Data Subject Rights Flashcards
What is the timeline for responding to a DSAR?
This must be no later than one calendar month, starting from the day they receive the request.
If the organisation needs something from you to be able to deal with your request (eg ID documents), the time limit will begin once they have received this.
If your request is complex or you make more than one, the response time may be a maximum of three calendar months, starting from the day of receipt.
According to the GDPR, the right to data portability applies when…
…the data processing is based on
A) the user’s consent or on a contract
B) the data processing is carried out by automated means
Recital 68:
“Where the processing of personal data is carried out by automated means, the data subject should also be allowed to receive personal data concerning him or her or which he or she has provided to a controller in a structured, commonly used, machine-readable format, and to transmit it to another controller”
It should not apply where processing is based on a legal ground other than consent or contract.
It does not apply to “processing necessary for the performance of a task carried out in the public interest or in the exercise of official authority vested in the controller”.