Enabling data subjects to exercise their rights, alongside the obligation to provide information, is one of the fundamental responsibilities of a data controller. The catalogue of rights in Articles 15-22 of the GDPR includes the right of access, the right to rectification, the right to erasure, the right to restriction of processing, the right to data portability, the right to object, and the right not to be subject to a decision based solely on automated processing, including profiling; separately, Article 77 grants the right to lodge a complaint with a supervisory authority. However, before an individual can exercise these rights, the controller should properly inform them of the rights, for example through an information clause, and do so in a way that allows the controller to later demonstrate compliance with this obligation (accountability principle).
Practical issues arise around verifying the identity of an individual who requests, for example, access to the data held by the controller. Before responding, the controller should check what data it actually holds about the requester and, where there are reasonable doubts about the requester's identity, may ask for additional information to confirm it (Article 12(6) GDPR), such as the residential address or telephone number already on file. The verification itself should be proportionate: the controller should not collect more data than is needed to confirm identity. Data controllers typically have procedures in place (e.g., a list of verification questions, or a check that the request originates from the email address registered to the account) that reduce the risk of disclosing data to the wrong person.
Example: A person contacted the data controller and requested information on the duration of their gym membership under a purchased package, their contact details, and any other data held by the controller. In the email, the person provided only the membership card number they received upon registration. Because a card number alone could be known to someone other than the member, appropriate verification of the requester is necessary before responding, to prevent personal data from being disclosed to an unauthorized party.
Responses to requests are typically provided in the same form in which the request was received. If the data subject submitted their request electronically, the information is also provided electronically where possible, unless the data subject asks for a different form, such as in writing or orally. While electronic and written responses should not pose significant problems, an oral response is not always the best solution: the individual's identity must be verified during the conversation, and the controller must afterwards be able to show what was communicated (accountability principle), which usually requires a written record of the call.
The response deadline is one month from receipt of the request and may be extended by a further two months where necessary, taking into account the complexity and number of requests, provided the data subject is informed of the extension and its reasons within the initial month. Fulfilling certain requests, such as the right to erasure (the right to be forgotten), may pose organizational and technical challenges, especially when data is stored in multiple locations (outsourced archiving services, data held on both electronic and paper media, or several processors acting for the controller).
In practice, the controller may face uncertainty about whether and how a given request should be fulfilled. If the exact request of the data subject cannot be determined from what was submitted, the controller should help them specify it. Furthermore, the right to erasure is not absolute: it applies only where one of the grounds in Article 17(1) GDPR is met and none of the exceptions in Article 17(3) applies. Erasure may therefore be refused where the data is still necessary for an ongoing contractual relationship, where the controller has overriding legitimate grounds for continued processing, or where the data is needed for the establishment, exercise, or defence of legal claims.
When assessing the above aspects, the controller should bear in mind that data subjects have the right to lodge a complaint with the supervisory authority (in Poland, the President of the Personal Data Protection Office), which may initiate inspection proceedings, require the controller to provide additional information and explanations, and, consequently, impose an administrative fine for any violations identified.
Legal status as of: October 27, 2021.
This article is for informational purposes only and does not constitute legal advice.
