How Does Your Company Manage Data Subject Requests?
When compared with previous data protection legislation, the General Data Protection Regulation (“GDPR”) offers data subjects more rights and imposes stricter obligations upon data controllers.
The GDPR clarified the relationship between data subjects (i.e., the individuals whose personal data is subject to processing) and data controllers (those ultimately responsible for processing individuals’ personal data) by further empowering data subjects. To better understand the new rights available to data subjects, this article will not only examine their rights under the GDPR, but will also look at how data controllers can respond to subjects’ requests.
Data subject rights
First and foremost, the most talked about right available to data subjects under the GDPR is the right to be forgotten – data subjects are able to contact data controllers and request that all the personal data that is held about them be deleted. In an effort to keep data controller files up to date and accurate, data subjects also have the power to request that any personal data held about them that is either incorrect or even out of date is rectified. Furthermore, data subjects also have the right to restrict or object to certain processing activities in certain circumstances.
It has been said many times before that the GDPR aims to increase transparency and accountability in the world of data processing. To that end, the GDPR grants data subjects greater access to their personal data stored by data controllers. As such, data subjects broadly have the right to:
Fair processing of information and transparency over how their personal data is used
Access to their personal data
Request that any mistakes in their personal data be rectified
Require the erasure of personal data (the “right to be forgotten”)
Receive personal data in a structured, commonly used and machine-readable format and have the right to transmit that personal data to a third party (“data portability”)
Object at any time to processing of their personal data (including for direct marketing)
Object to decisions being taken by automated means which produce legal effects concerning the data subject or similarly significantly affecting the data subject (including profiling)
Object to the continued processing of their personal data
Restrict the processing of their personal data
Data controllers also have an obligation to inform data subjects of certain rights, such as their right to be forgotten or their right to correct inaccurate or false data, as well as their right to file a complaint with the relevant supervising authority if they are not satisfied that their rights have been respected, or are unsure how their personal data is being processed.
It is also possible for data subjects to be represented by a third-party when making data subject requests and/or exercising their rights. However, in such cases, data controllers must assure themselves that the third-party is indeed authorised by the data subject to act on his/her behalf, proof of which falls on the shoulders of said representative.
The ICO (the UK’s national supervising authority) has explained that in most cases, a data subject’s request to have access to his or her personal data is generally valid. However, the data subjects must provide sufficient information so that the data controller is able to understand what is being requested, and to find what specific information data subjects are looking for, as well as confirmation of which right is being exercised.
Given all the information stated above, data controllers can find navigating the GDPR landscape quite challenging, such as in the context of an employee (data subject) / employer (data controller) relationship.
How to respond to data subject requests
A valid request should normally be made in writing, but there is no prescribed form and as a result, the request can also be made verbally. Hence, data controllers need to know how to recognize and access a request from a data subject and understand when and how the different rights apply.
It is also good practice for data controllers to have a policy in place on how to receive data subject requests. Data controllers should ensure they have processes in place so that they can respond to a request from a data subject in a timely manner and without undue delay.
Putting standardized forms at the disposal of data subjects makes it easier for individuals to exercise their rights, and also assists data controllers to identify the various requests. Article 59 of the preamble to the GDPR recommends that such standardized forms be made available in electronic form.
What to do once a data subject request has been received?
Once a request is received, data controllers must respond to data subjects in a concise, transparent and accessible manner.
Data controllers must also respond to the data subjects in writing (including electronic means) using plain language.
Furthermore, requests must be responded to promptly by data controllers, and in any case within 30 days of receipt of a complete request at the latest. This period may be extended by up to 2 additional months provided that the data controller informs the data subject within the original 30-day time frame about the need and reasons for the extension.
In certain situations, data controllers may be entitled to refuse to disclose information if such disclosure could cause prejudice to their organisation. This is the case when the information requested is confidential, relates to the company’s future plans, or is relevant to ongoing legal negotiations or procedures. Alternatively, data controllers can also redact sensitive company information, as the data subject rights only relate to their personal data and not to data at large. Before refusing to adhere to a data subject request, it is important to keep relevant documents and evidence and also to seek legal advice to avoid any unnecessary liability.
What about data subject requests made in bad faith?
Data controllers may refuse to respond to a request if it is manifestly unfounded or excessive, for example, if a request is repetitive or excessive in nature. In this case, the data controller has two options:
Charge a reasonable fee considering the administrative costs necessary to respond; or
Undertake the request, or simply refuse to act.
Furthermore, if doubts surrounding the data subject’s identity arise, data controllers can ask for additional information in order to confirm their identity.
In any event, if a request is refused, the data controller must inform the data subject of the reasons why they did not take action, of his or her right to file a complaint with a supervisory authority and of his or her ability to exercise this right through legal recourse.
In sum, data subjects’ rights under the GDPR are not necessarily absolute, and data controllers have tools at their disposal to adequately deal with their requests, such as by implementing processes and procedures about how such requests can be formulated and tracked, and by utilizing certain grounds to refuse complying with requests in instances of bad faith. Nonetheless, it is usually wise to seek individual legal advice on a case-by-case basis, especially in the event of complex requests, and particularly if, as a data controller, you are considering whether such a request needs to be adhered to.
Should you need any specific advice in relation to data subject requests, then please do not hesitate to get in touch!
Article by Charlotte Gerrish and Justin Boileau @ Gerrish Legal, July 2019