Data subject rights - Swiss GDPR
Written by Fabiola Munguia
Updated over a year ago

When handling personal data, it's vital to remember the multitude of rights that data subjects hold. Broadly, these rights ensure that individuals are well-informed and can actively oversee their own data. Specifically, data subjects are entitled to:

  1. Know about any data processing activities.

  2. Understand cross-border data transfer specifics.

  3. Access their retained data.

  4. Make use of data portability.

  5. Seek corrections or deletion of their data.

  6. Withdraw consent at any time.

  7. Lodge complaints with the supervisory authority, namely the FDPIC.

These rights can be categorized as:

  • Anticipatory Rights: Covered in your privacy policy, they relate to informing data subjects about data processing and transfers.

  • Active Engagement Rights: These entail data access, portability, correction, deletion, and withdrawing consent.


Deep Dive into Key Rights

  • Access & Data Portability: Under Swiss law, if a person requests access, verify their identity first. The requested information should be shared, either digitally or in writing, within 30 days. Denying access is permissible in specific cases, like potential breaches of confidentiality.

    Data portability implies providing data in commonly used digital formats, like CSV or XML. This doesn’t include derived data or third-party data.

  • Data Correction, Deletion, and Consent: Data subjects can request data edits, removal, or even revoke consent. Ensure systematic procedures are in place to handle these requests.


Steps to Manage Requests

Here’s how you can proceed to prepare for data subject requests:

  • Identify all data storage areas in the company.

  • Make sure this data can be exported in a structured format.

  • Develop and implement internal processes to handle requests (a separate process for requests for access, data transfer, correction or deletion of data, and revocation of consent).

  • Create sample letters for the various requests.

  • Define the responsibilities for responding to requests and train the employees involved.
