Introduction
GDPR mandates that individuals in the European Union have the right to access the personal data held on them, as well as the ability to correct or erase and even transport the data records to a different location. The GDPR provides data subjects (in this case, customers) with certain rights over their personal data. Generally, data subject requests must be addressed within one month, unless they are exceptionally complex or numerous.
Chapter 3 of the general data protection regulation grants European data subjects new rights. The sections, articles and descriptions of this chapter are:
Section 1 –– Transparency and Modalities
Article 12: Transparent information, communication, and modalities for the exercise of the rights of the data subject
Section 2 –– Information and Access to Personal Data
Article 13: Information to be provided where personal data are collected from the data subject
Article 14: Information to be provided where personal data have not been obtained from the data subject
Article 15: Right of access by the data subject
Section 3 –– Rectification and Erasure
Article 16: Right to rectification
Article 17: Right to erasure (“right to be forgotten”)
Article 18: Right to restriction of processing
Article 19: Notification obligation regarding rectification or erasure of personal data or restriction of processing
Article 20: Right to data portability
Section 4 –– Right to Object and Automated Individual Decision-Making
Article 21: Right to object
Article 22: Automated individual decision-making, including profiling
Section 5 –– Restrictions
Article 23: Restrictions
Definitions
Subject Access Request (SAR)
Individuals have a right to be informed by an organization whether or not the processing of personal data pertains or relates to them. Things like personal data, the purpose, and who saw the data.
Data Subject Rights (DSR)
These cover the rights and the abilities to demand things that are mentioned in the SAR. It also defines the abilities to obtain copies, request corrections, processing, and deletion of that data. This is all wrapped up in the formal request, called the DSR.
Data Controller
An individual or organization decides how what, and why data is collected. They may store it using another company’s cloud servers. For example, your Shopify store that collects customer data is a controller.
Data Processor
An individual or organization that stores data on behalf of the controller(s) and processes these data upon request.
Personal data and data subject
Any information relating to an identified or identifiable natural person (data subject); an identifiable natural person is one who can be identified, directly or indirectly. In your case is your customer or visitor.
What is a Data Subject Request?
A data subject request (DSR) is a request from a data subject (a customer) to a data controller (a Shopify store owner) asking for data portability or data access or data erasure or data rectification right about his personal information held by your Shopify store. The European General Data Protection Regulation (GDPR) creates a framework for these types of requests as they relate to personal data attached to European residents.
Who Can Submit a DSR?
Anyone can submit a data subject request. They aren’t limited to customers or visitors. On Shopify, a visitor can order either with a registered account or not. In both cases, an individual provides personal data that are stored by the store and so has the right to submit a DSR.
Can You Refuse to Respond to a DSR?
While it’s important to respond to most DSRs, you don’t have to respond to everyone. Your organization can refuse to comply for two reasons:
- The request is manifestly unfounded, meaning the requester doesn’t intend to exercise their right appropriately. For instance, they might plan to use the request to make unsubstantiated claims against the organization.
- The request is excessive. For instance, an excessive request is one that overlaps with another recently submitted request.
So you need to be careful about refusing to respond to a DSR. It’s difficult to prove whether a DSR is unfounded or excessive, and there aren’t any specific definitions or examples of what qualifies for those exceptions, and the exceptions apply differently to each organization.
Additionally, you aren’t allowed to create a blanket policy that sets criteria for “acceptable” DSRs. You must instead consider each request on a case-by-case basis. If you decide to refuse a DSR, you should be absolutely confident in your ability to explain the reason for the refusal to authorities.
Do You Have to Provide Everything?
No. You only need to provide information that’s considered personal data. You do not need to include everything that mentions or refers to the data subject. For instance, you do not need to provide internal memos or notes about the subject’s account.
Can the process be automated?
Yes, it can. Our GDPR application provides a complete solution for these requests and all the appropriate information is securely provided to your customers. Our GDPR solution for Shopify Stores allows you to define end-to-end data subject request processes from assignment to review and approval. With our solution, you enable registered or guest customers to request their personal data through a custom-branded page with action buttons to directly record their requests.
What’s the Process for Handling a DSR?
There is no formal process for handling a DSR. An individual might request their data over a form and click a “Submit DSR” button there. That said, it’s typically more efficient for subjects to submit requests in an electronic way in order to hold a record and manage them more efficiently. This creates a record of the request for both parties, including the date it was made, the types of data they are requesting (or simply “all data”), and other relevant information.
Do you have to charge a fee for providing information?
No. In most circumstances, organizations will need to give the subjects a copy of the information they request free of charge. However, organizations are permitted to charge a “reasonable fee” when a request is manifestly unfounded, excessive, or repetitive.
This fee must be based on the administrative cost of complying with the request.
Organizations can also refuse to grant excessive, unfounded, or repetitive requests. If they do this, they must explain to the individual why they are refusing to comply and inform them of their right to appeal to the organization’s supervisory authority.
Get Compliant with Pandectes
Pandectes GDPR solution provides an automated process for handling their DSRs. With Pandectes GDPR solution you enable registered or guest customers to request their personal data through a custom branded page with action buttons to directly record their requests. You can automate the request workflow to validate subject identity and assign the fulfillment tasks to request a deadline extension or reject a request. Then, you transmit the data back to the individual via a secure messaging portal upon completion. Pandectes helps you maintain a complete record of data subject requests program activities in order to demonstrate compliance with data protection regulations. The subject access rights or capabilities are fully integrated into Pandectes GDPR application and backed by deep privacy research.
Please check our short video about Data Subject Requests below
