Responding to Data Subject Rights

line

Last modified: January 13th, 2022
This page is regularly updated to reflect continued monitoring, accuracy and comprehensiveness.

DSR procedure
Back to GDPR

Introduction

Within the meaning of GDPR, “Personal data” means any information relating to an identified or identifiable natural person (“data subject”). GDPR grants data subjects a range of specific data subject rights they can exercise, with exceptions. Data subject requests are not new, but GDPR introduced some changes to further protect their rights.

GDPR compliance among others means enabling the exercise of these rights. Failure to respond to DSRs can leave organizations open to the higher level of administrative fines under the GDPR: €20 million or up to 4% of annual global turnover – whichever is greater.

Data Subject Rights

The right to be informed

The right of access

The right to rectification

The right to erasure

The right to restrict processing

The right to data portability

The right to object

Rights in relation to automated decision making and profiling.

Learn about data subject rights →

What is Data Subject Rights Request?

Data Subject Rights (DSRs) request is request about (and identifying) a living person, made by that person or by a third party with appropriate authority acting on behalf of the person to exercise their rights, governed by Article 15 of the GDPR. 

Under Article 12(2) of the GDPR, comply with a DSR without undue delay and, in any event, within one month (i.e. a calendar month) of receiving a request from a data subject or their representative. Any refusal of a DSR must also meet this timescale.

Taking account of the complexity and number of requests made by the data subject, the period for responding may be extended by a further period of two months. Data subject must be informed of any extension, with reasons, within one month of receipt of the request.

Data Subject Rights Request Handling Procedure

DS Requests under GDPR apply to personal data/information/files/records relating to data subjects. The following general points apply to all of the requests described in this document and are based on Article 12 of the GDPR:

  1. We have to provide requested Information to the data subject in a concise, transparent, intelligible and easily accessible form, using clear and plain language.
  2. Data subjects can make a request verbally or in writing. It can also be made to any part of Vendasta (including by social media) and does not have to be to a specific person or contact. It does not have to include the title of the request formally or mention Article number of the GDPR, as long as it is clear that the data subject is making a request about it’s own personal data.
  3. We have a legal responsibility to identify data subject ( if a representative is acting on behalf of data subject then we have a legal responsibility to verify it’s authorization as well). In case of doubt about identity, we may request further information to establish it.
  4. We must act on a request from a data subject, unless we are unable to establish their identity.
    1. We must provide information without undue delay and within a maximum of one month from the receipt of the request.
    2. The response timescale may be extended by up to two further months for complex or a high volume of requests – the data subject must be informed of this within one month of the request, and the reasons for the delay given.
  5. If a request is made via electronic form, the response should be via electronic means where possible, unless the data subject requests otherwise.
  6. If it is decided that we will not comply with a request, we must inform the data subject without delay and at the latest within a month, stating the reason(s) and informing the data subject of their right to complain to the supervisory authority.
  7. Generally, responses to requests will be made free of charge, unless they are “manifestly unfounded or excessive” (Article 12 of the GDPR), in which case we will either charge a reasonable fee or refuse to action the request but the data subject must be informed of this within one month of the request, with the reasons.

Important to Note:

Pursuant to Article 29, the GDPR simply states to use “all reasonable measures” to verify the identity of  requestor and ensure to not disclose personal data to the wrong person, infringe any data subject rights, or make it too difficult for the data subjects to exercise their rights, any of which would violate the GDPR.

Data Subject Rights Request Procedural Flowchart

The procedure for responding to requests from data subjects is set out in the flowchart below. The specifics of each step in the procedure may vary according to the type of request involved.

Figure 1

DSR Procedure Figure 1

Figure 2 … Cntd.

DSR Request Procedure Figure 2

Figure 3 … Cntd.

DSR Request Procedure Figure 3  

Summary of Data Subject Rights by Lawful Basis of Processing

The following table shows which rights of the data subject are relevant to each basis of lawful processing. It should be used as a general guide only, as the specific circumstances may affect the validity of the request.

Right of the data subject Basis of lawful processing
Consent Contractual Legal Obligation Vital Interests Public Interests Legitimate Interests
Withdraw consent
Be informed
Access
Rectification
Erasure/forgotten
Restrict processing
Data portability
Object N/A
Automated decision making and profiling N/A
Note

All of the above assume that:

  1. the personal data are being lawfully processed
  2. The personal data are necessary in relation to the purposes for which they were collected or otherwise processed

If this is not the case, then further investigation must be made regarding the validity of the request.