Some of you have already received them: inquiries from data subjects who would like to know what personal data your company has stored about them, have their data deleted, or assert other data subjects’ rights. Articles 13 to 21 of the GDPR deal with this matter, from the right of information to the “right to be forgotten” (erasure) and the right to object (“opt-out”). Here are the five most important to-do’s you should consider when dealing with inquiries from data subjects:
- Respond to the request within the legal period of 30 days. Failure to respond to an inquiry may result in a fine.
- Sensitize all employees so that they know what to do when confronted with requests from data subjects.
- Develop a process for responding to requests from data subjects at an early stage. A concept for the rights of the data subjects might be helpful in this matter.
- Implement a procedure to verify the identity of the person concerned and check in advance to what extent your company is obliged to provide the requested information.
- Check whether deletion requests conflict with legal retention obligations. In that case, you still have to answer, but you can reject such requests with a good reason.
ePrivacy provides a checklist about the most important to-do’s in dealing with the rights of the data subjects – please contact us for further advice.