GDPR - Information to be Provided Where Personal Data Have Not Been Obtained from the Data Subject - Data Subjects Rights Operational Procedures
Recital - 59.
Procedures for the Exercise of the Rights of the Data Subjects
Executive Summary
Explain to your data subjects what you collect, how you collect it, why you collect it, how it is used, and how long you keep it. It is also advisable to give them your DPO's contact information in case they have questions or want to review their data.
Recital Text
Modalities should be provided for facilitating the exercise of the data subject's rights under this Regulation, including mechanisms to request and, if applicable, obtain, free of charge, in particular, access to and rectification or erasure of personal data and the exercise of the right to object. The controller should also provide means for requests to be made electronically, especially where personal data are processed by electronic means. The controller should be obliged to respond to requests from the data subject without undue delay and at the latest within one month and to give reasons where the controller does not intend to comply with any such requests.
Recital - 62.
Exceptions to the Obligation to Provide Information
Recital Text
However, it is not necessary to impose the obligation to provide information where the data subject already possesses the information, where the recording or disclosure of the personal data is expressly laid down by law or where the provision of information to the data subject proves to be impossible or would involve a disproportionate effort. The latter could in particular be the case where processing is carried out for archiving purposes in the public interest, scientific or historical research purposes or statistical purposes. In that regard, the number of data subjects, the age of the data and any appropriate safeguards adopted should be taken into consideration.
Recital - 64.
Identity Verification
Recital Text
The controller should use all reasonable measures to verify the identity of a data subject who requests access, in particular in the context of online services and online identifiers. A controller should not retain personal data for the sole purpose of being able to react to potential requests.
Executive Summary
Operational procedures should be created to address the rights that data subjects are allowed to exercise, such as requesting access to review, modify, or erase personal data, as well as exercising their right to object. Responses to such requests need to happen within one month. Additional procedures should be created to verify the identity of the data subject who is requesting the data.