DSRRM and GDPR Policy
EITCA Academy Policy on Data Subject Rights Requests Management and General Data Protection Regulation
This document specifies the European IT Certification Institute’s Policy on Data Subject Rights Requests Management, as well as the implementation of the EU General Data Protection Regulation, which is regularly reviewed and updated to ensure its effectiveness and relevance. The last update to the EITCI Data Subject Rights Requests Management and GDPR Policy was made on 10th January 2023. Our Data Subject Rights Requests Management and GDPR Policy is based on the principles of the ISO 27701 Privacy Information Management System extension to the ISO 27001 Information Security System standard, as well as on the requirements of the General Data Protection Regulation (2016/679).
Part 1. Introduction
Managing data subject rights requests is an essential part of ensuring compliance with data protection regulations, namely the GDPR (General Data Protection Regulation of the EU). The European IT Certification Institute defined the following formal procedures for managing data subject rights requests and implementing the requirements of the GDPR:
1.1. Establishing a process for handling data subject rights requests
This process outlines the steps that the European IT Certification Institute follows when handling data subject rights requests, including the identification and authentication of the data subject, the verification of the data subject’s request, and the response to the request.
1.2. Designating a Data Protection Officer (DPO)
The European IT Certification Institute designates a DPO who is responsible for overseeing the management of data subject rights requests, including the review of requests, response to requests, and ensuring compliance with data protection regulations.
1.3. Maintaining an up-to-date record of personal data
The European IT Certification Institute maintains an up-to-date record of personal data it holds and the purposes for which it is being processed. This will enable the European IT Certification Institute to quickly and accurately respond to data subject rights requests.
1.4. Providing clear and concise information to data subjects
When collecting personal data, the European IT Certification Institute provides clear and concise information to data subjects about their rights, including the right to access, rectify, erase, and object to the processing of their personal data.
1.5. Establishing a standard response time
The European IT Certification Institute maintains a standard response time for data subject rights requests and ensures that requests are responded to within this timeframe.
1.6. Verifying the identity of the data subject
The European IT Certification Institute verifies the identity of the data subject making the request to ensure that the personal data is only provided to the correct individual.
1.7. Responding to data subject rights requests promptly
The European IT Certification Institute responds to data subject rights requests promptly and provides the data subject with the information they have requested.
1.8. Documenting data subject rights requests
The European IT Certification Institute maintains a record of data subject rights requests, including the date of the request, the nature of the request, and the response to the request.
1.9. Monitoring and reviewing the process
The European IT Certification Institute regularly monitors and reviews its process for handling data subject rights requests to ensure that it remains effective and compliant with relevant data protection regulations.
1.10. Establishing the Record of Processing Activities
The European IT Certification Institute maintains the Record of Processing Activities, which is a document that outlines the processing of personal data carried out by the organization. It is required under the EU General Data Protection Regulation (GDPR) and is intended to support understanding of data processing activities and to demonstrate compliance with the GDPR.
By following these formal procedures, the European IT Certification Institute can effectively manage data subject rights requests and ensure compliance with data protection regulations, including the General Data Protection Regulation in the European Union.
Part 2. Establishing a process for handling data subject rights requests
This process outlines the steps that the European IT Certification Institute follows when handling data subject rights requests, including the identification and authentication of the data subject, the verification of the data subject’s request, and the response to the request:
2.1. Identifying and authenticating the data subject
The European IT Certification Institute has a process in place to verify the identity of the data subject making the request. This may include asking for a government-issued ID, checking against existing records, or using other authentication methods.
2.2. Verifying the data subject’s request
Once the identity of the data subject has been established, the European IT Certification Institute must verify that the request is valid and relates to the data subject’s personal data. The request should also include the specific right being exercised, such as the right to access, rectify, or delete personal data.
2.3. Responding to the request
The European IT Certification Institute must provide a response to the data subject’s request within the time frame specified by relevant data protection laws, but no longer than 30 days. The response should include an explanation of whether the request has been granted or denied, and the reasons for the decision.
2.4. Documenting the request and response
The European IT Certification Institute maintains a record of all data subject rights requests and responses. This helps to ensure compliance with relevant data protection laws, as well as to facilitate future audits or investigations.
2.5. Training relevant staff
The European IT Certification Institute will provide training to staff responsible for handling data subject rights requests to ensure that they are familiar with the relevant data protection laws and the European IT Certification Institute’s procedures for handling such requests.
2.6. Monitoring and reviewing the process
The European IT Certification Institute monitors and reviews the process for handling data subject rights requests on a regular basis to ensure that it remains effective and compliant with relevant data protection laws. Any issues or incidents are reported and addressed in a timely manner.
