Data Subject Rights Management
1.1 Purpose of the document
The General Data Protection Regulation (Regulation EU 2016/679) (hereinafter, also, “Regulation” or “GDPR”) allows data subjects to exercise the following rights in relation to the Data Controller:
- Right of access (Art. 15 GDPR): to obtain confirmation as to whether or not personal data are being processed;
- Right to rectification (Art. 16 GDPR): to request the rectification or completion of the data provided, when inaccurate or incomplete;
- Right to erasure (Art. 17 GDPR): to request the erasure of the data processed (e.g. when they are no longer necessary for the purposes for which they were collected; or in case of withdrawal of consent; or where the processing is unlawful);
- Right to restriction of processing (Art. 18 GDPR): so that the data processed by the controller is marked in order to restrict their processing in future;
- Right to data portability (Art. 20 GDPR): in order to receive personal data, or to have them transmitted to another controller, in a structured, commonly used and machine-readable format.
- Right to object (Art. 21 GDPR): right to object, at any time, to processing of data, unless there are legitimate, overriding grounds for the processing (e.g. for the exercise or defence of legal rights).
- Right to withdraw consent (Art. 7 GDPR): right to withdraw his or her consent at any time. The withdrawal of consent shall not affect the lawfulness of processing based on consent before its withdrawal.
This procedure aims at regulating:
- the overall management of requests by data subjects with regard to rights under Section III of the GDPR (“Rights of data subjects”);
- the roles and responsibilities of the players involved in the procedure;
- regulatory requirements and limits on the exercise of the various rights under the GDPR;
- specific methods of response to data subjects who have exercised one of their rights under the GDPR.
1.2 Identification of the Data Subject
The Controller, by means of its Data Managers, shall adopt all reasonable measures to confirm the identity of a data subject who is exercising rights under the GDPR, especially with regard to online identification.
If the Controller has reasonable doubts as to the identity of the data subject, it may request additional information to confirm their identity (Art. 12(2) of the GDPR). If the data subject duly provides such information, the Controller cannot refuse to act on the request.
If it proves necessary to request further information in order to identify the data subject, the Controller may not collect personal data that are not relevant or necessary to reinforce the link between the data subject and the personal data to which the request relates.
If the request to exercise a right is made orally, the Controller shall ask the data subject to submit the request in written form.
The data subject is not entitled to request access to the personal data of third parties, relatives or friends/acquaintances, except where specifically authorized.
2. General Operating Procedure
The operating procedure for management of the rights of data subjects, based on Article 12 of the GDPR, provides for the following steps, which apply to all of the data subject’s rights:
a) Exercise of rights by data subjects and receipt of the request
Data subjects may exercise their rights towards the Controller entirely free of charge, including through a third party authorized by the data subject and in possession of a duly signed mandate/proxy.
The most common means by which data subjects send such requests are registered mail and e-mail.
4ward S.r.l. has set up a priority channel (firstname.lastname@example.org) for the receipt of requests from data subjects, managed by the Administrative Department.
If the request arrives through another channel, the recipient shall promptly inform the requester to resubmit the request through the priority channel.
The Administrative department, which receives the request by means of the priority channel, will forward the request to the Data Manager in charge of the processing activity. Upon receipt of the request, the Data Manager shall assess whether the request should be considered as the exercise of a right concerning personal data or not and whether the request has been allocated to the correct area. If the result of the preliminary assessment is negative, the Data Manager shall reallocate the request to the correct business function.
The Data Manager is also responsible for checking the identity of the requester on behalf of the Data Controller. If the Data Manager has reasonable doubts about the identity of the requester, he/she shall immediately contact the CEO, who will, where necessary, ask the requester for more information.
The Data Manager and the CEO, supported where necessary by the IT Department and by, shall also assess the feasibility of the request.
b) Processing of the response
If the identity of the requester cannot be proved, or the request is deemed unfounded or excessive, the Data Manager shall contact the CEO who, supported where necessary by the Administrative Department, shall inform the requester without undue delay and, at the latest, within one month of receipt of the request, that the request has been rejected. The CEO shall explain the reasons for not taking action in response to the request.
