GDPR Requirements
The data subject has a right of access to the following information: processing purposes, categories of personal data, recipients or categories of recipients (third countries, organizations), planned storage time, right of rectification and erasure, right of appeal, origin of the data if the personal data was not directly collected, automated decision making including profiling (Article 15(1)), safeguards in the case of data transfer to a third country (Article 15(2)), copies of the personal data (Article 15(3)).
Resulting Challenge
Data subjects can submit a request for information. The person responsible must be able to answer this request in written or electronic form. In doing so, the person responsible must use all reasonable means to verify the identity of the data subject seeking information. If there are reasonable grounds to doubt the identity, the person responsible may request additional information. If the data subject cannot be identified, the person responsible may refuse to provide the information.
Technical Solution Approach
To support this challenge technically, flexible interfaces are necessary that make it possible to request data from the system. For example, Representational State Transfer (REST) interfaces or other interface solutions could be used to retrieve data from the system explicitly. Accordingly, standard queries must be defined that extract the relevant information (see EU-GDPR specification) from the backend. The information must then be presented to the user in the front-end by means of text and, if necessary, images. If the user only wishes to obtain specific information, selection functions must be provided. Depending on the selection, only the corresponding information is provided.
Checklist:
- Does the system provide a way to obtain information about a person and the data related to that person?
- Does the system include mechanisms to authenticate the clients (persons) who request information?
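The sketch below is an added example, not part of the original text: it shows the handler logic behind such an interface, combining the identity check from the challenge with the selection function from the solution approach. The field names, the token-based check and the sample record are assumptions made for illustration.

```python
import hashlib
import hmac

# Article 15 items listed on the page; the key names are assumptions of this example.
ARTICLE_15_FIELDS = (
    "purposes", "categories", "recipients", "storage_period", "rights",
    "source", "automated_decisions", "transfer_safeguards", "data_copy",
)

def _digest(token: str) -> str:
    return hashlib.sha256(token.encode()).hexdigest()

# Constructed sample backend: one record per data subject, plus an internal
# field that must never leave the system through the access interface.
BACKEND = {
    "subject-1001": {
        "token_sha256": _digest("constructed-token-1001"),  # internal
        "purposes": ["order fulfilment", "invoicing"],
        "categories": ["contact data", "order history"],
        "recipients": ["payment provider"],
        "storage_period": "10 years after last order",
        "rights": ["rectification", "erasure", "appeal"],
        "source": "collected directly from the data subject",
        "automated_decisions": None,
        "transfer_safeguards": None,
        "data_copy": {"name": "Jane Example", "email": "jane@example.org"},
    },
}

class AccessRefused(Exception):
    """Identity of the requester could not be verified."""

def handle_access_request(subject_id, presented_token, selection=None):
    """Return the Article 15 items for one verified data subject."""
    record = BACKEND.get(subject_id)
    # Same code path and same error for an unknown subject and a wrong token.
    expected = record["token_sha256"] if record else _digest("")
    if not hmac.compare_digest(expected, _digest(presented_token)) or record is None:
        raise AccessRefused("identity could not be verified")
    wanted = ARTICLE_15_FIELDS if selection is None else tuple(selection)
    # Allow-list: a selection can only narrow the response, never reach
    # internal fields such as token_sha256.
    rejected = [f for f in wanted if f not in ARTICLE_15_FIELDS]
    if rejected:
        raise ValueError(f"not an Article 15 item: {rejected}")
    return {field: record[field] for field in wanted}
```

Because the record is looked up only for the identifier the requester authenticated as, one data subject cannot retrieve another's data by changing the identifier in the request.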