Part 3. Designating a Data Protection Officer (DPO)
The European IT Certification Institute designates a DPO who is responsible for overseeing the management of data subject rights requests, including the review of requests, response to requests, and ensuring compliance with data protection regulations.
3.1. Designating the DPO
The European IT Certification Institute designates a Data Protection Officer (DPO) to oversee the management of data subject rights requests and ensure compliance with data protection regulations. The DPO will be responsible for reviewing requests and ensuring that the European IT Certification Institute is meeting its legal obligations in relation to data protection.
3.2. DPO’s competence requirements
The DPO must have expert knowledge of data protection laws and practices and be provided with the necessary resources to fulfill their responsibilities. They should have direct access to senior management and report to the highest management level of the organization.
3.3. DPO’s responsibilities
The DPO’s responsibilities include, but are not limited to, the following:
- Providing guidance and advice to the European IT Certification Institute on data protection matters, including the management of data subject rights requests.
- Monitoring the European IT Certification Institute’s compliance with data protection regulations and internal policies and procedures.
- Responding to inquiries and complaints from data subjects regarding their rights under data protection regulations.
- Coordinating with other departments to ensure that data protection requirements are met throughout the organization.
- Conducting periodic reviews and assessments of the European IT Certification Institute’s data protection practices and providing recommendations for improvement.
- Serving as a point of contact for data protection authorities and cooperating with them in the event of an investigation or audit.
The DPO is also involved in the development and implementation of the European IT Certification Institute’s policies and procedures related to data protection, including those related to handling data subject rights requests.
3.4. DPO’s training and qualifications development
The European IT Certification Institute should ensure that the DPO is adequately trained on data protection regulations and is kept up to date on any changes or updates to these regulations.
3.5. DPO’s contact information
The DPO’s contact information should be made available to data subjects and included in the European IT Certification Institute’s privacy notice or policy.
Part 4. Maintaining an up-to-date record of personal data
The European IT Certification Institute maintains an up-to-date record of personal data it holds and the purposes for which it is being processed. This will enable the European IT Certification Institute to quickly and accurately respond to data subject rights requests.
4.1. Establishing a process for identifying and recording personal data
The European IT Certification Institute establishes a clear and standardized process for identifying and recording personal data, including the data subject’s name, contact information, and any other relevant information. This process ensures that personal data is collected only for specific and legitimate purposes.
4.2. Categorizing personal data
The European IT Certification Institute categorizes personal data to make it easier to track and manage. This includes categorizing data by type, such as contact information, billing information, competencies and qualifications, financial information, or employment history.
4.3. Implementing a data management system
The European IT Certification Institute implements a data management system to help ensure that personal data is accurate, up-to-date, and accessible. The data management system includes a database that can be searched and queried to help respond to data subject rights requests.
4.4. Assigning responsibility for maintaining the record of personal data
The European IT Certification Institute should assign responsibility for maintaining the record of personal data to specific individuals or departments. This will ensure that the record is kept up-to-date and accurate.
4.5. Regularly reviewing and updating the record of personal data
The European IT Certification Institute should regularly review and update the record of personal data to ensure that it remains accurate and up-to-date. This can be done through periodic audits or through a continuous monitoring process.
4.6. Implementing appropriate security measures
The European IT Certification Institute implements appropriate security measures to protect the personal data it holds, including measures to prevent unauthorized access, accidental loss, or destruction of personal data, as a part of the organization’s Information Security Policy (ISP). This includes, among others, encryption, firewalls, and access controls. A detailed specification of the processes and measures for data protection is covered by the dedicated European IT Certification Institute’s Information Security Policy.
Part 5. Providing clear and concise information to data subjects
When collecting personal data, the European IT Certification Institute provides clear and concise information to data subjects about their rights, including the right to access, rectify, erase, and object to the processing of their personal data.
5.1. Transparency
The European IT Certification Institute is transparent in its processing of personal data and provides concise information to data subjects on how their data are used, processed, and stored.
5.2. Privacy Policy
The European IT Certification Institute has a detailed privacy policy that outlines its data processing activities, including how data subjects can exercise their data subject rights.
5.3. Right to Access
Data subjects have the right to request access to the personal data that the European IT Certification Institute holds about them. The European IT Certification Institute provides clear and concise information to data subjects about how to make a request for access, what information will be required to verify their identity, and how long the European IT Certification Institute will take to respond to the request.
