Rights of rectification and the rights of access commonly referred to as Subject Access gives individuals the right to obtain a copy of their personal data as well as other supplementary information.
It helps individuals to understand how and why you are using that data and check you are doing it lawfully. Individuals can make a subject access request verbally or in writing. You have one month to respond to a request.
You can extend the time to respond by a further two months if the request is complex or you have received a number of requests from the individual.You must let the individual know within one month of receiving their request and explain why the extension is necessary.
The new thing in GDPR is that you cannot charge a fee to deal with a request.
In most circumstances however where the request is manifestly unfounded or excessive You may charge a reasonable fee for the administrative cost cost of complying with the request. You can also charge a reasonable fee if an individual requests further copies of their data.
Following a request you must base the fee on the administrative costs of providing further copies. In addition to a copy of their personal data you also have to provide individuals with the following information:
- The purposes of your processing.
- The categories of personal data concerned the recipients are categories of recipients you disclose their personal data to your retention period for storing the personal data or where this is not possible.
- Your criteria for determining how long you will store it.
- The existence of their right to request rectification AirAsia or restriction or to object to such processing.
- The right to lodge a complaint with the ICAO or another supervisory or authority.
- Information about the source of the data where it was not obtained directly from the individual.
- The existence of automated decision making including probing profiling and the safeguards you provide
- if you transfer personal data to a third country or international organization responding to a subject access request may involve providing information that relates both to the individual making the request and to another individual.
The DPA 20:18 says that you do not have to comply with the request if it would mean disclosing information about another individual who can be identified from that information.
This obligation to provide data subjects with access right lies with the controller and not the processor.
Processes are only obliged to assist the controller with the requests if needed. The scope of rights of rectification is largely unchanged from the directive.
In summary data subjects have the right to rectification of inaccurate personal data. It is also complex if the data in question records in opinion opinions are by their very nature subjective and it can be difficult to conclude that the record of an opinion is inaccurate.
As long as the record shows clearly that the information is an opinion and where appropriate whose opinion it is it may be difficult to say that it is inaccurate and needs to be rectified in such a scenario. You can reject the request by informing the user about the foundations of the opinion.