Your Guide to Managing Data Subject Access Requests

DSAR stands for Data Subject Access Request. It is one of the rights that a data subject, i.e. an individual, enjoys under the General Data Protection Regulation (GDPR).

  1. A data subject is anyone whose data is collected, shared and processed by a data controller.
  2. A data controller is a company, organization or anyone who deals with the personal data/information of the data subjects. 

As per the GDPR, the data subject should be a resident living in the European Union.

Recital 63 of the GDPR states:

“A data subject should have the right of access to personal data which have been collected concerning him or her, and to exercise that right easily and at reasonable intervals, in order to be aware of, and verify, the lawfulness of the processing.”

1. Reasons to have a DSAR process

Reason(s) for DSAR:

  1. For confirming whether your organization/business processes the personal data of an individual (referred to as a data subject).
  2. For accessing the personal data/information of a data subject.
  3. For determining whether such processing of the data subject's data is on a lawful basis or not.
  4. For knowing the duration/period for which such data has been stored in your organization/business.
  5. For enquiring about how the data subject's personal information/data was obtained by your organization/business.
  6. For obtaining information about automated decision-making and profiling based on the data subject's personal information.
  7. For obtaining the names and further details of the third parties with whom your organization/business is sharing the personal information of the data subject(s).

This isn't an exhaustive list; a data subject has a right under the GDPR and can submit such a request (DSAR) to the data controller at any time and without giving any reason. The data controller may only ask questions in order to verify the data subject's identity.

2. Principles for DSAR

The GDPR in its entirety is based on the following principles, and it is the data controller's responsibility and obligation to process data in accordance with them.

Article 5 of the GDPR lays down the following principles:

  • Lawfulness, fairness and transparency
  • Purpose limitation
  • Data minimisation
  • Accuracy
  • Storage limitation
  • Integrity and confidentiality
  • Accountability

The DSAR, on the other hand, is based on the rights granted to data subjects under the GDPR:

Article / Right of the data subject:

  • Art. 15: grants the data subject the right to access his/her personal data held by the data controller.
  • Art. 16: grants the data subject the right to have his/her inaccurate personal data rectified by the data controller without undue delay.
  • Art. 17: grants the data subject the right to be forgotten (erasure), which the data controller must honour without undue delay.
  • Art. 18: grants the data subject the right to restrict the processing of his/her personal data.
  • Art. 20: grants the data subject the right to transmit his/her personal data to another controller, and to obtain his/her personal data in a machine-readable format.
  • Art. 21: grants the data subject the right to object to the processing of his/her personal data.
  • Art. 22: grants the data subject the right not to be subjected to automated decision-making and profiling.
3. Steps to perform as a data controller

Steps to be taken:

  1. The first step should be to verify the data subject's identity and record the DSAR in the system.
  2. The next step is collecting and categorizing the personal data that you have stored.
  3. The next step should be to review the data subject's request in order to understand what the DSAR requires. The reply to such a request should be made within 30 days as mandated by the GDPR and without undue delay.
  4. Before sharing the response with the data subject, it is better to gather all the personal data of the data subject into the response, as the GDPR also encourages remote access to such data.
  5. The data controller needs to ensure that the delivery of the data to the data subject is secure, as data leaks and breaches are quite expensive; moreover, they affect the trust of its users and its reputation/goodwill.
  6. Once you have followed all the required steps, you are ready to send the response to the data subject.
  7. It is essential to remind data subjects of their privacy rights, and you may do so by adding a few lines at the end of your response.

Comparing the stance on Protection of Non-Personal Data in India and EU

First published on Tsaaro

Introduction & timeline of data protection in India

It is true that soon every business will become a tech business, as "data" will be the new source of income. Managing and dealing with the data of so many people is not as easy for businesses and organisations, large or small, as you may think. Leaving this area unregulated could lead to a global crisis ranging from human rights violations to economic domination of the market, resulting in endless privacy and cyber-crimes. Hence, regulating this area should be the prime focus of our nation's government and of the government of any other country where there is no privacy regulation. India recognised "privacy" as a fundamental right back in 2017 in a landmark decision passed by the Supreme Court in Justice K S Puttaswamy v. Union of India.

Right after the declaration of the "right to privacy" as a fundamental right, in July 2017, a Committee of Experts was constituted under the leadership of…

Can organizations monitor employees under the GDPR?

First published at Tsaaro Academy

Introduction 

Do we have the right to privacy, and can we enjoy it as a right, especially over our personal data, when we are at our workplace? This is the fundamental question that this blog deals with, from the perspective of the General Data Protection Regulation, also known as the GDPR.

The next important question is what falls within the ambit of 'personal data'. The simple answer is that personal data includes all the sensitive categories of data relating to an identifiable natural person. The following are some examples of personal data:

  • Physical or mental health condition;
  • Sex life and sexual orientation;
  • Racial or ethnic origin;
  • Political opinions, religious beliefs;
  • Trade union membership;
  • Biometric data.

When it comes to monitoring employees, businesses and organizations are not new to the concept; surveillance is decades old. In order to understand and analyze this question, it is important to first understand the employee-employer relationship. It is an undisputed fact that there will always be an imbalance of power between the two, which is why consent cannot be a relevant ground for claiming that such monitoring was genuine or not arbitrary.

Since we are living in the age of digitalization, we need to understand that whatever we do, whether professionally or in our private sphere, we tend to leave digital footprints on the internet. This means that we can easily be traced by anyone, and we are also opening doors to potential scammers and other related risks, as our data is scattered everywhere on the internet. That is also the reason why our 'data' is the new gold/fuel for today's businesses and organizations.

How is monitoring done on employees?

Monitoring of employees can be done easily through CCTV and software, and now we have spyware too. But what exactly constitutes 'monitoring'? It can be monitoring an employee's internet history, emails, financial transactions, call logs, or his private chats with colleagues and/or with other people...