Do you know what you need to do if someone requests to access the personal data you hold about them? The GDPR has some specific requirements for honoring this right to access, such as what your response must include and how long you have to respond.
Learn more here: https://www.termsfeed.com/blog/gdpr-subject-access-requests/
The right of access is one of the eight data subject rights set forth by the GDPR. This right allows individuals to obtain information from you about what personal data you hold about them and how you use it. An individual exercises the right of access by making a subject access request.

So how must you respond to one of these requests?
You'll have one month (two, in exceptional circumstances) to respond with the following eight pieces of information regarding the requesting individual.
1. What categories of personal data you have for that individual

The categories must be user-specific. This means that if you don't actually have the home address of the person in your database, don't include it in this section of your response.
2. The purposes for your data processing

State why you have the data and what you're doing with it.
3. What recipients or categories of recipients you disclose the data to

You don't need to list the recipients by name. You can, but including categories is sufficient here.
4. How long you plan to keep the personal data

Provide a specific period of time in years or months when possible. If that is not possible, include your criteria for determining when the data will be deleted.
5. The right to rectification, erasure, and to object to or restrict further processing of data

These rights must be disclosed to the individual in your response.
6. The right to complain to authorities

Inform the individual that there is a right to complain to the relevant Data Protection Authorities about your privacy practices or your response.
7. Sources, aside from the individual, that you've received personal data from

If you hold data about the individual that you did not receive from the individual directly, disclose information about these other sources.
8. Whether you use automated decision-making, and what you use it for

Provide information about the automated algorithm you use and how it may affect the individual.
Remember:

- Include a clause in your Privacy Policy that informs your users about their right of access and how to exercise it.
- Send your response within one month, or request an additional month if necessary.
- Provide your response for free unless the request is "excessive" or "manifestly unfounded".
- You can ask the individual for identification if necessary.
- In limited circumstances, you may be able to refuse an access request.