Securiti Named a 2022 Cool Vendor in Data Security by GartnerDownload Now
Published on August 19, 2021 AUTHOR - Nigel Hawthorn, EMEA Privacy Team
When you respond to data subject access requests, as per Article 15 of the GDPR, you no doubt review databases of information- so called “Structured Data” - on your systems and in the cloud, compile all the personal data you have on the data subject (probably a customer record) and send it to the requestor along with additional information about processing activities being carried on the data.
But a recent ruling by the German Federal Court of Justice (Bundersgerichtshof) has potentially extended that to include all information known about the data subject, including any previous correspondence, internal communications and notes.
This ruling makes clear that data collected and shared via internal processes is covered under the right to access as per Article 15 of the GDPR, potentially expanding the breadth of information many people thought was covered in a data subject access request.
To help operationalize this, imagine a customer serially calls your customer support team for help. The customer is identified in every instance and the call is recorded for quality assurance purposes by your organization. If that customer is protected under the GDPR and makes an access request under Article 15 - it won’t be enough to just provide him access to his file, you also need to attach all those recorded calls!
This ruling also states that internal communications about the data subject should be released as part of a DSAR, we have to think whether it would be embarrassing, or worse, if all internal communications were released. In that regard, we make two recommendations that flow from this ruling:
It is also important to note that the ruling did recognize that any documentation or internal communication which contains legal analysis can be excluded from an access request as it does not constitute personal data since it is information about the assessment and application of the law to the data subject’s situation. A summary of the personal data information which was considered for the legal analysis can be provided but the analysis and the results of the analysis are exempt.
Security can help you enable swift and accurate DSR fulfillment from our sensitive data intelligence models.
We can give you data discovery across more than 200 apps to find data assets, and discover personal data in structured and unstructured data systems, across on-premises and multi-cloud and automatically discover and build a relationship map between personal data and its owner.
Discover granular insights into all aspects of your privacy and security functions while reducing security risks and lowering the overall costs
June 21, 2022
When the California Privacy Rights Act (CPRA) comes into effect, replacing the existing California Consumer Privacy Act (CCPA), organizations will have to change their current business practices around personal information handling. One significant change will be Regular Risk...
June 3, 2022
Data privacy laws have gained increased importance worldwide in the past couple of years. Multiple factors have played a role in this phenomenon, the most important being the necessity to protect users’ data, freedom, and rights to privacy....
PO Box 13039,
Coyote CA 95013