GDPR Confirmation of Data Subject Rights Request Template
Introduction
The DSRR grants a data subject the right to access their personal data which is being collected, stored, and processed by an organization. They can also request to rectify or erase incorrect information, restrict its processing, and prohibit any auto-decision-making of their personal information. Requesting any of the above is achieved by submitting a DSRR.
Scope and Purpose
The requesters who exercise their right to understand what the organization is doing with their personal data do so to make informed decisions. These decisions can be a request to dispose of their personal data or parts of it. The response also provides records for any audit (internal or external).
The DSRR should include the following fields –
1. The details of the responder (or data controller)
2. The basic details of the data subject (end-user)
3. Confirmation that the personal data of the requester is indeed being collected.
4. Confirmation that the personal data of the requester is indeed being manipulated.
5. Confirmation that the personal data of the requester is indeed being sold to third party entities (inside and outside of the EU)
6. Confirmation that the personal data of the requester will be stored for X months.
7. Confirmation that the personal data of the requester has automation processes allocated to it.
Examples of Processed Personal Data
Attributes -
1. Name
2. Phone number
3. Email address
4. IP address
5. ID number
6. Marital status
7. Number of children
8. Annual income
9. Political opinions
10. Religious beliefs
11. Sexual orientation
Obligations of the Data Controller
1. Notify the data subject regarding the outcome of their DSRR.
2. In case of their DSRR being rejected: explain why this decision was reached, and notify them of their right to appeal this decision with the regulatory authority of their respective country.
3. Explain to the data subject which measures are being taken for their personal data to remain out of the hands of malicious entities.
4. Inform the data subject who has access to their personal data.
5. Notify the data subject exactly how long they plan to store their personal data.
6. Tell the data subject which departments within the organization have access to their personal data.
7. Advise which 3rd party data controllers or processors have access to their personal data and which measures they are taking to keep their personal data safe and secure.
Term Definitions
What is a data subject (also known as an end-user)?
Any person who created a unique username on the organization’s website, thus giving them the possibility of using that username to perform certain tasks and use features offered on the website.
What is personal data?
Any type of unique data which relates to an individual data subject. This can include such information as Name, phone number, Email address, ID number, health records, political opinions, IP address, etc.
What is the processing of personal data?
Any act that is performed on the collected personal data of all the organizations’ data subjects. This may include such actions as storing the data, analyzing it in any way to extract insights or deleting it once it’s no longer required.
What is a DSRR (Data Subject Rights Request)?
Since the creation of the GDPR process, each data subject (customer) of an organization has the right to request to know which of their personal information the organization is collecting, how it’s being analyzed, if it’s sold to other entities and who has access to their personal information. Once the data subject understands which personal information of is being collected, they can then exercise further rights such as deletion, change of scope, limitations, etc. Failure to adhere to the request may result in a non-compliance fine.
Key Takeaways / Conclusions
1. The response to the DSRR should take no longer than one month, however in complex queries / requests, this timeline can be extended.
2. Most organizations don’t charge a fee for responding to a DSRR; however in certain cases, such as excessive or repetitive requests, a token fee can be requested.
