Learning from previous cases
The decisions of the national supervisory authorities, together with the guidelines and opinions of the EDPB, if read between the lines, allow us to obtain important information on how organizations should operate in order to respond adequately to the principle of accountability.
Data subjects’ requests
In recent decisions by the national supervisory authorities, the reference context was that of direct marketing which, as noted on numerous occasions by the Italian authority, represents a sector that “generates constant and widespread social alarm”. The remarks contained in the decisions, however, are also of general scope, as in the case of the emphasis on the importance that the measures adopted by organizations “must be accompanied by greater effectiveness on a practical level in order to be considered sufficient to stem (…) illegal conduct”.
Operation of the process
The exercise of privacy rights, known by the acronym “DSR” (Data Subject Request), is one of the main points of contact between the organization and the data subjects. Correspondingly, it is a moment of verification of whether the internal organizational structure is adequate to the demands that the GDPR places on it.
Measures for the exercise of rights
The legislator of the Regulation (GDPR) has assigned a dual function to technical and organizational measures, namely:
- to protect and adequately secure personal data
- to facilitate the enjoyment of the protection and rights of the data subjects.
Article 12 of the GDPR explicitly mentions the obligation to adopt adequate measures that serve the effective application of the law; it prescribes that “(2) The controller shall facilitate the exercise of data subject rights”, and Recital 59 adds that “Modalities should be provided for facilitating the exercise of the data subject’s rights under this Regulation, including mechanisms to request and, if applicable, obtain, free of charge, in particular, access to and rectification or erasure of personal data and the exercise of the right to object. The controller should also provide means for requests to be made electronically (…)”.
Among the main problems encountered in organizations in this regard are:
- failing to reply, or replying late, to the applicant
- uncertain handling of the request.