The General Data Protection Regulation (GDPR) is a European Union law that governs how companies may collect and use the personal data of EU residents. It establishes standards that help ensure that this data is not stored, handled or shared in a way that would expose individuals to risk. The law also specifies how organizations must respond in case of a data breach.
A key feature of the GDPR is that it codifies a set of specific data subject rights which empower individuals to make specific data subject access requests to organizations. This article details what those requests are and how your organization is required to handle them. It also offers solutions that can help you provide prompt and accurate responses to GDPR data requests so you can avoid penalties of ten million euros or more.
What types of data are covered by the GDPR?
Under the GDPR, EU residents have specific rights concerning the personal data that organizations have about them. Key examples of personal data include:
- Basic identifying information, such as names and addresses
- Financial information, such as bank account details
- Personal characteristics, including nationality, date of birth and gender
- Health information, including details about health conditions and disabilities
- Genetic data, including DNA test results and other information about genetic makeup
- Employment information, such as employee numbers and salaries
- Online identifiers like usernames
- Behavioral data, including details about interests or online activity
- Biometric data, such as facial recognition data
- Location information
What are the stages in a data access request?
When an individual makes a data access request, the first step, of course, is for the organization to see whether the organization is storing or processing any personal data belonging to that person. If not, they need to report that negative finding to the individual, and their job is done.
On the other hand, if the organization is storing or processing data for the person, they must proceed to a second stage and process the individual’s specific request. The next section explains the types of requests and how to handle them.
What requests can individuals make to organizations under the GDPR?
Here are 6 types of requests that individuals exercising their rights under the GDPR can make and what they mean to your organization.
1. What information do you hold on me, and why?
This inquiry is founded in two rights:
- The right to be informed (Articles 13 and 14). EU residents have the right to clear and accurate details about what personal information an organization has collected about them, even if that means knowing that the company has collected no data about them.
- The right of access (Article 15). They are also entitled to know whether and how their personal data is being processed, including the categories of data collected, the purpose of the processing, retention methods and policies, to whom the data is disclosed, how long it will be stored and where the information was obtained.
2. You have incorrect information about me; I want it corrected.
This type of request is founded in the right to rectification (Article 16),whichrequires organizations to ensure that all personal data they store is accurate and up to date. Data subjects have the right to request that inaccurate personal data be corrected or incomplete data be completed.
To ensure compliance, you need tight integration across your all data systems and processes so that data updated in one system is automatically corrected across all other locations.
Request one-on-one demo: Achieving and Proving GDPR Compliance
3. I don’t want you to hold data on me anymore. Please delete it!
This type of request covers two rights:
- The right to erasure (right to be forgotten) (Article 17). A person can request that an organization remove their personal information from its records and resources and immediately cease further dissemination of the data. The company must delete all data that meets any of the following criteria:
- Was collected unlawfully
- Is no longer needed
- Was collected during the person’s childhood
- Appears online
The organization can deny the erasure request if it violates any of the following:
- The right of freedom and expression
- Reasons of public interest in the area of public health or scientific or historical research
- The establishment, exercise or defense of legal claims or a legal charge
Note that even if your company is allowed to retain a person’s data, you need to get their consent for further processing.
Read related blogpost: The Right to Be Forgotten: EU Laws and U.S. Concerns
- The right to restriction of processing (Article 18). If it is unclear whether an individual’s data must be deleted, the person can still request a temporary restriction on its processing until the company fixes the issue, informs the individual and gets consent. Complying with this GDPR right requires case-by-case examination.
4. I want to transfer the information you hold on me to another service provider.
The right to data portability (Article 20) empowers EU residents to require a company to move their personal data to another service provider. This right promotes interoperability by facilitating the transfer of user data between data controllers. It also encourages competition between digital services because users can switch between providers without losing their personal data.
Complying with this provision involves providing the data in a structured, machine-readable format that you can transmit directly to the other party.
5. Stop calling me!
Individuals have the right to object to data processing activities (Article 21), such as using their personal data for marketing or other purposes. Valid reasons for denying this type of request include demonstrating any of the following:
- There is a legitimate need for the processing.
- The request is excessive or unfounded.
- The requested data is used for public, historical or statistical purposes.
- The requested data was used or provided for the exercise of legal claims.
6. Stop allowing your automated system to make decisions that affect my legal interests.
The GDPR also confers rights in relation to automated decision-making and profiling (Article 22). If you have automated decision-making and profiling in place for personal data, you have to provide “meaningful information about the logic involved, as well as the significance and the envisaged consequences of such processing for the data subject.”
The three valid reasons for performing automatic processing and profiling are:
- The person gave their consent.
- The processing is necessary for the entry into or performance of a contract.
- The processing is authorized by a union or member state law applicable to the controller.
To avoid violations that might result in costly fines, ensure that employees do not process information through automated features without verifying there is a valid reason to do so.
Read related blogpost: What is GDPR: 10 Frequently Asked Questions
How can Netwrix help you respond to GDPR requests?
Netwrix’s GDPR compliance software can give you confident that you’re able to handle all these types of data requests smoothly by discovering all information you store about an individual in just a few clicks.
More broadly, Netwrix solutions can help your organization protect all of its sensitive and regulated data. You can establish strong data governance, remove inappropriate access, enforce security policies, and detect advanced threats in a timely manner to avoid the high costs of security breaches and compliance violations.
Our team of experts has a solid understanding of not just the GDPR but the California Consumer Privacy Act (CCPA) and many other data security regulations. They provide organizations with tailored, focused advice to meet their compliance needs. To learn more, sign up for a demo or download a mapping of GDPR requirements and Netwrix functionality.
Frequently Asked Questions
What is a GDPR request?
Data subject access request GDPR requirements allow individuals to ask an organization to provide a copy of the personal data it stores about them, erase their data, transfer the data to another provider, and so on. Organizations that fail to comply with these requests within the specified time period face steep fines.
What is the right of access request under GDPR?
A right of access is also known as “subject access.” This is the right individuals have to access copies of their own personal information and data, as well as supplementary data, under the protection regulation GDPR. The right is designed to empower individuals to know how and why organizations are using their data.
What does the right of access include under GDPR?
The information that data subjects have the right to access under the GDPR includes:
- The categories of personal data being processed
- How long the organization plans to store their personal information
- The recipients or categories of recipients of personal data
- Information about where the data came from
- The existence of any automated decision-making process
If any personal data will be going to a third country without adequate protection, the data subjects need to be told about the safeguards being used to protect their data.
What are the rights of data subjects under the GDPR?
Under the GDPR, data subjects have certain rights that they can exercise in relation to their personal data. These rights include:
- The right to receive all information collected about them
- The right to rectification of erroneous or incomplete data
- The right to restrict processing of their data
- The right to data portability so they can easily switch providers
- The right not to be subject to decisions that are made through only automated processing
- The right to object to the way their data is held or processed
- The right to erasure of data
Do companies need to comply with the GDPR?
Every organization that stores or processes the data of EU residents must comply with the GDPR. Failure to comply can result in fines of up to 2% of the company’s entire global turnover for the preceding fiscal year or 10 million euros, whichever is greater.
