19# Data Subject Rights – Introduction

As you might remember, in the previous post in our series, Albin explained data protection by design and by default. This Tuesday, which happens to be the Swedish holiday of Lucia, we’re going to take a closer look at one of the central concepts of the GDPR –the data subjects’ rights (DSR). Get your candles and saffron buns ready!

The DSR consists of the right to:

• Access
• Rectification
• Erasure
• Restrict processing
• Data portability
• Object
• Not be subject to a decision based solely on automated processing

However, before we dig deeper into the actual rights, we’re going to take a look at some common rules you have to comply with when managing data subjects’ requests to fulfil your obligations under the GDPR.

The rules include:

1. Confirming the identity of the individual who submitted the request to you
2. Responding to the requests without undue delay and free of charge
3. Having an appropriate process in place in your organisation to be prepared to respond to requests
4. Facilitating the exercise of the data subjects’ rights

Let’s start with the rule of confirming the identity of the individual submitting the request. This entails that if you have doubts regarding if the requestor is the data subject, you have to request additional information to confirm the individual’s identity. However, you should keep in mind that this additional information should be relevant, appropriate and necessary for identification since requesting excessive information could result in a breach of the data minimisation principle. We suggest that you should only request types of personal data that you’ve already obtained regarding the data subject.

Moving on to the second rule regarding responding to the requests without undue delay and free of charge. You might wonder what “without undue delay” actually means. What is considered “late” under the GDPR? The answer is that you must respond to the request at the latest within one month. If you don’t intend to comply with the request or where you expect a delay, you need to provide the reason for this. If the expected delay becomes a reality, you also have to communicate the reason for this, and the delay may not be longer than two months.

Whereas a request from a data subject should generally be free of charge, there are derogations to this. If you find requests from data subjects to be manifestly unfounded or excessive, for example, if they are repetitive in character, you can either refuse to act on the request or charge a reasonable fee. A request could be manifestly unfounded if the individual clearly has no intention to exercise their rights, or if the request is malicious in intent. However, remember that a case-by-case assessment is always required.

Next in line is the rule of having an appropriate process in place to respond to requests. There’s no mention in the GDPR of how your organisation is supposed to be able to respond to requests from individuals. Essentially, you should be prepared for requests both in written and oral form. To guide you further, as a matter of best practice, you are encouraged to implement a ‘data subject request procedure’ to outline how you intend to manage requests and guide your staff through this process.

Lastly, we have the rule of facilitating the exercise of data subject rights. It requires you to provide methods for facilitating and respecting data subjects’ rights. For example, making the requested data available to the individual through their user account or directing them to the correct channel to submit their request. The methods in question should be adapted to fit your organisation.

DPOrganizer’s tool makes responding to data subject requests easy by creating the case, and having a case log readily available, but also by mapping your processing operations, which would be a time-saver in identifying what data are processed, where, and how. Our Professional Services team is always here to assist you if you have any questions regarding compliance with the GDPR. You can always email my colleague Albin (albin.thelin@nulldporganizer.com). For more information on responding to requests, please have a look at the EDPB Guidelines and the ICO Guidelines.

Now that you know a bit more about how to manage data subject requests, in the following posts we’re going to discuss the actual subject matter of the request, starting with the right to access. Bye for now, and have a nice week!