GDPR For Small Businesses - Part 2: Data Subject Rights
In our previous post, we looked at the data protection basics that SMEs need to understand as part of the journey towards compliance with the GDPR. Having covered what personal data is, what is considered sensitive data, and what the key principles of the GDPR are, we move on to Data Subject Rights and how your organization can respect the rights the GDPR grants to individuals.
According to the GDPR, data subjects have the following rights:
- Right of Access: Data subjects have the right to obtain confirmation as to whether or not personal data concerning them is processed, and where that is the case they have the right to request and get access to that personal data.
- Right to be Forgotten: Officially called the “Right to Erasure”. In certain cases, data subjects have the right to obtain the erasure of their personal data.
- Right to Data Portability: Data subjects have the right to receive their personal data from data controllers in a structured format, and they have the right to transmit such personal data, or have it transmitted, to another controller.
- Right to Restriction of Processing: Under the GDPR, data subjects have the right to obtain the restriction of processing, applicable for a certain period and/or in certain situations.
- Right to Object: In certain cases, data subjects have the right to object to the processing of their personal data, including with regard to profiling. They have the right to object to further processing of their personal data insofar as such data has been collected for direct marketing purposes.
- Right to Rectification: Data subjects have the right to obtain the rectification of inaccurate personal data and they have the right to provide additional personal data to complete any incomplete personal data.
- Right to Reject Automated Individual Decision-Making: Data subjects have the right to not be subject to a decision based solely on automated processing.
The EDPB’s Data Protection Guide for Small Businesses includes a series of practical examples for each of the data subject rights that individuals have under the GDPR. You can find these by going here.
Checklist of what to do concerning data subject rights
- Be prepared: Develop systems and procedures to respond to data subject rights requests and train your staff to integrate data subject rights requests into your internal workflows.
- Facilitate the exercise of rights: Make it easy for data subjects to know what their rights are and how to contact you to exercise them.
- Know your data flows: Keep your register up to date to rapidly identify the data you process and to locate and retrieve information efficiently.
- Answer within 1 month: Always answer a data subject request within one month. If you need additional time to answer, or if you cannot comply with the request, inform the data subject of this within the one-month period.
- Pass it on: When you receive a request concerning personal data you have transferred to other recipients, do not forget, if need be, to inform the recipients of the result of the request.
- Document: Keep track of requests from data subjects, record your answers, and also record your reasoning whenever you do not reply to a request.
How to handle data subject rights requests
- communicate with data subjects in a clear and understandable language;
- facilitate the exercise of these rights, in particular via electronic means;
- you should respond to an individual’s access request in the same way the request was made, or in the way in which the data subject specifically asked for a response;
- respond within the given time frame (1 month);
- if you need more time, you may extend this by 1 more month but you have to inform the data subject;
- if the request is manifestly unfounded or excessive, and you can prove this, you are allowed to either charge a reasonable fee or refuse to grant the request;
- if you have doubts about the identity of the data subject, you are allowed to request additional information to confirm their identity;
- if you refuse a data subject request you have to inform the requester of this within 1 month of the request. In addition, you must inform the data subjects of the possibility of lodging a complaint with their national data protection authority and seeking a judicial remedy.
- you cannot charge fees for responding to data subject requests, however if a request is manifestly unfounded or excessive you are allowed to charge a fee but have to inform the data subject beforehand to allow them to withdraw their request.
In the next part of this Guide we will take a look at how you can be compliant with the GDPR. To view the first part of this Guide, click here. Additionally, you can read our overview of the GDPR by navigating to our website’s Resources section where you will find it listed among the other privacy regulations Clym supports currently.
For your convenience, here is a direct link to our EU GDPR Overview.