GDPR Response on Consent Withdrawal - Restriction Request Template - Accepted

by Nash V

Introduction

One of the main benefits of the GDPR is that, where an organization relies on consent as its lawful basis, it must obtain that consent from its customers (data subjects) before it starts to collect, analyze, and store their personal data. This usually happens when the customer opens a user account with the organization or performs an action on its website. The GDPR also stipulates that a data subject who has given consent may withdraw it, fully or partially, at any time, and that withdrawing consent must be as easy as giving it (Article 7(3)). The withdrawal is a formal request, and organizations are required to provide a way to submit one.

GDPR Response on Consent Withdrawal - Restriction Request Template - Accepted

The DPO can use this template to comply with the GDPR provisions on the withdrawal of consent, or the restriction of processing, requested by the organization's end-users. Once consent has been given, the organization may collect and process the personal data only for the purposes the data subject consented to. The data subjects have the right to withdraw their consent, either completely or partially, and may also ask for the processing of some or all of their data to be restricted. The completed response letter, together with the original request, needs to be kept in the organization's archive for audit purposes.

Scope and Purpose

When a request has been submitted by a data subject or their proxy, the DPO (or their delegates) are bound to verify the requester's identity and check that the requester's personal data is indeed stored on the organization's systems. If it is, the next step is to check whether there is any legal basis for continuing some of the processing despite the request. A withdrawal of consent itself cannot be refused; the organization may only keep processing data for which it has a different lawful basis (for example a statutory retention obligation), and it must tell the requester which data that is and why. The organization must then make its best efforts to comply with the request without undue delay and at the latest within one month of receipt (Article 12(3)), extendable by a further two months for complex or numerous requests if the requester is informed of the delay. Withdrawal of consent does not affect the lawfulness of processing carried out on the basis of that consent before it was withdrawn.

Once a withdrawal/restriction request has been submitted, the data controllers are required to -

1. Validate that the requester is indeed the owner of the data or is a proxy of the legitimate end-user. Identity is checked first so that the organization never confirms to an unverified party whether it holds data about a given person.

2. If they are, check that the personal data mentioned exists on the organization's systems and that it is as described in the request.

3. If it does, check whether the organization has a lawful basis other than consent for continuing any part of the processing, and therefore a reason not to comply with that part of the request.

4. If step 3 is negative: inform the requester that their request is valid and will be complied with within X workdays (X must not exceed the one-month deadline of Article 12(3)).

5. Keep a record of the request, its response, and any further communication with the requester. This is required for audits.

The Obligations of the Data Controller

The withdrawal/restriction response should include the following fields -

1. The details of the responder (or data controller)

2. The basic details of the requester.

3. Which attributes of the personal data the request covers, and whether consent is withdrawn for them or their processing is to be restricted

4. The response to the request.

Other obligations -

1. Establish that the requester's personal data is collected and stored.

2. Ascertain that the request can be carried out in full, and if not, explain which part cannot and why.

3. Notify the requester of the decision that the organization intends to comply with their request.

Term Definitions

What is a Data Controller?

An organization or person who determines the purposes and means of processing the personal data collected from the data subjects. The data controller does not own the personal data; it decides in which ways the data will be processed and bears the primary responsibility for safeguarding it, including for any processors it uses.

What is personal data?

Any information relating to an identified or identifiable natural person. This can include such information as: name, phone number, email address, ID number, health records, political opinions, IP address, etc.

What is the processing of personal data?

Any operation performed on personal data, whether or not by automated means. This includes collecting the data, storing it, analyzing it in any way to extract insights, disclosing it to a third party, or deleting it once it is no longer required.

What is a data subject (also known as an end-user)?

Any identified or identifiable natural person whose personal data the organization processes. In practice this is usually a person who created a unique username on the organization's website and uses it to perform tasks and access features offered there, but it also covers anyone the organization holds data about, whether or not they have an account.

Who is the DPO?

The Data Protection Officer is the main stakeholder of the organization for all aspects of GDPR compliance. They are responsible for monitoring that the GDPR requirements are adhered to, for advising the organization on its obligations, and for acting as the contact point for data subjects and the supervisory authority.

What is a data breach?

Any intentional or unintentional security incident that leads to the accidental or unlawful destruction, loss, alteration, or unauthorized disclosure of, or access to, personal data. This covers not only data being stolen or shared with an unauthorized party but also its being viewed, copied, altered, or made unavailable.

How To Communicate With Data Subjects?

The data subject may submit their request by any number of communication means -

1. Email: sending the request to the data controller using a dedicated email address.

2. Website: opening a request (also known as a ticket) on the data controller's site.

3. Mail: sending a filled-in form in an envelope.

The data controller is obligated to respond to the request, using the same means of communication unless the requester asks for a different one. Where the request was made by electronic means, the response should be provided by electronic means where possible.

Key Takeaways / Conclusions

1. The DPO (or their delegate) is responsible for checking the restriction request and responding to it.

2. The response should quote the original request as it was received, so that the record shows exactly what was asked.

3. The restriction may cover the complete stop of collecting, processing, analyzing, or selling any personal data of the requester, or only certain parts of the personal data.