GDPR Response on Processing Restriction Request Complaint Template - Rejected

by Nash V

Introduction

Under the GDPR guidelines, any individual who is a data subject of an organization has the right to request that the organization restrict the processing of their personal data. When such a request is submitted, the data controller must respond in a timely manner, using clear, everyday language.
If the restriction request is rejected, the requester has the right to appeal the decision with the relevant supervisory authority.

GDPR Response on Processing Restriction Request Complaint Template - Rejected

The DPO or their delegates need to respond to restriction requests in order to comply with the GDPR statutes regarding the processing of any personal information belonging to the organization's data subjects. After the consent form has been signed by the data subject, the data controllers are within their rights to process any personal data. The GDPR stipulates that data subjects are entitled to ask to withdraw the consent form. However, the organization is sometimes within its rights to reject this request. The filled-in request needs to be kept in the organization's archive for audit purposes.

Scope and Purpose

According to the GDPR statutes on this topic, once a processing restriction request has been submitted, the data controllers are required to -

1. Comply with the request, or explain why it cannot be complied with.

2. Check that the data subjects' personal data mentioned exists on the servers and that it is as described in the restriction request.

3. If it is: validate that the data subjects are indeed the owners of the data, or proxies of the legitimate owner.

4. If they are, check whether there is any reason not to comply with the request.

5. If step 3 is positive, inform the data subject that the request is invalid and, therefore, rejected.

6. Keep a record of the request, the organization's response to it, and any further communication on this topic with the data subject. This is required for the sake of audits, both internal and external.

The Obligations of the Data Controller

The restriction response should include the following fields -

1. The details of the DPO (or their delegate).

2. The basic details of the data subject who submitted the request.

3. Which personal data is requested to be restricted, or which type of processing is requested to be restricted.

4. The response to the request, in this case, a rejection of it.

5. Inform the data subject of their right to escalate the request to the supervisory authority.

Other Obligations -

1. Establish that the requesters' personal data is indeed being processed by the data controller.

2. Establish that the request can be accepted, and if not, explain why.

3. Notify the data subject of the decision that the data controller intends not to comply with their request.

4. Store the personal data of the data subjects securely, both on the main and backup servers of the data controller.

5. Restrict access to the personal data to a select group of employees who are authorized to handle it.

6. Do not process the personal data for marketing purposes or sell it to third-party organizations for the same purposes.

7. Do not transfer the personal data to third-party organizations without the data subject's consent.

8. Sensitive data: where the transfer involves personal data revealing racial or ethnic origin, political opinions, religious or philosophical beliefs, trade union membership, genetic data, or biometric data for the purpose of uniquely identifying a natural person, data concerning health or a person's sex life or sexual orientation, or data relating to criminal convictions and offences (hereinafter "sensitive data"), the data importer shall apply specific restrictions and/or additional safeguards, e.g. masking the data.

Examples of Processed Personal Data

Attributes -

1. Name
2. Phone number
3. Email address
4. IP address
5. ID number
6. Marital status
7. Number of children
8. Annual income
9. Political opinions
10. Religious beliefs
11. Sexual orientation


Term Definitions

What is a Data Controller?

An organization or person who determines the use of the personal data collected from the data subjects. The data controller owns the collected personal data, decides in which ways it will be processed, and bears the sole responsibility for safekeeping it.

What is personal data?

Any type of unique data which relates to an individual data subject. This can include information such as name, phone number, email address, ID number, health records, political opinions, IP address, etc.

What is the processing of personal data?

Any act performed on the collected personal data of the organization's data subjects. This may include actions such as storing the data, analyzing it to extract insights, or deleting it once it is no longer required.

What is a data subject (also known as an end-user)?

Any person who has created a unique username on the organization's website, thus gaining the possibility of using that username to perform certain tasks and use the features offered on the website.

Who is the DPO?

The Data Protection Officer is the main stakeholder of the organization for all aspects of GDPR compliance. They are responsible for making sure that the GDPR guidelines are adhered to.

What is a data breach?

Any intentional or unintentional security incident which involves the exposure of personal data to any unauthorized party. Exposure of personal data may include the viewing, copying, stealing, or altering of the personal data.

Key Takeaways / Conclusions

1. The DPO (or their delegate) checks the restriction request.

2. The rejection must be written in simple language, explaining why it was rejected.

3. The response should include an automatic excerpt of the request as it was received from the data subject.

4. If an appeal is to be made by the data subject, it needs to be responded to within 20 workdays.

5. Data controllers should be careful not to reject these restriction requests frivolously. The GDPR clearly states the grounds on which data controllers may refuse to comply with the requests of data subjects.