By Claude-Étienne Armingaud and Inès Demmou
With its December 2021 fine imposed on French telephone operator Free Mobile, the French data protection authority (CNIL) reiterated the importance of responding to data subject access requests (DSARs) within the relevant timeline (usually 30 days), with all the relevant and required information (Articles 13 and 14 GDPR) and ensuring the security of users’ personal data (Article 32 GDPR).
Another sanction by the Dutch Supervisory Authority relating to the principle of data minimization confirmed that such DSARs could not be made conditional on overly complex mechanisms, such as a requirement to upload a full copy of an identity document.
These sanctions demonstrate that data subjects have acquired the awareness necessary to exercise their rights, and that data controllers must implement effective channels and internal processes to handle DSARs properly, effectively, in a timely manner, and in a way that would not, in turn, generate their own set of breaches of the GDPR.