Most privacy laws give persons (or “data subjects”) a right to access the data you process about them, a right to request the deletion of the data if it is no longer relevant for you to use it, and a right to receive an export file of the data you process about them. There are of course also other rights but these three are, based on our experience, the most frequently submitted requests.
Data Requests Forms in Complianz
In Complianz Premium we offer you the possibility to implement a data request form in your Privacy Statement so that data subjects can make their requests in a uniform way. Underneath your contact details on your privacy statement, a new form will be published that will ask for the name and email address of the data subject and will give them the option to submit one or more requests. To enable this option, please visit the below question in the wizard:
Activating that data request form also creates an extra menu within your dashboard where you can handle and respond to the requests you have received. This way you have processes in place to ensure that you can respond to a subject access request without undue delay.
In short, the most frequently used Data Requests
In most jurisdictions, you should respond within one month of receipt of the request. You may extend the time limit by a further two months if the request is complex or if you receive a number of requests from the individual.
The Right to Access
Individuals have the right to access and receive a copy of their personal data, and other supplementary information. This is commonly referred to as a data subject access request or ‘DSAR’.
Individuals can make DSARs verbally or in writing, including via social media. A third party can also make a DSAR on behalf of another person.
Handling a The Right to Access Request
- You should perform a reasonable search for the requested information.
- You should provide the information in an accessible, concise, and intelligible format.
- The information should be disclosed securely.
- You can only refuse to provide the information if an exemption or restriction applies, or if the request is manifestly unfounded or excessive.
The Right to Erasure
Under most privacy laws individuals have the right to have their personal data erased if:
- the personal data is no longer necessary for the purpose which you originally collected or processed it for;
- you are relying on consent as your lawful basis for holding the data, and the individual withdraws their consent;
- you are relying on legitimate interests as your basis for processing, the individual objects to the processing of their data, and there is no overriding legitimate interest to continue this processing;
- you are processing the personal data for direct marketing purposes and the individual objects to that processing;
- you have processed the personal data unlawfully (ie in breach of the lawfulness requirement of the 1st principle);
- you have to do it to comply with a legal obligation; or
- you have processed the personal data to offer information society services to a child.
You can refuse to erase the information if an exemption or restriction applies, or if the request is manifestly unfounded or excessive.
The Right to Data Portability
The right to data portability allows individuals to obtain and reuse their personal data for their own purposes across different services. It allows them to move, copy or transfer personal data easily from one IT environment to another in a safe and secure way, without affecting its usability.
Doing this enables individuals to take advantage of applications and services that can use this data to find them a better deal or help them understand their spending habits.The right only applies to information an individual has provided to a controller.
You can refuse to provide the information if an exemption or restriction applies, or if the request is manifestly unfounded or excessive.
Contains public sector information licensed under the Open Government Licence v3.0 from the UK Information Commissioner’s Office website.