Privacy Requests: Fundamentals
In this tutorial, we'll briefly walk through what a privacy request is, why they're important, and how to maintain compliance with privacy request requirements.
After reading this page, you'll be familiar with the key terms and concepts of privacy requests.
Privacy requests, also sometimes called Data Subject Requests (DSRs or DSARs), are the rights afforded to a user whose data is processed by an organization.
The rights for privacy requests afforded to a user are typically the following:
|The user has the right to access the personal data that was collected and processed about them, and understand what purposes it was used for.
|The user has the right to have all personal data or personally identifiable data deleted across any systems through the entire organization.
|The user has the right to update, or correct, personal information that the user believes to be incorrect about them.
|The user has the right to obtain a machine-readable copy of their personal data such that it might be imported to another system.
In privacy parlance, the owner of the personal data collected by your organization (often the user of your product) is commonly known as a *subject.
When you receive a privacy request, you are responsible for confirming the identity of the subject to ensure that you do not incorrectly disclose data. To verify an identity, you may not request additional information you don't already retain about the subject. For example, you can't request a copy of a subject's drivers license if you don't already have this information.
In some locations, an individual subject may submit a privacy request themselves directly, or appoint a third party, typically known as an authorized agent to submit on their behalf.
In the event you receive a privacy request from an agent, you must honor it provided you are satsified that the authorized agent has been appointed by the subject.
The most common methods to receive privacy requests include the examples below.
The most common methods to receive privacy requests are:
|A publicly available form on your website or application, where a user may submit their privacy request.
|A publicly available email address, where a user may submit their privacy request.
|A publicly available phone number, where a user may contact you to submit their privacy request.
The subject's location determines the regulation that applies and with it, the time limit for when a privacy request must be completed. You may request an extension in some locations, provided you notify the subject promptly of the extension - typically within 28 days (Europe) and within 45 days (USA).
|GDPR (EEA & UK)
|28 days (one calendar month)
|56 days (three calendar month total)
|US State Regulations
|45 days (90 days total)
There are some situations where you may not be able to, or required to, complete a privacy request. It's important to know when these might apply and how to manage them. In each case you should evaluate the circumstances and risks for your specific organization to ensure you're complying at all times.
There are certain categories of personal data that you may be required to retain in order to fulfill legal or compliance obligations. In such cases, you're permitted to retain that data in the event when an erasure request is received- provided you restrict the use of the data to that purpose.
To correctly calculate and file tax liabilities, an e-commerce company, Cookie House, will need to use order history information and the user's location. If the customer makes a subject erasure request to Cookie House, the order history and zip code may be exempt from deletion provided they are used only to file taxes, and not for any other business purpose.
In circumstances where returning data to a subject might reveal confidential or sensitive information about any organization or another individual, you're not required to return that specific piece of information.
Now that we've covered the basics, let's dive into configuring and managing privacy requests with Fides.