What to provide:

☐ If the personal data were directly provided by the data subject, provide all the information enlisted in Article 13.1 GDPR;

☐ If the personal data were not provided by the data subject, provide all the information enlisted in Article 14.1 – 2 GDPR;

☐ If the information were already fully provided to the data subject, no need to comply with this obligation anymore.

When to provide:

☐ At the time the information was collected from the data subject;

☐ When the data are not collected from the data subject:

☐ within a reasonable period after obtaining the personal data, but at the latest within one month;

☐ if the personal data are to be used for communication with the datasubject, at the latest at the time of the first communication to that data subject;

☐ if a disclosure to someone else is envisaged, at the latest when the personal data are first disclosed.

How to provide:

☐ Concisely;

☐ Transparently;

☐ Intelligibly;

☐ Easily accessible;

☐ In a clear and plain language.

Exemptions:

☐ When the data subject already has all the relevant information;

☐ If the personal data were notprovided by the data subject:

☐ When the provision of information is impossible or disproportionate.

Is the exercise of the right of access compliant with the GDPR?

☐ Did you receive an access request from a legal entity?If yes, please indicate that the request was not lodged by an individual and deny the request;

☐ Has the data subject correctly identified herself? If not, please ask for further information to confirm the identity;

☐ Can the request be fulfilled within one month? If not, please inform why and how long it will it take to process the request (without exceeding the time limits provided in the GDPR, see Section 6);

☐ The request needs to be fulfilled.

How to further comply with all the GDPR obligations:

☐ Provide all the information listed in Article 15.1-2 GDPR;

☐ If the information intertwines with the one from other individuals, please carry out a balancing testas to whether the disclosure to the individual that has filed the request does not affect the personal data of the other individual;

☐ Provide the data subject with a copy of the personal data being processed. For any additional copies requested by the data subject, the controller can charge a reasonable fee.

Best practices:

☐ Provide a specific form that the data subject could easily fill in and submit;

☐ Provide all the information in a commonly used electronic format, unless the data subject requests otherwise.

☐ Did you receive a rectification request from a legal entity? If yes, please indicate that the request was not lodged by an individual;

☐ Has the data subject correctly identified herself? If not, please ask for further information to confirm identity;

☐ Can the request be fulfilled within one month? If no, please inform why and how long will it take to process the request?

☐ Do you need a proof of inaccuracy or additional information to rectify the data? If yes, please ask for further information to the data subject. Remember not to place an unreasonable burden of proof on the data subject

☐ The request needs to be fulfilled.

How to further comply with all the GDPR obligations:

☐ Communicate the data to each recipient to whom the personal data has been disclosed, unless this proves impossible or involves disproportionate effort.

Is the exercise of the right to erasure compliant with the GDPR?

☐ Did you receive an erasure request from a legal entity? If yes, please indicate that the request was not lodged by an individual;

☐ Has the individual correctly identified herself? If not, please ask for further information to confirm identity;

☐ Does the request fall within one of the scenarios laid down in Article 17.1 GDPR? If not, please inform and explain to the data subject that the request shall be denied;

☐ Does the request satisfy one of the exemptions provided by Article 17.3 GDPR? If yes, please inform and explain to the data subject that the request shall be denied;

☐ Can the request be fulfilled within one month? If not, please inform why and how long will it take to process the request.

☐ The request needs to be fulfilled.

How to further comply with all the GDPR obligations:

☐ Make data unusable in a way that prevents you and any other party from (re-)accessing and (re-)processing the data;

☐ Communicate the erasure to each recipient to whom the personal data has been disclosed, unless this proves impossible or involves disproportionate effort;

Is the exercise of the right to restriction of processing compliant with the GDPR?

☐ Did you receive a request to restrict data the processing from a legal entity? If yes, please indicate that the request was not lodged by an individual;

☐ Has the individual correctly identified herself? If not, please ask for further information to confirm identity;

☐ Does the request fall within one of the scenarios laid down in Article 18.1 GDPR? If not, please inform the data subject that the request shall be denied;

☐ Can the request be fulfilled within one month? If not, please inform why and how long will it take to process the request?

☐ The request needs to be fulfilled.

How to further comply with all the GDPR obligations:

☐ Remember that the restriction does not encompass the data storage;

☐ When restriction is pending, personal data can still be processed under the circumstances laid down in Article 18.2 GDPR;

☐ Communicate the restriction of the processing to each recipient to whom the personal data has been disclosed in compliance with Article 19 GDPR, unless this proves impossible or involves disproportionate effort.

Is the exercise of the right to data portability compliant with GDPR?

☐ Did you receive a request for data portability from an individual? If not, please indicate that the request was not lodged by an individual and indicate that the request should be made following the relevant legislation;

☐ Is the portability request made by several data subjects? If yes, make sure that all of them agree on the request;

☐ Has the data subject correctly identified herself? If not, please ask for further information to confirm identity;

☐ Are data processed on one of the lawful bases provided in Article 20.1 GDPR? If not, please inform the data subject that her request shall be denied;

☐ Is the data processing necessary for the performance of a task carried out in the public interest or in the exercise of official authority vested in the controller? If yes, please inform the data subject that her request shall be denied;

☐ Can the request be fulfilled within one month? If no, please inform why and how long will it take to process the request?

☐ The request needs to be fulfilled.

How to further comply with all the GDPR obligations:

☐ If the information intertwines with the one from other individuals, please carry out a balancing test;

☐ Transmit data in structured, commonly used and machine-readable formats;

☐ Transmit data in a secure way.

Is the exercise of the right to object compliant with GDPR?

☐ Did you receive an objection request from a legal entity? If not, please indicate that the request was not lodged by an individual.

☐ Does the request fall within one of the exceptions laid down in Article 21.2-6 GDPR? If yes, please inform the data subject that the request shall be denied.

☐ Has the data subject correctly identified herself? If not, please ask for further information to confirm identity.

☐ Can the request be fulfilled within one month? If not, please inform why and how long will it take to process the request.

☐ The request needs to be fulfilled.

How to further comply with all the GDPR obligations:

☐ Check the data subject’s particular situation aim at balancing its rights with the legitimate ones of others in processing their data.

How to comply with all the GDPR obligations:

☐ Does the automated decision-making fall within one of the exemptions laid down in Articles 22.2 and 22.4? If yes, you can proceed with the data processing;

☐ Inform the data subject about the existence of the automated decision-making, including also an explanation of the logic involved and the potential consequences for the data subject.