Establish written procedures
Written procedures to comply with the rights of data subjects
Companies should establish written procedures for meeting the rights of data subjects under the GDPR.
Procedures are a good way to demonstrate GDPR compliance
Companies must be able to demonstrate that they comply with the GDPR (the accountability principle in Article 5(2) GDPR), and it is therefore advisable to have certain GDPR-related agreements and documents in place, such as written procedures. Written procedures also make employees' work more efficient and reduce mistakes, since it becomes clear who should do what, and how.
Eight (8) fundamental rights of data subjects under the GDPR
According to the GDPR, data subjects have, among other things, the right to:

Information (Article 13 GDPR and Article 14 GDPR)
As a general rule, companies must inform data subjects about the processing at the time the personal data are collected from them (Article 13), or within a reasonable period, and at the latest within one month, when the data have been obtained from another source (Article 14). The information is usually set out in a privacy notice.

Access (Article 15 GDPR)
Data subjects have the right to find out whether a company processes their personal data, which data it processes, and to receive a copy of it. In addition, the company must provide information about the processing, such as the purposes of the processing, the recipients of the data, the envisaged retention period, the data subject's other rights, and so on.

Correction (rectification) (Article 16 GDPR)
Companies must process accurate and complete personal data, but it is not uncommon for inaccurate personal data to be processed. For example, a data subject may change their phone number without the company's records being updated. If the person contacts the company to have their personal data rectified or completed, the company shall do so.

Deletion (erasure) (Article 17 GDPR)
Data subjects have the right to ask companies to delete their personal data. This right is also referred to as "the right to be forgotten". In most cases the company must comply, but there are exceptions to erasure, for example where the company needs to continue processing the personal data in order to comply with a legal obligation.

Restriction (Article 18 GDPR)
In certain situations data subjects have the right to have the processing of their personal data restricted, for example while a company is verifying the accuracy of personal data after the data subject has requested rectification. Restricted data may then, as a rule, only be stored, not otherwise processed.

Data portability (Article 20 GDPR)
The right to data portability means that in certain cases data subjects have the right to receive their personal data in a structured, commonly used and machine-readable format, and to have them transmitted directly to another controller, such as a competitor. Note that the right only applies where the processing is carried out by automated means and is based on consent or a contract as its legal basis, and direct transmission to another controller is only required where it is technically feasible.

Objection (Article 21 GDPR)
Data subjects have the right to object to processing where the legal basis is legitimate interest, or the performance of a task carried out in the public interest or in the exercise of official authority vested in the controller. The company must then stop the processing unless it can demonstrate compelling legitimate grounds that override the interests of the data subject. Where the processing is for direct marketing, the objection is absolute: if a data subject objects to direct marketing by e-mail based on legitimate interest, the company must stop.

Automated decision-making, including profiling (Article 22 GDPR)
Automated decision-making under the GDPR means a decision based solely on automated processing, without meaningful human involvement. Data subjects have the right not to be subject to such decisions where they produce legal effects concerning them or similarly significantly affect them. Such decisions are nevertheless permitted where the data subject has given explicit consent, where the decision is necessary for entering into or performing a contract, or where it is authorised by Union or Member State law; in the first two cases the data subject must at least be able to obtain human intervention and contest the decision.
Please note that the GDPR contains more rights than these eight (8), which are the most fundamental. For example, the data subject has the right to withdraw consent at any time under Article 7(3) GDPR, and the right to lodge a complaint with a supervisory authority under Article 77 GDPR.
Can companies verify data subjects who request to have a right fulfilled?
Yes. Where a company has reasonable doubts about the identity of the person making the request, it may ask for additional information to confirm it (Article 12(6) GDPR), and it should do so before acting. This matters because acting on an unverified request is itself a risk: if personal data are disclosed to the wrong person, that constitutes a personal data breach, and the same applies if personal data are erroneously deleted or changed at the request of an impostor. Verification must, however, be proportionate; the company should not collect more personal data than is needed to confirm identity.
Time limit for the exercise of data subject rights
When a data subject contacts a company to exercise a right, the company must respond without undue delay and in any event within one month of receiving the request. The company should aim to complete the request within that month, but the period may be extended by a further two months where necessary, taking into account the complexity and number of requests. Note, however, that the company must inform the data subject of the extension, and of the reasons for it, within the first month. One reason for an extension may be that the company receives an unusually large number of requests at the same time. If the company does not intend to act on the request, it must likewise inform the data subject within one month, stating the reasons and the possibility of lodging a complaint with a supervisory authority.
In addition to written procedures for satisfying data subjects' rights, it is advisable for the company to also have procedures for:
Sharing data internally between employees
Obtaining and withdrawing consent
Social media management and photography
Respond with the action taken
The company shall inform the data subject of the action taken on a request to exercise a data subject's rights. It is also good practice for the company to justify its decisions and to explain clearly the process followed and the measures taken.
What can a procedure for enforcing the rights of data subjects contain?

Receipt
Include information on how and where requests can be received, so that employees know which channels to monitor, for example e-mail, letters, social media and the like. Note that a request is valid regardless of which channel it arrives through.

Verification
Companies may need to verify that the person making the request is indeed the data subject (or someone authorised to act on their behalf). The procedure should state when and how such identification is to take place, as well as which identification methods are not to be used. Requesting a copy of a passport, for example, may be disproportionate in many cases, and the identity data collected for verification should not be kept longer than necessary.

Identification
Identify the systems in which the company processes personal data, for example by reference to the record of processing activities. This makes it easy to locate personal data, to assign responsibility, and to specify how the personal data should be retrieved, deleted or rectified in each system in a way that meets the security requirements of the GDPR.

Assessment
Not all rights apply in all situations. The procedure should therefore specify when each right applies, and which exceptions to it exist, so that the assessment of a request is made consistently.

Reply
Companies must respond to data subjects who request the fulfilment of a right. Ready-made response templates facilitate and streamline the work and reduce the risk of forgetting something. Note that the response must be in a concise, intelligible and easily accessible form, using clear and plain language (Article 12(1) GDPR), not complicated legal language that confuses the reader.

Documentation
Companies must be able to show that they comply with the GDPR, and it is therefore good practice to document much of the GDPR work, for example the steps taken when handling a data subject's request. The procedure should include instructions on what is to be documented, how long the documentation is to be kept and where it is to be stored.
Keep in mind that companies may refuse certain requests
In some cases companies may refuse a data subject's request. For example, a data subject may ask to have their personal data erased while the company must continue to process them in order to comply with a legal obligation. A company may also refuse to act on requests that are manifestly unfounded or excessive, in particular because of their repetitive character, or charge a reasonable fee for them (Article 12(5) GDPR); in that case the company bears the burden of demonstrating that the request is manifestly unfounded or excessive.
Learn more
Procedures for onboarding and offboarding
It is during transition periods, i.e. when a person starts or stops working for a company, that the risk of mistakes and unauthorised access is highest. It is therefore good practice to create procedures for onboarding and offboarding and to explain their content orally as well, in order to minimise misunderstandings and errors. This is an important organisational security measure that many companies adopt.