subject requests should be a firm component of a good data protection management system in the organisation. But how does one deal with data subjects’ enquiries properly? What has to be considered under the GDPR?
Recognising an enquiry from a data subject
First of all, a request from a data subject must be recognised as such. This may sound simple, but in practice it often is not. The majority of the persons concerned are legal laypeople who are unlikely to literally use the term “data subject” or, in particular, to name the specific right they wish to exercise. They do not have to. It is up to the controller to work out what the person actually wants. If any of the following appear, one may already assume that the message is a data subject request and, as a precaution, treat it as such:
- “I have a question relating to data protection” or “I want to know something about how my data is being handled”
- Terms like information, disclosure, blocking, limitation of processing, deletion, right to be forgotten or objection are used
- “Where did you get my data from?”
- The person objects to unsolicited advertising or spam
- “Please unsubscribe from the newsletter”
- “Please correct the following information about me”
- The person threatens to involve a lawyer, send a warning letter or complain to the data protection authority
- The person asks to speak to the data protection officer
Such phrases point to the different types of request, each of which maps to one of the data subject rights under the GDPR:
- The right to information (right of access)
- The right to erasure
- The right to restriction of processing
- The right to rectification
- Right to data portability
- Right to object (and, separately, the withdrawal of previously granted consent)
The Response – what should be considered?
Requests may be made by any means: orally, by telephone, in writing or electronically. The response, however, should always be given in writing or, where appropriate, electronically; if the request itself arrived electronically, the reply should by default also be in a commonly used electronic form unless the person asks otherwise. Electronic responses must be handled with care, since the security of the data in transit must be ensured and a disclosure sent to the wrong address is itself a personal data breach. In addition, and this is required by law, the answer must be concise, transparent, intelligible and easily accessible, in clear and plain language. We also advise documenting the entire process and all communication in full.
Furthermore, there is of course a deadline to observe. The answer must be given without undue delay and in any event within one month of receipt of the request. The period may be extended by two further months (three months in total) where the complexity or the number of requests makes this necessary, but the data subject must be informed of the extension and the reasons for it within the first month. Do not plan around this exception: it is only permissible in rare cases.
It should also be noted that the data subject must always be informed if their request cannot be met, together with the reasons and a reference to their right to lodge a complaint with a supervisory authority. This is the case, for example, if the person requests the deletion of their data but statutory retention requirements preclude it.
If a request reaches a processor rather than the controller, the processor does not answer it itself but forwards it to the controller without delay. The data processing agreement (DPA) should specify precisely how such requests are to be handled between the two parties.
The Response – the Process
What is the best way to proceed once a request has been received? We recommend the following approximate sequence:
- Forward the request to the data protection coordinator of the company
- Fix the deadline: record the date of receipt of the request
- Send an acknowledgement of receipt to the person concerned
- Research: search all data sources for information on the data subject
- Identification: the data protection coordinator verifies the identity of the requester and matches them against the records found, so that no data is disclosed to the wrong person
- Data protection officer can be contacted at any time
- Amend the data according to the type of request
- Send the reply via the data protection coordinator
- Documentation of the process by the data protection officer
In practice, the fourth point in particular causes difficulties, because the data relating to the requesting person must first be located across all systems. Here, a well-maintained record of processing activities (Article 30 GDPR) that clearly lists which data is held where is enormously helpful.
The consequences of the request
The consequences of the data subject’s request depend on the specific type of query:
Right to information (right of access): If the data subject requests access, he or she must be informed about the stored data and provided with the information to the legally defined extent. The person specifically has a right to be told the purposes of processing (e.g. e-mail marketing), the categories of personal data being processed (e.g. contact details), the recipients of the data (especially those outside the EU), the retention period and, where the data was not collected from the person directly, its source.
Right to rectification: This includes the right to have inaccurate personal data corrected and incomplete data completed.
Right to restriction of processing: Here the controller must ensure that the affected personal data is still stored but, apart from storage, is no longer processed.
Right to erasure (“right to be forgotten”): If the deletion of personal data is requested, the consequences are self-explanatory: the relevant data must be deleted. In some cases, however, an anonymisation may be sufficient, if reidentification of the person is technically and organisationally excluded.
Right to data portability: If a person asserts his or her right to data portability, the controller must provide the data in a structured, commonly used and machine-readable format. This applies where the processing is carried out by automated means and is based on consent or on a contract. Where technically feasible, the data may also be transmitted directly to another controller.
Right to object: The right to object renders processing that was in itself lawful inadmissible for the future. It can be exercised against processing based on a task in the public interest or on legitimate interests. Where processing rests on consent instead, the data subject cannot object but can withdraw the consent, which has the same effect for the future.
Conclusion: Ensure compliance with structure and routine!
In fact, it is not that difficult to deal with such enquiries properly. If you are familiar with the response procedure and know what to consider when each type of request occurs, that is half the story.
However, the devil is in the details!
It always depends on the individual case and on how the answers are structured in terms of language and content. It may even be necessary to deviate from the usual procedure. For this reason, we recommend entrusting an experienced data protection expert with integrating data subject requests into the company’s data protection management system and establishing a proper and complete record of processing activities.
Please do not hesitate to contact the IT and legal experts of ISiCO Datenschutz GmbH. We can show you how to deal safely and correctly with data subjects’ enquiries and help you create your own record of processing activities. We also train your employees in the proper handling of data subjects’ rights and would be happy to take on the role of data protection officer in your company.