5.4. Right to Rectify
Data subjects have the right to request that the European IT Certification Institute rectify any inaccurate or incomplete personal data that it holds about them. The European IT Certification Institute provides clear and concise information to data subjects about how to make a request for rectification, what information will be required to verify their identity, and how long the European IT Certification Institute will take to respond to the request.
5.5. Right to Erase
Data subjects have the right to request that the European IT Certification Institute erase their personal data in certain circumstances. The European IT Certification Institute provides clear and concise information to data subjects about how to make a request for erasure, what information will be required to verify their identity, and how long the European IT Certification Institute will take to respond to the request.
5.6. Right to Object
Data subjects have the right to object to the processing of their personal data in certain circumstances. The European IT Certification Institute provides clear and concise information to data subjects about how to make a request to object, what information will be required to verify their identity, and how long the European IT Certification Institute will take to respond to the request.
5.7. Contact Information
The European IT Certification Institute provides clear and concise contact information for data subjects to use if they have questions or concerns on how their personal data is being processed.
Part 6. Establishing a standard response time
The European IT Certification Institute has established a standard response time for data subject rights requests and ensures that requests are responded to within this timeframe.
6.1. Standard response time
The European IT Certification Institute establishes a standard response time of 30 days for data subject rights requests. The standard response time defines an upper time limit for processing and response; the majority of requests are processed and responded to within a shorter time.
6.2. Request receipt acknowledgment time
Upon receipt of a data subject rights request, the DPO or other staff members will acknowledge receipt of the request within 5 working days and provide the data subject with an estimated timeframe for providing a response.
6.3. Exceptional extensions of the standard response time
The European IT Certification Institute will use reasonable efforts to respond to data subject rights requests within the established standard response time. However, if the request is complex or if the European IT Certification Institute receives a high volume of requests, the response time may be extended. In such cases, the DPO will inform the data subject of the extension and the reason for the delay.
6.4. Refusal to fulfill a data subject rights request
If the European IT Certification Institute is unable to fulfill a data subject rights request, it will provide the data subject with an explanation for the refusal and inform them of their right to complain to the relevant supervisory authority.
6.5. Records of data subject rights requests and responses
The European IT Certification Institute will maintain accurate records of data subject rights requests and responses, including the date of receipt of the request, the nature of the request, and the date and manner of the response.
6.6. Periodic reviews
The DPO will periodically review the European IT Certification Institute’s response times and update them as necessary to ensure compliance with applicable data protection regulations.
Part 7. Verifying the identity of the data subject
7.1. Identity verification requirement
The European IT Certification Institute must verify the identity of the data subject making the request to ensure that the personal data is only provided to the correct individual.
7.2. Identity verification means and methods
When a data subject makes a request to exercise their rights under data protection laws, the European IT Certification Institute must verify the identity of the data subject using appropriate measures, such as requesting identification documents.
7.3. Identity verification of a proxy holder
If a request is made on behalf of the data subject by another person (a proxy holder), the European IT Certification Institute must verify the identity of both the proxy holder and the data subject on whose behalf the request is being made.
7.4. Identity verification doubts
If the European IT Certification Institute has doubts about the identity of the data subject or the validity of the request, it may request additional information or take other appropriate measures to verify the identity of the data subject.
7.5. Identity verification records
The European IT Certification Institute should keep a record of the verification process and the measures taken to verify the identity of the data subject. This record should be kept for a reasonable period of time and used to demonstrate compliance with data protection laws.
Part 8. Responding to data subject rights requests promptly
8.1. Prompt response
The European IT Certification Institute responds to data subject rights requests promptly and provides the data subject with the information they have requested.
8.2. Request receipt acknowledgment
The European IT Certification Institute acknowledges receipt of the data subject’s request as soon as possible, ideally within 5 working days.
8.3. Request review
The designated DPO should review the request to ensure that it meets the necessary requirements and that all the necessary information has been provided.
8.4. Verification of the data subject identity
The European IT Certification Institute verifies the identity of the data subject making the request to ensure that the personal data is only provided to the correct individual.
8.5. Obtaining additional information if required
If the request is unclear or insufficient, the European IT Certification Institute should contact the data subject to obtain additional information.
8.6. Retrieving the relevant data
The European IT Certification Institute retrieves the relevant personal data and reviews it to ensure that it is accurate and up-to-date.
8.7. Providing the requested information
The European IT Certification Institute provides the data subject with the information they have requested, including a copy of their personal data in a commonly used electronic format, unless otherwise requested.
8.8. Informing the data subject of their rights
The European IT Certification Institute informs the data subject of their other rights, such as the right to rectify or erase their personal data, and provides them with the necessary instructions.
