What should be kept in mind when processing personal data?
Handling requests from data subjects exercising the rights set out in Articles 15 to 23 GDPR (including the so-called "right to be forgotten") is one of the major challenges faced by data controllers. In order to fulfil this obligation properly, a number of basic rules relating to the receipt and processing of requests must be observed.
- Verify the identity of the person making the request
Requests by data subjects may be made through various channels, including electronically and in person. The request itself often does not indicate who the author actually is, especially when it is sent from an e-mail address unknown to the administrator. It may also be the case that a request for a copy of the data, or for its transfer, is in fact an attempt by a third party to obtain the data by fraud.
In order to avoid unauthorised disclosure or deletion of data, where there is doubt as to the identity of the requester, additional identification should be carried out, e.g. on the basis of data already held by the administrator. Persons making a request in person may be asked to identify themselves (without a copy of the identity document being taken). E-mail applicants may be asked to provide information that the administrator already holds in its database (phone number, customer number, date of birth, etc.).
If the request is made by an attorney, it is necessary to ask for a power of attorney document and to check whether its scope actually authorises the request on behalf of the data subject.
Attention! Verifying the identity of the person making the request must not lead to the excessive collection of personal data that the controller does not already process at the time the request is received (e.g. asking for a PESEL number in order to unsubscribe from a newsletter).
- Keep an eye on the deadline for responding to your request
As a rule, the controller has one month to inform the data subject that the request has been executed or refused. The receipt of the request should therefore be recorded in the register of data subject requests, so that everyone handling the request knows how much time he or she has to complete the task. Acting on a request may require cooperation between different departments of the organisation, which creates the risk of exceeding the prescribed period.
If necessary, the deadline for the reply may be extended by a further two months because of the complexity of the request or the number of requests. The data subject must be informed that the time limit has been extended and why the case requires longer proceedings, and this information must be provided within one month of receipt of the request.
Since a request may be received not directly by the controller but by the processor, it is advisable to set out in detail in the data processing agreement how and when the request is to be forwarded, so that the controller knows from which date the one-month deadline runs and has sufficient time to decide on the execution of the request.
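To make the rules above concrete, here is an added example (not part of the original text) of a minimal register entry for a data subject request: it computes the one-month reply deadline, allows the two-month extension only while the extension notice can still be sent within the first month, and verifies identity solely against attributes the controller already holds. The `DSAR` class, `required` attribute tuple and sample values are constructed for illustration.

```python
from dataclasses import dataclass
from datetime import date
from typing import Optional
import calendar

def iso_date(s: str) -> date:
    return date.fromisoformat(s)

def add_months(d: date, months: int) -> date:
    """Calendar-month arithmetic, clamped to the last day of the target month."""
    m = d.month - 1 + months
    y, m = d.year + m // 12, m % 12 + 1
    return date(y, m, min(d.day, calendar.monthrange(y, m)[1]))

@dataclass
class DSAR:
    """One entry in the register of data subject requests (constructed model)."""
    request_id: str
    received: date            # day the controller itself received the request
    extended: bool = False    # extension notice sent; reply window grows by 2 months
    answered: Optional[date] = None

    def reply_due(self) -> date:
        # one month as a rule, up to two further months if extended
        return add_months(self.received, 3 if self.extended else 1)

    def extension_notice_due(self) -> date:
        # the extension itself must be communicated within the first month
        return add_months(self.received, 1)

    def status(self, today: date) -> str:
        if self.answered is not None:
            return "closed"
        return "overdue" if today > self.reply_due() else "open"

def extend(req: DSAR, today: date) -> bool:
    """Record an extension only while it can still be communicated in time."""
    if today > req.extension_notice_due():
        return False
    req.extended = True
    return True

def verify_identity(held: dict, provided: dict, required: tuple) -> bool:
    """Confirm identity only from attributes the controller already holds.
    Demanding an attribute that is not in `held` would be excessive collection,
    so that is treated as a configuration error, not as a failed match."""
    missing = [k for k in required if k not in held]
    if missing:
        raise ValueError(f"cannot verify using data not held: {missing}")
    return all(provided.get(k) == held[k] for k in required)
```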
- Adjust the language and form of response to the data subject’s request to the recipient
The GDPR requires the administrator not only to respond to the request but also to formulate the response properly: in clear and plain language, in a concise, transparent, intelligible and easily accessible form. For this purpose, the administrator may prepare guidelines or a template for the response, e.g. using pictograms. If the request is refused, the administrator's response must include a clear indication that the data subject may lodge a complaint with the supervisory authority (PUODO) and seek a judicial remedy.
A reply to a data subject's request does not always have to be given in writing. Other forms of contact, including electronic ones, are also acceptable, especially if the request was made in the same way. At the request of the data subject, a reply may also be given orally, in which case their identity must be confirmed. If a form of reply other than written has been chosen, the date and manner of the reply should be noted in the register of data subject requests in order to satisfy the principle of accountability.
Because handling data subjects' requests is a rather complex process, especially in larger organisations, it is good practice to introduce a procedure for the receipt and handling of requests, including the recording of the actions taken, so that the controller can demonstrate that it has fulfilled its obligations under the personal data protection regulations.