Article 15 of the GDPR establishes the right of access by the data subject as one of the key principles relating to the processing of personal data. 

"The data subject shall have the right to obtain from the controller confirmation as to whether or not personal data concerning him or her are being processed..."

Main Things to Know

  • You must give individuals a way to confirm whether their data is being processed by you. 
  • Once an access to information request is made, you must respond without undue delay and within 30 days. 
  • You must take reasonable steps to confirm the identity of the person making the request. You must also provide the personal information you hold, the purpose of processing, the period for which the data is intended to be stored, information on their rights to purge or lodge a complaint, and more. For a complete list of the information you will need to provide, please see section 1 of Article 15.
  • If you have disclosed the information to any third parties, you must inform the data subject. 

What you could do to be compliant:  

Unfortunately, there is no easy way to ensure compliance with this article. Below you can find one possible approach for dealing with such requests:

1. Create a form that will manage access to information requests. See an example of such a form here. You can embed the form on a relevant page on your website or just include a link to the self-hosted form in your privacy policy page. Alternatively, you can create a landing page that contains information on data protection and privacy policies and links to this form amongst other relevant pages. This approach will also help you stay compliant with the right to be informed. You can see an example of such a landing page built using Gecko's landing page feature here: https://lp-eu.geckoform.com/demo/gdpr

2. You may also want to (although you are not required to) include a link to the form or landing page at the bottom of your emails or in other types of comms that would permit this. 

3. Configure a workflow on the form to trigger a message to your Data Protection Officer, or any other member of staff who would be responsible for taking action. You may also wish to add additional labels or update contact fields automatically on the go through workflows, which would allow you to easily filter your requests in the future. 

4. Once the DPO or the dedicated member of staff receives such a request, they will have to perform an export of the contact data out of Gecko through Settings > Export Data > New Export > Contacts. They would then configure a custom filter to target an individual student by name or email. You may need to export any related information from any third-party systems as well. 

Access to Information with Gecko Protect: 

The new Gecko Protect add-on offers a feature called Contact Portal, which will offer the student an easy way to access and view the personal information you currently store. The contact will need to fill out a form and get an email or SMS with a unique and secure link to the portal. They may be required to go through an automated process to confirm their identity via email or SMS, after which they will be able to view any of their personal information you have on record within Gecko. 

Any questions? Feel free to start a live chat with a member of our support team or explore the rest of our academy at your leisure.