On the other hand, if the request is legitimate, the Data Manager, supported where necessary by the persons authorized to process data and by the IT Department, shall handle the response and make sure that the requester receives an appropriate response without delay. Once the Data Manager has collected all the information necessary to process the request, he/she informs the CEO.
The Data Manager in charge of the processing and the CEO coordinate the processing of the response by collecting all the information necessary to make sure that the requester receives an appropriate response.
c) Response to the data subject
Pursuant to Art. 12.3 of the GDPR, the Data Controller shall respond to the data subject’s requests, without delay and, in any case, within one month.
This period may be extended by two months, if necessary, depending on the complexity and number of the requests made by the data subject; in such cases, the Controller shall inform the data subject of the need for the extension, together with the reasons for the delay.
Depending on the right exercised, a data subject who has submitted the request by e-mail is given an immediate response by e-mail, unless they have indicated otherwise.
It is important to point out that the Controller may refuse to satisfy the request made by the data subject, if:
- it demonstrates it is not in a position to identify the data subject (Art. 12.2 GDPR);
- the request is manifestly unfounded or excessive (e.g. because of its repetitive and spurious nature) (Art. 12.5 GDPR). In such cases, the controller shall bear the burden of demonstrating the manifestly unfounded or excessive character of the request.
If the Controller does not take action on the request of the data subject, it shall inform the data subject without delay and, at the latest, within one month of receipt of the request, of the reasons for not taking action and on the possibility of lodging a complaint with a Supervisory Authority and seeking a judicial remedy.
3. Roles and Responsibilities
The main roles and responsibilities involved in the management of the rights of Data Subjects are described below:
a) Persons authorized to process personal data:
- Receive requests from Data Subjects via unofficial communication channels and promptly inform the requester to resubmit the request via the official channel;
- Support their Data Manager in carrying out the activities needed to provide a response to the requester.
b) Data Manager:
- Is responsible for the management of the requests of Data Subjects which refer to personal data processed by his/her function;
- Checks the identity of the Data Subject;
- Searches for the personal data of Data Subjects in the databases and archives under his/her responsibility;
- Performs the actions needed to ensure that Data Subjects can exercise their rights. This may include engaging the IT Department whenever necessary;
- Prepares the forms that shall be used to notify the Data Subject and forwards them to the CFO for an additional check.
c) Chief Executive Officer (CFO):
- Is informed / consulted during the processing and response phase, especially in case of problems with specific requests that cannot be handled in the ordinary way under this procedure;
- Coordinates Data Managers in the collection of information that should be sent to the requestor;
- Performs checks on the information collected by the Data Manager;
- Makes sure that the requester receives a response within the prescribed deadlines;
- Provides, when needed, legal advice on the responses to be delivered to Data Subjects;
- Assists the Data Controller in the drafting of internal and external official communications and in maintaining relations with Data Subjects and with the Supervisory Authority.
d) IT Department:
- Supports Data Managers in processing those requests that are more complex from an IT point of view (e.g. data portability, erasure).
e) Administrative Department:
- Receives requests from Data Subjects through the official communication channel email@example.com and forwards them to the Data Manager and the Marketing Function in charge of the processing activity;
- Supports the CFO in providing a response to the requester.
4. Record of requests
In order to ensure that requests are properly managed, and in order to be able to demonstrate compliance with the GDPR, 4ward S.r.l. retains a record of the requests received from data subjects.
The record of requests shall include:
- The name of the requester;
- The type of request;
- The date of receipt of the request;
- The date when 4ward S.r.l. sent the response to the data subject;
- Information concerning the actions that have been performed in order to address the request.
Information provided by the Controller to the data subject, and any communication made or action taken in response to a request, shall be provided free of charge.
Where requests from a data subject are manifestly unfounded or excessive, in particular because of their repetitive character, the Controller may either:
- charge a reasonable fee, taking into account the administrative costs of providing the information or communication or of taking the action requested; or
- refuse to act on the request.