6. Description of How Data Subjects Can Exercise Their Data Subject Rights
Summary: The goal is to ensure that the project has a way for data subjects to exercise their personal data rights. For small-scale processing, it is often enough to have data subjects directly contact controllers with their requests. For larger projects, a response protocol, likely automated, should be implemented instead.
Step 6 describes the way data subjects can exercise their rights. For small scale project, where it is possible to directly engage with each requesting data subject, it is often enough to just inform data subjects that they can use the provided contact information to directly get in touch with controllers and data protection officers for any question or requests related to their personal data rights. For larger projects, where a large number of data subjects is expected to be involved in the processing, a more organized, likely automated way to respond to data access requests should be designed and described here.
For example, for small-scale processing, step 6 can explain that “data subjects can exercise their data subject rights by contacting the research team directly, using the provided contact information, as shown in step 5.”
Previous: Description of Information Provided to Data Subjects | Next: Description of Lawful Basis for Processing
- Description of the Project’s Purpose
- Description of Data Subjects
- Description of the Categories and Purposes of Personal Data
- Description of the Processing of Personal Data
- Description of Information Provided to Data Subjects
- Description of How Data Subjects Can Exercise Their Data Subject Rights
- Description of Lawful Basis for Processing
- Description of Measures to Ensure Compliance By Processors and/or Joint Controllers
- Description of Planned Transfers of Personal Data to Other Countries Outside the EU
- Obtaining, Consulting, and Dealing with Data Subjects’ Views of the Processing
- Preliminary Risk Assessment