8.9. Complying with the response time
The European IT Certification Institute responds to data subject rights requests within the established response time, ensuring that necessary action is taken to comply with the request.
8.10. Documenting the response
The European IT Certification Institute documents the response to the data subject rights request, including any actions taken and the response time, to ensure that it can be audited and tracked for compliance purposes.
8.11. Notifying the data subject of any changes
If any changes are made to the data subject’s personal data as a result of their request, the European IT Certification Institute notifies the data subject of these changes.
Part 9. Documenting data subject rights requests
The European IT Certification Institute maintains a record of data subject rights requests, including the date of the request, the nature of the request, and the response to the request. Documenting data subject rights requests includes the following aspects:
9.1. Maintaining a register
The European IT Certification Institute maintains a register that captures all data subject rights requests received. This register should capture the following details:
- Date of the request
- Name and contact details of the data subject
- Description of the request
- Action taken in response to the request
- Any additional information required to process the request
9.2. Standardized process for documentation
The European IT Certification Institute runs a standardized process for documenting data subject rights requests to ensure consistency and accuracy in the information captured.
9.3. Retention period
The European IT Certification Institute maintains these records for a reasonable period of time, as determined by applicable laws and regulations, not shorter than 2 years.
9.4. Maintaining confidentiality
The European IT Certification Institute ensures that the records of data subject rights requests are accessible only to authorized personnel who have a need to access such information in the performance of their duties. It also implements technical and organizational measures to prevent unauthorized access, disclosure, alteration or destruction of personal data contained in the records of data subject rights requests.
9.5. Reporting
The European IT Certification Institute periodically generates reports on data subject rights requests received, processed and outstanding. These reports are shared with relevant stakeholders including senior management and the DPO.
9.6. Analytics
The European IT Certification Institute conducts trend analysis on data subject rights requests to identify patterns and root causes of requests. This information is used to enhance processes and procedures to better manage such requests.
Part 10. Monitoring and reviewing the process
The European IT Certification Institute regularly monitors and reviews its process for handling data subject rights requests to ensure that it remains effective and compliant with the GDPR.
10.1. Conducting periodic reviews
The European IT Certification Institute conducts periodic reviews of its data subject rights request handling process and GDPR compliance policy to ensure that it is effective and compliant with data protection regulations. These reviews include an analysis of the number and type of requests received, the timeliness and effectiveness of responses, and any areas for improvement.
10.2. Implementation of improvements
Based on the findings of the reviews, the European IT Certification Institute implements any necessary improvements to its data subject rights request handling process. This may include updates to procedures, additional training for staff, or changes to the way requests are verified and responded to.
10.3. Ensuring ongoing compliance
The European IT Certification Institute ensures ongoing compliance with data protection regulations by regularly reviewing and updating its policies and procedures in line with any changes to relevant laws and regulations.
10.4. Monitoring staff performance
The European IT Certification Institute monitors staff performance in relation to handling data subject rights requests, including the quality and timeliness of responses. This may include periodic training and performance reviews to ensure that staff are knowledgeable and competent in this area.
10.5. Communicating with data subjects
The European IT Certification Institute communicates with data subjects throughout the request handling process to ensure that they are kept informed of progress and any relevant information. This may include providing updates on the status of their request or requesting additional information as needed.
10.6. Maintaining records
The European IT Certification Institute maintains records of its reviews, including any changes made to its data subject rights request handling process, as well as any feedback received from data subjects. This information can be used to support ongoing compliance efforts and to identify areas for further improvement.
Part 11. Establishing the Record of Processing Activities
The European IT Certification Institute maintains the Record of Processing Activities, which is a document that outlines the processing of personal data carried out by the organization. It is required under the EU General Data Protection Regulation (GDPR) and is intended to support understanding of data processing activities and to demonstrate compliance with the GDPR.
11.1. ROPA structure
The ROPA includes basic information on the name and contact details of the organization, the purposes of the data processing, the categories of personal data processed, the recipients of the personal data, and the retention periods for the personal data. It also includes information about any third-party processors who process personal data on behalf of the organization.
11.2. ROPA regular updates
The ROPA is updated regularly and is a living document that reflects changes in the European IT Certification Institute’s data processing activities, which supports building trust with data subjects.
The European IT Certification Institute is committed to maintaining the highest standards in regard to its Data Subject Rights Requests Management and General Data Protection Regulation Policy, making sure to comply with all applicable laws and regulations related to these issues, as well as to leading industry standards and best practices, including the ISO 27701 Privacy Information Management System.