Where is my data?

Anyone can request access to information about the processing of their own personal data from the relevant data controller. How do you approach this kind of request?

Text: Benedikt Saner, published on 23.11.2022

Antonia Lopez is a student at a Swiss university. As part of a well-informed and privacy-conscious generation, she wants to know what happens to her data. She writes a brief data access request and sends it to info@swissuniversity.ch.

An oversight

The request from Antonia Lopez lands in the info@swissuniversity.ch inbox. This e-mail account is managed by the university's administrative office and they are unsure what to do with the request. As a precaution, they forward it to the university’s internal Legal Services department. But they, too, aren’t sure how to proceed. Heavy workloads result in the request finally being processed three weeks later. As the law stipulates a deadline of 30 days for responding to such requests, speed is of the essence here. Without verifying the requester’s identity, Legal Services enquires with various departments at the university to check whether Antonia Lopez’s data is being processed. Antonia receives the aggregated result by e-mail within the deadline but without any further verification. The legal department realizes too late that there are two students at the university with the same name and that it has inadvertently given out information about the "other" Antonia.

Happy ending

Fortunately, it was possible to settle the matter with the parties involved without any major (reputational) damage. Nevertheless, the incident was an eye-opener for the university and prompted it to implement much-needed processes.

With support from SWITCHlegal, the university defined responsibilities and processes, published a dedicated e-mail address for this kind of request in a suitable place on its website and created templates for standard responses. It also introduced new technical measures to be able to provide the data in an uncomplicated and user-friendly manner as JSON files. It held a small workshop to generate the required interdepartmental awareness around this process. These measures ensure that in the future, the university will be able to provide a professional, legally compliant response to these requests – which are increasing all the time.

Disclaimer

This is a fictional case that did not happen in this way. The name ‘Antonia Lopez’ was chosen at random without reference to an actual living person.

About the author
Benedikt Saner

Benedikt Saner works for the SWITCHlegal service. He advises clients from the education, research and innovation community on all ICT legal matters in a solution-oriented and pragmatic manner. Before he joined SWITCH, he worked as a lawyer at a Zurich-based law firm.

About SWITCHlegal

SWITCHlegal offers the education, research, and innovation community tailored legal advice at a preferential rate. Benefit from our many years of experience and networking within the university landscape, our specialism in ICT law, and our valuable synergies with IT specialists.
