This article provides some practical tips for handling right-of-access requests (data subject access requests) under the EU General Data Protection Regulation (GDPR).
According to Article 15 GDPR, the data subject has the right to obtain information about who is processing data about him or her, where the data originated, why it is being processed, and whether he or she has a right to rectify, erase, restrict or object to the processing. In addition, the data subject has the right to be informed of the right to lodge a complaint with a supervisory authority, of the expected storage period of the data and, in particular, of the recipients to whom the data will be disclosed. Of course, this information can only be provided if data of the data subject are actually being processed, as Art. 15(1) GDPR presupposes. Otherwise, the applicant must be informed that no data is held.
It is recommended to generally proceed as follows when responding to requests for information:
The data subject should immediately receive an acknowledgement of receipt of his or her request for information. This is already a confidence-building measure, as it shows the data subject that his or her request will be taken seriously and processed in accordance with the applicable regulations.
The acknowledgement of receipt should not yet contain any information on personal data. However, the data subject should be informed together with the acknowledgement of receipt that verification of his or her identity is required.
The data subject should also be informed that the request will be processed as soon as possible, but that a processing time of approximately two weeks should be expected. A waiting period of up to one month is permitted by law.
If a request for information is made by e-mail or is sent to an address unknown to the company, caution is advised. The request for information could also have been made by another unauthorized person trying to obtain information about the data subject(s).
For this reason, the information address or e-mail address should also be checked against your own data. In the event of discrepancies, it is advisable to send an additional acknowledgement of receipt to the e-mail address or postal address stored in the data record.
Here, for example, a PIN code could be sent by post to the stored address to verify the legitimacy of the request.
For particularly critical data, it could also be helpful to request a copy of an ID card or to use the PostIdent procedure.
For non-critical data, however, such extensive verification is probably not permissible.
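The check described above (compare the sender's address with the one on file, and if they differ send a one-time code to the stored address rather than to the requester) can be made routine with a small intake helper. The following is an added example, not code from the original article; the record store, the `AccessRequest` class, the two-week PIN validity and all function names are assumptions made for illustration.

```python
import hashlib
import hmac
import secrets
from calendar import monthrange
from dataclasses import dataclass
from datetime import date, timedelta
from typing import Optional

# Constructed sample records: the contact data the company already holds
# for each data subject (assumption: keyed by an internal customer id).
CUSTOMER_RECORDS = {
    "cust-1001": {"email": "alice@example.com", "postal": "1 Example Street, Exampletown"},
}

PIN_VALIDITY_DAYS = 14  # assumption: the posted one-time code is valid for two weeks


@dataclass
class AccessRequest:
    customer_id: str
    sender_address: str            # e-mail address the request actually came from
    received: date
    pin_hash: Optional[bytes] = None
    pin_expires: Optional[date] = None
    verified: bool = False


def sender_matches_record(request: AccessRequest, records=CUSTOMER_RECORDS) -> bool:
    """True if the address the request came from equals the address on file."""
    record = records.get(request.customer_id)
    if record is None:
        return False
    return request.sender_address.strip().lower() == record["email"].lower()


def response_deadline(received: date) -> date:
    """Statutory one-month response window, clamped to the end of the next
    month (a request received on 31 January is due on 28/29 February)."""
    year = received.year + received.month // 12
    month = received.month % 12 + 1
    last_day = monthrange(year, month)[1]
    return date(year, month, min(received.day, last_day))


def delivery_address_for_pin(request: AccessRequest, records=CUSTOMER_RECORDS) -> str:
    """The code is always sent to the address on file, never to the sender."""
    return records[request.customer_id]["postal"]


def issue_pin(request: AccessRequest, today: date) -> str:
    """Generate a six-digit one-time code; only its hash is kept in the case file."""
    pin = f"{secrets.randbelow(10**6):06d}"
    request.pin_hash = hashlib.sha256(pin.encode()).digest()
    request.pin_expires = today + timedelta(days=PIN_VALIDITY_DAYS)
    return pin


def verify_pin(request: AccessRequest, submitted: str, today: date) -> bool:
    """Constant-time comparison; the code is single-use and expires."""
    if request.pin_hash is None or request.pin_expires is None:
        return False
    if today > request.pin_expires:
        return False
    digest = hashlib.sha256(submitted.strip().encode()).digest()
    ok = hmac.compare_digest(digest, request.pin_hash)
    if ok:
        request.verified = True
        request.pin_hash = None   # invalidate after one successful use
    return ok


if __name__ == "__main__":
    req = AccessRequest("cust-1001", "unknown@mail.example", date(2024, 1, 31))
    print("sender matches record:", sender_matches_record(req))
    print("respond by:", response_deadline(req.received))
    code = issue_pin(req, req.received)
    print("post code to:", delivery_address_for_pin(req))
    print("verified:", verify_pin(req, code, date(2024, 2, 5)))
```

A request whose sender matches the record can be answered without the extra round trip; one that does not match gets the code posted to the stored address, and the case file only ever holds the hash of the code, so a leaked case record does not let anyone complete the verification.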
If the identity of the data subject has been verified, the information can be transmitted to him or her. A complete disclosure must contain the following information:
To date, no retention period for access requests has been established by law, but it is recommended that right-of-access requests and the information provided in response be retained until the three-year statute of limitations has expired. Since these requests and responses are retained only to defend against unjustified claims, they should be stored separately from other data. It is also advisable to "lock" these records, meaning they should be accessible only to a few people within the company or authority.
Would you like to learn more about data protection? Please contact us, during a free initial consultation we will analyze your needs together.