Data Subject Rights (DSR)

Find out about the different rights introduced by the GDPR.

The GDPR reaffirms the rights of individuals, introduces the right to data portability and strengthens the obligations incumbent on the controller. Data subjects have the right to retain control of their data, and the controller must explain to them how to exercise those rights. When exercising their rights, applicants must obtain a response within one month (two months in the case of complex requests).

Two major obligations for the controller:

  • Inform data subjects about the use of their personal data (purpose, retention period, etc.) and about how to exercise their rights

  • Inform data subjects that the operations requested under the rights of rectification, erasure or restriction have been carried out

3 common operational rules for the rights of individuals:

  • Response time of one month from the request (2 months in case of complex request)

  • No fees for the exercise of rights, except in the case of manifestly unfounded or excessive claims

  • Traceability of requests and responses

The right of access to information

To be fair and lawful, the collection of personal data must be accompanied by clear and precise information to the data subjects on:

  • the identity of the person in charge of the file (the controller);

  • the purpose of the data collection;

  • the compulsory or optional nature of the replies and the consequences of failure to reply;

  • the recipients of the data;

  • their rights (right of access, rectification and objection);

  • possible data transfers to third countries.

The information must be provided before the data are collected. The medium used to convey it varies according to the characteristics of the processing (for example, an information sign for video surveillance, an information notice on a form, or reading the information aloud when data are collected by telephone).

The right of access can be exercised:

  • In writing: by postal mail, accompanied by a copy of an identity document, ideally by registered mail with acknowledgment of receipt.

  • On site: on presentation of an identity document. The requester may be accompanied by a person of their choice. The consultation must last long enough for the requester to take note of the data fully and in practical terms. A copy of the data may be requested.

The controller has a maximum response time of one month from the date of receipt of the request. If an on-site request cannot be satisfied immediately, a dated and signed acknowledgment of receipt must be given to the requester. If the request is incomplete (for example, no identity document is supplied), the person in charge of the file may ask for additional information: the one-month period is then suspended and starts again once the missing elements have been supplied.

How to send the data?

The elements communicated must be easily understandable. The codes, acronyms and abbreviations used must be explained (possibly through a glossary). For example, "Segmentation: A +" means that you are considered a VIP customer.

Limits of the right of access

The controller can:

  • refuse the access request: in this case, they must justify the decision and inform the requester of the means and time limits for appeal;

  • decline to respond to requests that are manifestly unreasonable in number, repetitive or systematic in nature (for example, requesting a full copy of the record every week).

When the controller holds no data on the person exercising the right of access (for example, because the data have been deleted or the organisation never held any data on that person), they must still reply to the requester within one month. The right of access must be exercised with respect for the rights of third parties: an employee of a company cannot obtain data relating to another employee.

Collecting consent

Consent is an active, explicit and preferably written action by the user, which must be freely given, specific and informed. In an online form, this can take the form of a check box that is not checked by default. Consent must be obtained before the data are collected.

The prior consent of the data subject is required, in particular:

  • when collecting sensitive data;

  • when reusing data for other purposes;

  • when using cookies for certain purposes;

  • when using data for electronic commercial prospecting.

The right to object

When placing an order or signing a contract, people must be able to object to the reuse of their contact details by the person in charge of the file for solicitation purposes, in particular commercial ones. A check box, not checked by default, should allow them to express this choice directly on the form or order form. Merely mentioning the existence of this right in the general terms and conditions is not sufficient. Any person also has the right to object, on legitimate grounds, to the processing of their data, unless the processing fulfils a legal obligation (e.g. tax records).

The right of access and rectification

Anyone can:

  • access all the information concerning them;

  • know the origin of that information;

  • access the information on which the person in charge of the file relied to make a decision concerning them (for example, the elements used to refuse a promotion, or the score assigned by a bank that led to the rejection of a credit application);

  • obtain a copy (fees not exceeding the cost of reproduction may be requested);

  • require that their data be, as the case may be, rectified, supplemented, updated or deleted.

The right of portability

  • Data subjects may request to receive, in a structured, commonly used and machine-readable format, the data concerning them that they have provided to a controller.

  • Where technically feasible, they may also request that these data be transmitted directly from one controller to another.

For more information

Last updated 2 months ago
