Under the General Data Protection Regulation (GDPR), individuals have specific rights regarding their personal data. These rights allow them to control how their data is collected, used, and stored by organizations. Below are three diverse examples of data subject rights that can be included in privacy policies to ensure compliance with GDPR.
In this example, a company provides a clear process for individuals to request access to their personal data. This right allows individuals to understand what data is being held about them and how it is being used.
To exercise the right to access personal data, individuals can submit a request through our dedicated email address: access@company.com. Upon receiving the request, we will verify the identity of the requester to ensure that we are providing the data to the correct individual. We will respond to all access requests within one month and provide a copy of the personal data held, free of charge. If the request is complex or if we receive numerous requests, this period may be extended by two additional months. In such cases, we will inform the individual of the extension and the reasons for the delay.
Notes: It’s important to ensure that you verify the identity of the requester before sharing personal data. You may also want to outline what information is included in the data provided.
This example illustrates how individuals can request corrections to their personal data. This right allows them to ensure that their information is accurate and up-to-date.
If you believe that any information we hold about you is inaccurate or incomplete, you have the right to request rectification. You can do this by contacting us at rectify@company.com and providing the details of the data that needs to be corrected, along with the correct information. We will take reasonable steps to promptly rectify any inaccurate or incomplete data within one month of receiving your request. If we refuse your request, we will provide you with a justification for our decision.
Notes: Be clear about the process for submitting a rectification request and the timeframe for responses. Keep records of rectification requests and actions taken.
This example explains how individuals can request the deletion of their personal data under certain circumstances. This right can be vital for individuals wanting to remove their digital footprint.
You have the right to request the erasure of your personal data in certain situations, including when the data is no longer necessary for the purposes for which it was collected, or if you withdraw consent on which the processing is based. To make a request for erasure, please send an email to erase@company.com with the subject line “Request for Erasure” and include your details. We will evaluate your request and inform you of our decision within one month. If we deny your request, we will provide you with the reasons for our decision.
Notes: Ensure that your policy explains the conditions under which data can be erased, as not all requests may be granted. Include a mechanism to confirm the deletion of data when requests are fulfilled.