Summary: The goal is to ensure that the project has a way for data subjects to exercise their personal data rights. For small-scale processing, it is often enough to have data subjects directly contact controllers with their requests. For larger projects, a response protocol, likely automated, should be implemented instead.

Step 6 describes the way data subjects can exercise their rights. For small scale project, where it is possible to directly engage with each requesting data subject, it is often enough to just inform data subjects that they can use the provided contact information to directly get in touch with controllers and data protection officers for any question or requests related to their personal data rights. For larger projects, where a large number of data subjects is expected to be involved in the processing, a more organized, likely automated way to respond to data access requests should be designed and described here.

For example, for small-scale processing, step 6 can explain that “data subjects can exercise their data subject rights by contacting the research team directly, using the provided contact information, as shown in step 5.”

Previous: Description of Information Provided to Data Subjects | Next: Description of Lawful Basis for Processing