Anyone can request access to information about the processing of their own personal data from the relevant data controller. How do you approach this kind of request?
Antonia Lopez is a student at a Swiss university. As part of a well-informed and privacy-conscious generation, she wants to know what happens to her data. She writes a brief data access request and sends it to email@example.com.
The request from Antonia Lopez lands in the firstname.lastname@example.org inbox. This e-mail account is managed by the university's administrative office and they are unsure what to do with the request. As a precaution, they forward it to the university’s internal Legal Services department. But they, too, aren’t sure how to proceed. Heavy workloads result in the request finally being processed three weeks later. As the law stipulates a deadline of 30 days for responding to such requests, speed is of the essence here. Without verifying the requester’s identity, Legal Services enquires with various departments at the university to check whether Antonia Lopez’s data is being processed. Antonia receives the aggregated result by e-mail within the deadline but without any further verification. The legal department realizes too late that there are two students at the university with the same name and that it has inadvertently given out information about the "other" Antonia.
Fortunately, it was possible to settle the matter with the parties involved without any major (reputational) damage. Nevertheless, the incident was an eye-opener for the university and prompted it to implement much-needed processes.
With support from SWITCHlegal, the university defined responsibilities and processes, published a dedicated e-mail address for this kind of request in a suitable place on its website and created templates for standard responses. It also introduced new technical measures to be able to provide the data in an uncomplicated and user-friendly manner as JSON files. It held a small workshop to generate the required interdepartmental awareness around this process. These measures ensure that in the future, the university will be able to provide a professional, legally compliant response to these requests – which are increasing all the time.
This is a fictional case that did not happen in this way. The name ‘Antonia Lopez’ was chosen at random without reference to an actual living person.