Requests for access and deletion are becoming increasingly common and, in practice, prove to be much more complex than they appear at first glance. Organizations are struggling with fragmented data, tight deadlines, and difficult decisions about what should and should not be provided or deleted. In this interview, Vonne Laan, privacy lawyer and partner at The Data Lawyers, explains where things often go wrong and why a careful approach is crucial. She also shares how recent case law and good policy can make a difference.

Requests for access and deletion are clearly on the rise. This is because data subjects are becoming more aware of their rights and how they can request access to their data, for example. In practice, organizations mainly get stuck on the fragmentation of data within the organization: how do you retrieve all the data within the deadline and how do you proceed in practical terms to process the request for access? There is also often much discussion about what exactly falls within the scope of the request: what personal data must be found and provided, how broadly should you search, and how do you deal with information about third parties or internal notes? Precisely because privacy requests are increasingly being used as a stepping stone to a complaint to the supervisory authority or legal proceedings, it is important to handle them properly. In this course, you will learn how to define the scope of a request and make the processing of a request practically workable.
Because a request for access is rarely a simple "data export." It is an internal decision-making process in which you have to make choices about how to interpret the request, any follow-up questions, search results, how to formulate the response, and the reasoning behind it. If you have someone with no knowledge of the matter handle the requests, you run the risk of missing nuances, or missing indications that the request is a prelude to legal proceedings. It is also possible that legal exceptions will be missed or that the request will not be handled in line with the legal framework for other reasons. Or that too much information is provided, which is then used in proceedings against the organization. In short: privacy requests are best handled with care. And with a good policy in place, that is perfectly possible. The course also covers topics and tips to include in such a policy.
The right to erasure is not an automatic "delete button." An organization may sometimes refuse a request for erasure, for example, when data is needed to establish, exercise, or defend legal claims. Sometimes the organization must even refuse the request, for example, when there is a legal obligation to retain data (such as tax obligations). In practice, things often go wrong because organizations agree to delete data too quickly, leaving themselves with no evidence to fall back on. Conversely, we also often see deletion requests being refused too quickly, without proper justification. In the course, we discuss the grounds for data erasure, the exceptions, and also the obligation to notify third parties. This clarifies when erasure is required and when you may refuse the request.
Yes, case law has made it much clearer in recent years how broad the right of access can be, including in relation to internal communications, metadata, log data, and the question of what constitutes a "copy" that must be provided. You also see that judges and regulators are taking a more critical look at overly general refusals and insufficiently substantiated redactions (blacklining). This means that organizations need to regularly review their standard approach. In the course, we discuss current case law and practical cases, precisely so that participants not only learn "the law," but above all how the rules are actually applied today and where the boundaries lie.
Identification often goes wrong because organizations either do too little checking (with the risk of providing information to the wrong person and thus a potential data breach), or they routinely ask for a copy of ID, even though this is not always proportionate. In the case of excessive or unfounded requests, you see that "it takes a lot of time" is too quickly equated with "excessive," which is not in line with the GDPR. In the course, we therefore discuss concrete methods for identification and for assessing excessiveness.
Open standards need to be translated into practice. Simply repeating the legal provisions in a "Protocol on the rights of data subjects" or similar document is not enough. Practical choices also need to be made in internal policy: which systems will be used, by whom, and for what search terms? How is this communicated to the data subject? Can the data subject still make their own choices in this regard? Who receives the requests internally? Who assesses whether it is a privacy request under the GDPR and, if so, is it forwarded to a dedicated person internally for processing? Who is responsible internally for monitoring and complying with the legal deadlines? All this requires a clear translation of the law into the organization and practice, but also good cooperation between, among others, legal, the DPO, IT, and often HR. In the course, you will learn how to translate the open standards into concrete work instructions and assessment frameworks, enabling you to act more quickly and strengthen your legal position.
