Responding to Data Subject Rights
Last modified: January 13th, 2022
This page is regularly updated to reflect continued monitoring, accuracy and comprehensiveness.
Introduction
Within the meaning of the GDPR, “personal data” means any information relating to an identified or identifiable natural person (the “data subject”). The GDPR grants data subjects a range of specific rights they can exercise, subject to exceptions. Data subject requests are not new, but the GDPR introduced changes to further protect these rights.
GDPR compliance means, among other things, enabling the exercise of these rights. Failure to respond to data subject requests (DSRs) can leave organizations open to the higher level of administrative fines under the GDPR: €20 million or up to 4% of annual global turnover, whichever is greater.
Data Subject Rights
- The right to be informed
- The right of access
- The right to rectification
- The right to erasure
- The right to restrict processing
- The right to data portability
- The right to object
- Rights in relation to automated decision making and profiling
What is a Data Subject Rights Request?
A Data Subject Rights request (DSR) is a request about (and identifying) a living person, made by that person or by a third party with appropriate authority acting on their behalf, to exercise their rights; it is governed by Article 15 of the GDPR.
Under Article 12(2) of the GDPR, we must comply with a DSR without undue delay and, in any event, within one month (i.e. a calendar month) of receiving the request from the data subject or their representative. Any refusal of a DSR must also meet this timescale.
Taking account of the complexity and number of requests made by the data subject, the period for responding may be extended by a further two months. The data subject must be informed of any extension, with reasons, within one month of receipt of the request.
Data Subject Rights Request Handling Procedure
DSRs under the GDPR apply to personal data/information/files/records relating to data subjects. The following general points apply to all of the requests described in this document and are based on Article 12 of the GDPR:
- We have to provide the requested information to the data subject in a concise, transparent, intelligible and easily accessible form, using clear and plain language.
- Data subjects can make a request verbally or in writing. It can be made to any part of Vendasta (including by social media) and does not have to be addressed to a specific person or contact. It does not have to carry a formal title or mention an Article number of the GDPR, as long as it is clear that the data subject is making a request about their own personal data.
- We have a legal responsibility to identify the data subject (and, if a representative is acting on behalf of the data subject, to verify the representative’s authorization as well). In case of doubt about identity, we may request further information to establish it.
- We must act on a request from a data subject, unless we are unable to establish their identity.
- We must provide information without undue delay and within a maximum of one month from the receipt of the request.
- The response timescale may be extended by up to two further months for complex requests or a high volume of requests; the data subject must be informed of this within one month of the request, with the reasons for the delay given.
- If a request is made via electronic form, the response should be via electronic means where possible, unless the data subject requests otherwise.
- If it is decided that we will not comply with a request, we must inform the data subject without delay and at the latest within a month, stating the reason(s) and informing the data subject of their right to complain to the supervisory authority.
- Generally, responses to requests will be made free of charge, unless the requests are “manifestly unfounded or excessive” (Article 12 of the GDPR), in which case we will either charge a reasonable fee or refuse to action the request; either way, the data subject must be informed of this within one month of the request, with the reasons.
Important to Note:
Pursuant to Article 29, the GDPR simply requires the use of “all reasonable measures” to verify the identity of the requestor and to ensure that we do not disclose personal data to the wrong person, infringe any data subject rights, or make it too difficult for data subjects to exercise their rights; any of these would violate the GDPR.
Data Subject Rights Request Procedural Flowchart
The procedure for responding to requests from data subjects is set out in the flowchart below. The specifics of each step in the procedure may vary according to the type of request involved.
Figures 1 to 3: Data Subject Rights Request procedural flowchart (continued across three figures).
Summary of Data Subject Rights by Lawful Basis of Processing
The following table shows which rights of the data subject are relevant to each basis of lawful processing. It should be used as a general guide only, as the specific circumstances may affect the validity of the request.
Right of the data subject | Consent | Contractual | Legal Obligation | Vital Interests | Public Interests | Legitimate Interests
---|---|---|---|---|---|---
Withdraw consent | | | | | |
Be informed | | | | | |
Access | | | | | |
Rectification | | | | | |
Erasure/forgotten | | | | | |
Restrict processing | | | | | |
Data portability | | | | | |
Object | N/A | | | | |
Automated decision making and profiling | N/A | | | | |

The column headings under “Basis of lawful processing” are the six lawful bases of Article 6 of the GDPR.
Note
All of the above assumes that:
- the personal data are being lawfully processed
- the personal data are necessary in relation to the purposes for which they were collected or otherwise processed
If this is not the case, then further investigation must be made regarding the validity of the request.