GDPR Request Closing Letter Template
Introduction
Under the GDPR, each person whose personal data is collected by an organization has the right to request that it erase, rectify, or stop processing their data. Any such request, other than a DSAR, must be answered once the DPO (or their delegate) has complied with it. The letter lets the data subject know that their rights have been honored, that the organization is accountable, and that the matter is considered closed.
The letter must be written in simple everyday language, and a copy must be kept for audit purposes (internal or external). When used appropriately, the letter satisfies the GDPR's requirements for the DPO's (or delegate's) response to a data subject request (other than a DSAR). Each time a data subject submits a request that the organization must comply with under the GDPR, it must notify the submitter that their request was handled.
Scope and Purpose
When a request has been submitted, the DPO (or their delegate) is required to -
1. Review the request.
2. Check that the personal data mentioned exists on the organization's servers.
3. If it does, validate that the requester is indeed the owner of the data or a proxy acting for the legitimate end-user.
4. Complete the request to the best of their ability.
5. If a legal barrier prevents completion of the request, notify the requester.
6. Record the request, its response, and any further communication with the requester. This is required for audits.
The data controller must comply with the request under the GDPR unless it is unable to for one of several legitimate reasons. The request may ask for any of the following actions -
1. Erase the personal data of the end-user
2. Rectify personal data that is deemed to be incorrect
3. Stop or restrict the processing of personal data
Required Fields in the Letter
The rectification response should include the following fields -
1. The details of the DPO or their delegate.
2. The basic details of the requester.
3. A summary of the actions taken as a result of the request.
4. Which personal data was processed.
5. A notice informing the end-user of their right to appeal a rejection decision to the supervisory authority.
The Obligations of the Data Controller
1. Create a uniform response to requests so that they all receive the same response format.
2. Ascertain that the request is feasible, and if not, explain why.
3. Communicate to the end-user that their request was completed or that they may appeal the decision.
Term Definitions
What is a Data Controller?
An organization or person that determines how the personal data collected from data subjects is used. The data controller owns the collected personal data, decides how it will be processed, and bears sole responsibility for safeguarding it.
What is personal data?
Any unique data that relates to an individual data subject. This can include information such as name, phone number, email address, ID number, health records, political opinions, IP address, etc.
What is the processing of personal data?
Any act performed on the collected personal data of the organization's data subjects. This may include actions such as storing the data, analyzing it to extract insights, or deleting it once it is no longer required.
What is a data subject (also known as an end-user)?
Any person who has created a unique username on the organization's website, which allows them to use that username to perform specific tasks and to use the features offered on the website.
Who is the DPO?
The Data Protection Officer is the main stakeholder of the organization for all aspects of GDPR compliance. They are responsible for making sure that the GDPR guidelines are adhered to.
What is a DSAR (Data Subject Rights Request)?
Since the GDPR came into force, each data subject (customer) of an organization has the right to ask which of their personal information the organization is collecting, how it is being analyzed, whether it is sold to other entities, and who has access to it.
Once the data subject understands which personal information is being collected, they can exercise further rights such as deletion, change of scope, limitations, etc. Failure to adhere to the request may result in a non-compliance fine.
Key Takeaways / Conclusions
1. The DPO (or their delegate) is responsible for checking the request and replying to it.
2. In case of a rejection, the response must explain in clear, everyday language why it was rejected.
3. The response should have a case number attached to it for further discussions.
4. The response should spell out which personal data was changed as a result of the request.