The General Data Protection Regulation (GDPR) strengthened the rights of individuals and had an impact on daily data operations. Moreover, the GDPR demanded a proper organizational setup and, in most cases, organizational changes. However, according to the information on the GDPR Enforcement Tracker website, the fines for insufficient fulfilment of information obligations reached EUR 234,944,895, and those for insufficient fulfilment of data subjects’ rights reached EUR 16,246,825. These impressive amounts show that not all organizations did their homework after the GDPR came into force.
Does “no answer” mean “no problem”?
Some organizations think that ignoring data subjects’ requests is the right solution and that there will be no problem. Practice shows a different situation. According to the information on the GDPR Enforcement Tracker website, the Data Protection Authority in Greece imposed a fine of EUR 20,000 on the National Bank of Greece. A data subject filed a complaint against a company and the bank after they failed to comply with his right to information. After returning a product he had purchased from the company, the data subject had asked the company via Facebook Messenger to inform him about the request to cancel his credit card statements sent electronically to the bank. However, the controller refused to comply. After that, the data subject asserted the same right with the bank, which, however, did not respond.
Another situation, examined by the Czech Data Protection Authority, led to a fine in the amount of EUR 1,900. A person had received an invoice for ordered goods from a different company than the one from which she had ordered the goods. Therefore, the data subject contacted the company that had supplied the goods and requested information about where her data had been obtained from, how it was processed, and on what legal basis it was processed. As the company did not respond to her request, the data subject contacted the Data Protection Authority. The Data Protection Authority then demanded that the controller provide the data subject with the requested information immediately. The controller did not respond to this request either.
These are just a few examples showing that if an organization does not react to data subjects’ requests, it will most likely be fined for a breach of the GDPR. The GDPR sets out that the organization must respond to data subjects’ requests without undue delay and within one month of receiving the request. That deadline may be extended by two further months where necessary, if the request is complex or if the organization has received a number of requests from the same individual. The deadline is calculated from the day of the request (or of the fee or other requested information, where applicable) until the corresponding calendar date in the next month.
A data subjects’ rights handling procedure may help to avoid fines
Considering the principle of accountability and data subjects’ growing understanding of their rights, organizations are recommended to have a procedure for handling data subjects’ requests, including a register of received requests. Such a procedure shall cover at least the following:
- how the organization accepts the data subjects’ requests;
- how the requests are registered;
- how the requests are handled and how the decision is made;
- how the request management process is controlled;
- exemptions under which the organization does not provide the requested information to the data subject;
- other important provisions.
Dealing with data subjects’ requests can be arduous, time-consuming, and costly. Moreover, failure to comply appropriately with such requests can lead to complaints to the supervisory authority, as can be seen from the examples above, with potentially serious financial, regulatory and reputational consequences. Therefore, organizations must register data subjects’ requests and implement a procedure for handling them in order to avoid potential harm to the organization.
If your organization is still struggling with adapting to data protection changes and ensuring the rights of data subjects, do not hesitate to contact data protection experts at ECOVIS for more information or help.
Prepared by Milda Šlekytė, internationally-certified Data Protection Expert of ECOVIS ProventusLaw