The right to information in data protection law

The right to information in the General Data Protection Regulation (GDPR) is complicated and subject to deadlines. We tell you how to deal with requests for information.

Many companies have already received letters stating, in more or less detail:

"Delete all my data".

Or it was demanded:

"Tell me what data you have on me, delete all data and confirm the data deletion".

Many companies do not pay the necessary attention to these messages. They either do not answer them at all or answer only superficially.

We tell you why this can be very expensive.

Many companies also ask themselves:

How must a request for information be responded to?

First of all, you should set up a central contact point in your company for the processing of information requests. This will ensure that all requests are recorded and processed. No requests for information can then "slip through". This office should work together with the data protection officer to process the requests for information. The employees of this department should be sensitised through appropriate training with regard to the data subject rights existing under the GDPR. In particular, they should be trained on how to deal with requests for information.

It should be noted that failure to provide information, incomplete information, incorrect information or late information constitutes a data protection offence punishable by a fine.

To whom must information be given?

If the contact point you have created has received a request for information, you must first check whether the person requesting the information is also entitled to receive the requested information. You must ensure that the personal data to be provided is not transferred to unauthorised third parties.

May a copy of an identity document be requested for identification purposes?

You are obliged to verify the identity of the person requesting information. It is difficult to decide in each case which evidence and information you may demand from a person requesting information in order to establish their identity.

If there are "reasonable doubts about identity", you may request a copy of the requester's ID for identification purposes. However, you should decide whether such reasonable doubts exist only together with your data protection advisor/data protection officer.

Together with your data protection advisor/data protection officer, you must develop a system that defines in which cases what kind of information is required to identify a person.

What information must be provided?

If you have identified a data subject and have concluded that there is a right to information, you must provide the following information:

  • information on the specific personal data processed
  • the processing purposes (of the data processing)
  • the categories of personal data that are processed
  • the recipients or categories of recipients to whom the personal data have been or will be disclosed, in particular in the case of recipients in third countries or international organisations
  • if possible, the planned duration for which the personal data will be stored or, if this is not possible, the criteria for determining this duration
  • the existence of a right to obtain the rectification or erasure of personal data concerning them or to obtain the restriction of processing by the controller or a right to object to such processing
  • the existence of a right of appeal to a supervisory authority
  • if the personal data are not collected from the data subject, any available information on the origin of the data
  • the existence of automated decision-making, including profiling, pursuant to Article 22(1) and Article 22(4) of the GDPR and, at least in those cases, meaningful information about the logic involved and the scope and intended effects of such processing for the data subject.

Pursuant to Art. 15(3) GDPR, the data subject also has a right to be provided with a copy of the personal data that are the subject of the processing. The details of this claim (when and to what extent it exists) are controversial and the subject of numerous court decisions. You should therefore also discuss this claim with your data protection advisor/data protection officer and then respond in a coordinated manner.

Within what period of time must information be provided?

If you receive a request for information, you must provide the information without delay and in any case within one month of receiving the request.

This deadline may be extended by a further two months if this is necessary, taking into account the complexity and number of requests. However, you must in any case inform the data subject of any extension of the deadline, together with the reasons for the delay, within one month of receiving the request.

Conclusion:

The right to information in data protection law is complicated and subject to deadlines.

The most important prerequisite for proper processing of information requests is first of all that all information requests are collected and processed centrally in your company.

You should then process the respective requests for information with your data protection advisor/data protection officer. We strongly recommend that you do not process requests for information without consulting your data protection advisor/data protection officer.

Please also note that the data subject rights, and thus also the right to information, are a central element of the General Data Protection Regulation.

If you fail to respond to requests for information, or provide incomplete, incorrect or late information, or provide information to unauthorised persons, you may face fines of up to €20 million or, in the case of a company, fines of up to 4% of the total worldwide annual turnover of the previous business year.

Therefore, take the sentence "Delete all my data" seriously.

We are at your disposal for questions and assistance in data protection law.

GoldbergUllrich Lawyers 2020

Attorney at Law Michael Ullrich, LL.M. (Information Law)

Specialist lawyer for information technology law
