15.06.2023 | Blog Right to information of data subjects under the GDPR – but where is the data located?

How to handle a request for information correctly

Seek and you shall find: Suddenly, the first request for information flutters across your desk. Companies ask themselves: What do we have to consider now, what do we have to do? You should take the following steps:

1. Send the data subject an acknowledgement of receipt of their request and inform them that the requested data will be compiled and made available.

2. Inform the person concerned that their data will be made available within 4 weeks, or better within 28 days.

3. At the same time inform the person concerned how the data will be made available.

4. Collect data.

5. Compile and verify the data.

6. Make the data available in a suitable procedure, for example within a portal solution. You should think about this in advance, as there are also dangers lurking here in terms of how to make the data available to the data subject. Simply sending an e-mail is not a good solution here!

Giving the data subject feedback such as "We don't currently know what we have stored about you," is not a good answer. The risks of "inquiries by the authorities" or a claim for damages increases by leaps and bounds. The probability that the fine will then be rightly levied and/or the claim for damages will be positively decided is almost 100 percent.

Requests for information and their legal basis

The GDPR grants every EU citizen the right to ask what data is stored about their person. Failure to answer, answer incorrectly or incompletely may result in fines and/or claims for damages.

After the final introduction of the GDPR five years ago, this right is not yet used very much, but an increase can be noticed. We data protection experts, whether appointed internally or externally, notice that especially in economically more difficult times, people try to make some money here. Friendly warning lawyers do their bit to capitalize on erroneous or incomplete requests for information. In contrast to the waves of warnings regarding the use of Google Fonts or similar, it is very difficult to fend off claims for damages here - unless you can prove that the information was provided in full. Here we are again confronted with the first main principle of data protection: "Prohibition with reservation of permission", so to speak the reversal of evidence. We, as data processors, must be able to prove at any time that we have acted correctly. I don't have to be proven to have made a mistake, I have to prove that I didn't make a mistake.

How do I find the data?

Whether it is a housing company, a church or a sports club, every institution/company must comply with the right to information truthfully and completely. In addition to the problem of transmitting the data, for example in unencrypted e-mail, mail, fax, etc., there is also the problem of where this data resides on the internal systems. CRM and ERP systems are relatively easy to search, but what about the file system with Word, Excel, and Access data, and what about the data in the various archive systems, including e-mail? This so-called "unstructured" data is usually the biggest problem. Do I really have to search through everything now to provide all the information to the data subjects?

Art. 15 (3) states: “The controller shall provide a copy of the personal data undergoing processing.” That means yes, all data we have stored about the data subject must be disclosed - with very few exceptions.

For companies, it is now often difficult to find out where they have "processed" something about "whom" in what feels like several 10,000 to millions of docx or xlsx files. The data protection experts like to talk about toxic data here - toxic already because we should perhaps no longer have this data - the deletion concept sends its regards.

What should we do? Delete everything for safety's sake? What we don't have, we can't name. But can that really be the right way?

The better way is to track down the data and comply with the right to information of those affected. And how does that work? The magic word is AI-supported full-text search. I specify the keywords. These can be the name "Doe", possibly the first name "John", the date of birth "02-30-2000" and other personal data, including placeholders. I have my IT systems (databases, file system, etc.) searched for these terms. The Word documents, for example, are also searched directly for these keywords and displayed.

Now we only need to summarize the files and make them available to the data subject in a GDPR-compliant way. For example, with the help of the IntraFind software solution "iFinder", I can display the results via screenshots, exports in Excel, etc. and provide them to the affected party.

In my work as a data privacy officer, I have already had to respond to several requests for information. There was always the problem of where data is still available everywhere in the company. Human Relations (HR) in particular is a frequent target today: applicants are rejected, the data is unfortunately kept for "later purposes" and suddenly the request for information is there. But the applicant data has been given to other people in the company and no one knows to whom. It is then problematic if the applicant knows or suspects this. Former employees who left the company in disagreement usually also know what data was stored about them. They like to try to increase the severance pay a little bit. You must protect yourself from this. We have to become masters of the data again and know what we have stored.

As part of the creation of deletion concepts, I simply poked around on the "file server" with the administrators during the preliminary meetings with the companies. It is amazing what you can find there everywhere about data subjects and especially from which year. The GDPR has forbidden us this passion for collecting, now we must take care to know what we know or where it is.

Tracking down personal data quickly and completely with software support

Fines and claims for damages averted, preliminary work to implement the deletion concept completed: Only in this way can we fully comply with the main clause "prohibition with reservation of permission". This allows me to show at any time in court or before the data protection authority that I have fully provided the data stored about the "data subjects".

Personally, I am a big fan of products that bring added economic value: I have my data back under control and know about its contents. The possibility of permanent research is the real added value.

By implementing the IntraFind solution "iFinder" in my IT, I am no longer afraid of requests for information.  Because I can respond in a GDPR-compliant and complete manner.

For further considerations on the right to information of data subjects and especially on the retrieval of personal data in IT systems, whether structured or, as is often the case, unstructured in a file system, we are at your disposal.