GDPR data subject rights & right to information
In the experience of a data protection officer, the request for information under Art. 15 GDPR is the most frequently used data subject right under the General Data Protection Regulation, alongside the right to erasure (Art. 17 GDPR) or the right to object to advertising (Art. 21 (2), (3) GDPR).
The right of access has the advantage for the applicant/data subject that they can obtain almost all information on the processing of personal data that a company has on this data subject with a simple request. The request for information creates the transparency for the data subject in terms of data processing that data protection under the GDPR aims to achieve.
However, this can result in considerable organizational difficulties for companies. The first hurdle is the amount and variety of information that needs to be provided. The GDPR stipulates exactly what information the data subject must receive about "their" data:
- the purposes of the processing of personal data;
- the categories of data processed (e.g. name, date of birth, hobbies, etc.);
- Recipients or categories of recipients to whom the personal data have been or will be disclosed, in particular if the recipients are located outside the EU;
- where possible, the envisaged period for which the personal data will be stored, or, if not possible, the criteria used to determine that period;
- the existence of other data subject rights, namely the right to rectification or erasure, the right to restriction of processing and the right to object;
- the right to lodge a complaint with the competent supervisory authority;
- if the personal data have not been collected from the data subject, all available information about the origin of the data;
- the existence of automated decision-making, including profiling and, in these cases, meaningful information about the logic involved in the profiling and the scope and intended impact of this measure on the data subject.
It is this combination of legal requirements and time pressure that can make requests for information a considerable risk for companies.
If information is not provided on time or is incomplete, a dissatisfied data subject can quickly lodge a complaint with the supervisory authority. In the worst case, this can lead to a fine for the company.
For these reasons, a responsible company must be prepared in advance for a request for information.
As a first step, a central point of contact should be created. Requests for information that are received in the wrong place and circulate in the company for days can considerably shorten the remaining time of the one-month period. The data protection officer is of course a good point of contact here. If no data protection officer has been appointed, another person must take on this task. Of course, it is also important to inform all colleagues about this contact point. This central point of contact also has the task of verifying the identity of the applicant. If it is not certain that the applicant is who they claim to be, the company can request further information. Only when it is certain that it is the right person should you proceed.
The next step is to create a process that allows all the necessary information to be gathered as quickly as possible. This can be done with the help of employees who know where to find the necessary information, such as department heads or IT staff. This approach naturally ties up employees. Depending on the complexity of the infrastructure from which this information has to be extracted, several colleagues can spend weeks gathering the necessary information.
Request for information via 2B Advice PrIME
Another option is a software-supported solution. 2B Advice PrIME can be used to answer a request for information promptly and process it within the company. In 2B Advice PrIME, requests can be received centrally via a ticket system and created as tickets. Separate workflows can be defined and stored for each type of data protection request (information, deletion, correction, revocation, etc.). In this way, company processes can be mapped in 2B Advice PrIME.
A workflow assigns measures to individual employees in the company, which are processed by the respective employee. The company always has an overview of the processing status of the request for information and can intervene at any time if something is stuck.
This software-supported processing means that all steps of the request for information can always be documented. In one measure, it is possible to set an internal deadline by which the information must be provided. By setting deadlines, the central point of contact can ensure that the request for information is processed within the statutory period. 2B Advice PrIME also has extensive reporting functions that allow data protection requests to be monitored. The ability to fully document this process enables you to prove that you have done everything the law requires of you in the event of a dispute with the data subject. This also enables you to comply with the accountability requirement imposed on companies by Art. 5 para. 2 GDPR in data protection matters.
The functions in 2B Advice PrIME provide employees with optimum support when processing requests. This means that requests for information are always under central control and the risk of penalties is minimized.
Conclusion of the request for information
With their right to information, the data subject is also entitled to a copy of this information. However, this must not be understood in a way that allows the data subject to "access" all personal data. For example, no data may be disclosed that concerns persons other than the applicant or internal business secrets. For this reason too, a thorough process must be in place that also prevents unauthorized data from flowing to the applicant.
Once the process has been completed and all the necessary information has been compiled, the North Rhine-Westphalia supervisory authority believes that this should only be sent to the applicant by post. Sending it by e-mail is too insecure. However, if you have set up measures to ensure the secure electronic transfer of data, this method may also be permissible.
English 
German 
Italian 
French