About Data Request Forms

Most privacy laws give persons (or “data subjects”) a right to access the data you process about them, a right to request the deletion of the data if it is no longer relevant for you to use it, and a right to receive an export file of the data you process about them. There are of course also other rights but these three are, based on our experience, the most frequently submitted requests.

Data Requests Forms in Complianz

In Complianz Premium we offer you the possibility to implement a data request form in your Privacy Statement so that data subjects can make their requests in a uniform way. Underneath your contact details on your privacy statement, a new form will be published that will ask for the name and email address of the data subject and will give them the option to submit one or more requests. To enable this option, please visit the below question in the wizard:

 

Activating that data request form also creates an extra menu within your dashboard where you can handle and respond to the requests you have received.  This way you have processes in place to ensure that you can respond to a subject access request without undue delay.

In short, the most frequently used Data Requests

In most jurisdictions, you should respond within one month of receipt of the request. You may extend the time limit by a further two months if the request is complex or if you receive a number of requests from the individual.

The Right to Access

Individuals have the right to access and receive a copy of their personal data, and other supplementary information. This is commonly referred to as a data subject access request or ‘DSAR’.
Individuals can make DSARs verbally or in writing, including via social media. A third party can also make a DSAR on behalf of another person.

Handling a The Right to Access Request

  1. You should perform a reasonable search for the requested information.
  2. You should provide the information in an accessible, concise, and intelligible format.
  3. The information should be disclosed securely.
  4. You can only refuse to provide the information if an exemption or restriction applies, or if the request is manifestly unfounded or excessive.

More information about how to handle a Request to Access

The Right to Erasure

Under most privacy laws individuals have the right to have their personal data erased if:

  1. the personal data is no longer necessary for the purpose which you originally collected or processed it for;
  2. you are relying on consent as your lawful basis for holding the data, and the individual withdraws their consent;
  3. you are relying on legitimate interests as your basis for processing, the individual objects to the processing of their data, and there is no overriding legitimate interest to continue this processing;
  4. you are processing the personal data for direct marketing purposes and the individual objects to that processing;
  5. you have processed the personal data unlawfully (ie in breach of the lawfulness requirement of the 1st principle);
  6. you have to do it to comply with a legal obligation; or
  7. you have processed the personal data to offer information society services to a child.

You can refuse to erase the information if an exemption or restriction applies, or if the request is manifestly unfounded or excessive.

More information about how to handle a Request to Erasure

The Right to Data Portability

The right to data portability allows individuals to obtain and reuse their personal data for their own purposes across different services.  It allows them to move, copy or transfer personal data easily from one IT environment to another in a safe and secure way, without affecting its usability.

Doing this enables individuals to take advantage of applications and services that can use this data to find them a better deal or help them understand their spending habits.The right only applies to information an individual has provided to a controller.

You can refuse to provide the information if an exemption or restriction applies, or if the request is manifestly unfounded or excessive.

More information about how to handle a Request to Data Portability

Contains public sector information licensed under the Open Government Licence v3.0 from the UK Information Commissioner’s Office website. 

Join 1M+ users and install The Privacy Suite for WordPress locally, automated or fully customized, and access our awesome support if you need any help!

Complianz has received its Google CMP Certification to conform to requirements for publishers using Google advertising products.