GDPR data subject rights & right to information
In the experience of a data protection officer, the request for information under Art. 15 GDPR is the most frequently used data subject right under the General Data Protection Regulation, alongside the right to deletion (Art. 17 GDPR) or the right to object to advertising (Art. 21 para. 2, 3 GDPR).
The right to information has the advantage for the applicant/affected party that they can obtain almost all the information on the processing of personal data that a company has on this data subject. With regard to data processing, the request for information creates for the data subject the transparency that data protection under the GDPR would like to achieve.
However, this can result in considerable organizational difficulties for companies. The first hurdle is the amount and variety of information that needs to be provided. The GDPR prescribes exactly what information about "their" data the affected person must be given access to:
- the purposes of the processing of the personal data;
- the categories of data processed (e.g. name, date of birth, hobbies, etc.);
- Recipients or categories of recipients to whom the personal data have been or will be disclosed, in particular if the recipients are located outside the EU;
- where possible, the envisaged period for which the personal data will be stored, or, if not possible, the criteria used to determine that period;
- the existence of further rights of data subjects, namely the right to correction or deletion, the right to restriction of processing and the right to object;
- the right to lodge a complaint with the competent supervisory authority;
- if the personal data have not been collected from the data subject, all available information about the origin of the data;
- the existence of automated decision-making, including profiling, and, in these cases, meaningful information about the logic involved and the scope and intended effects of this measure for the affected person.
It is this combination of legal requirements and time pressure that can make requests for information a considerable risk for companies.
If information is not provided on time or is incomplete, a dissatisfied data subject can quickly complain to the supervisory authority. In the worst case, this can lead to a fine for the company.
For these reasons, a responsible company must be prepared in advance for a request for information.
As a first step, a central point of contact should be created. Requests for information that are received in the wrong place and circulate in the company for days can considerably shorten the remaining time of the one-month period. The data protection officer is of course a good point of contact here. If no data protection officer has been appointed, another person must take on this task. Of course, it is also important to inform all colleagues about this contact point. This central point of contact also has the task of verifying the identity of the applicant. If it is not certain that the applicant is who they claim to be, the company can request further information. Only when it is certain that it is the right person should you proceed.
The next step is to create a process that allows all the necessary information to be gathered as quickly as possible. This can be done with the help of employees who know where to find the necessary information, such as department heads or IT staff. This approach naturally ties up employees. Depending on the complexity of the infrastructure from which this information has to be extracted, several colleagues can spend weeks gathering the necessary information.
Request for information via 2B Advice PrIME
Another option is a software-supported solution. 2B Advice PrIME can be used to answer a request for information promptly and process it within the company. In 2B Advice PrIME, requests can be received centrally via a ticket system and created as tickets. For every type of data protection request (access, erasure, rectification, revocation, etc.), you can define and store your own workflows. In this way, company processes can be mapped in 2B Advice PrIME.
A workflow assigns measures to individual employees in the company, which are processed by the respective employee. The company always has an overview of the processing status of the request for information and can intervene at any time if it gets stuck at any point.
This software-supported processing means that all steps of the request for information can always be documented. In one measure, it is possible to set an internal deadline by which the information must be available. The central point of contact can use deadlines to ensure that the request for information is processed within the statutory period. 2B Advice PrIME also has extensive reporting functions that allow data protection requests to be monitored. The ability to fully document this process enables you to prove that you have done everything the law requires of you in the event of a dispute with the data subject. This also enables you to comply with the accountability requirement imposed on companies by Art. 5 para. 2 GDPR in data protection matters.
The functions in 2B Advice PrIME provide employees with optimum support when processing requests. This means that requests for information are always under central control and the risk of penalties is minimized.
Conclusion of the request for information
With his or her right of access, the data subject is also entitled to a copy of this information. However, this must not be understood in a way that allows the data subject to "access" all of their personal data. For example, no data may be disclosed that concerns persons other than the applicant or internal business secrets. For this reason too, a thorough process must be in place that also prevents unauthorized data from flowing to the applicant.
Once the process has been completed and all the necessary information has been compiled, it should, in the opinion of the supervisory authority of North Rhine-Westphalia, only be delivered to the applicant by post. Sending by e-mail is too insecure. However, if you have set up measures to ensure the secure electronic transfer of data, this method may also be permissible.





