Article 15 of the GDPR states that data controllers must confirm to data subjects whether their personal data is being processed and, where it is, provide them with a copy of that personal data (provided that doing so does not adversely affect the rights and freedoms of others).
Paragon Outsourcing must also provide the following information:
- The purposes of the processing.
- The categories of personal data involved.
- The recipients (or categories of recipients) to whom the personal data has been or will be disclosed.
- The envisaged period for which the personal data will be stored (or, if this is not possible, the criteria used to determine that period).
- The existence of the right to request that the controller rectify or erase the personal data or restrict processing, or to object to processing.
- The right to lodge a complaint with a supervisory authority.
- Where the personal data has not been collected directly from the data subject, any available information about its source.
- The existence of automated decision-making, including profiling, and meaningful information about the logic involved, as well as the significance and the envisaged consequences for the data subject of such processing.
Data subject access request procedures under the GDPR
Paragon Outsourcing's DSAR procedure ensures we are able to meet the following requirements:
- In most circumstances, the information requested must be provided free of charge.
- Paragon Outsourcing is permitted to charge a “reasonable fee” when a request is manifestly unfounded, excessive or repetitive. This fee must be based on the administrative cost of providing the information.
- The information must be provided without delay and within a month.
- Where requests are complex or numerous, Paragon Outsourcing is permitted to extend the deadline to three months. However, we must still respond to the request within a month to explain why the extension is necessary.
- Data subjects must be able to make requests electronically as well as physically, “especially where personal data are processed by electronic means”.
- DSARs can be made in any form, including through email, phone call or web contact forms.
Recital 63 also recommends that, where possible, “the controller should be able to provide remote access to a secure system which would provide the data subject with direct access to his or her personal data”.