The GDPR grants every individual a set of rights over their personal data. Any client, employee or user can exercise them against your company, and you are obliged to respond within the deadline.
The six rights
- Access: to know what data you hold about them and how you process it.
- Rectification: to correct inaccurate or incomplete data.
- Erasure: the "right to be forgotten", deleting data once it is no longer needed.
- Restriction: to "freeze" processing while a complaint is resolved.
- Portability: to receive the data in a reusable format or move it to another controller.
- Objection: to refuse the processing of their data, for example for marketing.
Deadlines and form
You must respond within one month, extendable to two in complex cases. The response must be free of charge unless requests are manifestly unfounded or excessive, and you must verify the requester's identity.
Failing to handle a rights request on time is one of the most common reasons for complaints to the authority. Having a written procedure avoids improvising.
How to prepare
Set up a clear channel to receive requests, an internal procedure to process them and response templates. This shows diligence and reduces the risk of penalties.
At Eritia Privacidad we implement the full data-subject-rights procedure and train your team to manage it.


