Exercise of the rights of the data subject – how long does it take?
One of our clients received a request from one of its employees (Mr. X) for a copy of the data collected about him, together with information on the purposes for which, and the places where, that data is processed. At first, the DPO who received the request thought "nothing terrible" and asked all managers of organizational units to send him a copy of Mr. X's data and information on the systems and locations in which his data is processed. It is not difficult to imagine the confusion this message caused in the organization, and it did not help the DPO at all.
Time was running out, and the DPO did not know which of the 5 people named X whose data the organization held was the person making the request, or how to go about fulfilling it. As a consequence, it took 12 days of work to identify the data subject, fulfill his requests and reply. Based on these experiences, we designed the process for handling data subject rights in BPM GDPR.
The process provides not only supervision of the requests the organization receives concerning the rights of data subjects, but also unambiguous identification of the requester. Thanks to the connections built using the register of processing activities, we can efficiently and automatically find the resources (systems and rooms) in which the requester's data is processed, the processing activities that involve the requester's data, and the persons who can support the DPO in fulfilling a given right (resource owners). After identifying these connections, the system lets us start the process of fulfilling the right, directing the appropriate tasks to individual people.
After the BPM GDPR platform was implemented in the organization, the time needed to handle similar data subject requests was shortened to 1 day.