
Privacy Requests: Fundamentals

Reading time: 5 min | Fides | Privacy Requests

In this tutorial, we'll briefly walk through what a privacy request is, why they're important, and how to maintain compliance with privacy request requirements.

After reading this page, you'll be familiar with the key terms and concepts of privacy requests.

What are Privacy Requests?

Privacy requests, also sometimes called Data Subject Requests (DSRs or DSARs), are the rights afforded to a user whose data is processed by an organization.

The rights afforded to your users are based on their location and not your organization's!

Common Privacy Requests Rights

The rights for privacy requests afforded to a user are typically the following:

| Right | Description |
| --- | --- |
| Access | The user has the right to access the personal data that was collected and processed about them, and to understand what purposes it was used for. |
| Erasure | The user has the right to have all personal data or personally identifiable data deleted across any systems throughout the entire organization. |
| Rectification | The user has the right to update, or correct, personal information about them that the user believes to be incorrect. |
| Portability | The user has the right to obtain a machine-readable copy of their personal data so that it can be imported into another system. |

Users or Data Subjects

In privacy parlance, the owner of the personal data collected by your organization (often the user of your product) is commonly known as a data subject.

A Data Subject is any type of user on whom you collect and process data, such as customers or employees.

Subject Identity Verification

When you receive a privacy request, you are responsible for confirming the identity of the subject to ensure that you do not disclose data to the wrong person. To verify an identity, you may not request additional information that you don't already retain about the subject. For example, you can't request a copy of a subject's driver's license if you don't already hold that information.

Ethyca recommends using multi-factor authentication (MFA) for identity verification. Fides has built-in subject identity verification via MFA. Learn more about Subject Identity Verification here.

Authorized Agents

In some locations, an individual subject may submit a privacy request themselves directly, or appoint a third party, typically known as an authorized agent, to submit one on their behalf.

In the event you receive a privacy request from an agent, you must honor it provided you are satisfied that the authorized agent has been appointed by the subject.

You should provide at least two publicly available, easy-to-find methods by which your users can submit privacy requests.

Receiving Privacy Requests

Although there are exceptions, most global privacy regulations require you to provide at least two methods of receiving privacy requests. The methods by which you accept and process privacy requests should be easy to find and are typically listed in your privacy policy.

The most common methods to receive privacy requests are:

| Method | Description |
| --- | --- |
| Form | A publicly available form on your website or application, where a user may submit their privacy request. |
| Email | A publicly available email address, to which a user may submit their privacy request. |
| Phone | A publicly available phone number, at which a user may contact you to submit their privacy request. |

Privacy Request Processing Timeframe

The subject's location determines the regulation that applies and, with it, the time limit within which a privacy request must be completed. You may request an extension in some locations, provided you notify the subject of the extension promptly, typically within 28 days (Europe) or within 45 days (USA).

| Regulation | Timeframe | Extension |
| --- | --- | --- |
| GDPR (EEA & UK) | 28 days (one calendar month) | 56 days (three calendar months total) |
| US State Regulations | 45 days | 45 days (90 days total) |
| LGPD (Brazil) | 15 days | -- |

Exceptions to Privacy Requests

There are some situations where you may not be able to, or may not be required to, complete a privacy request. It's important to know when these might apply and how to manage them. In each case you should evaluate the circumstances and risks for your specific organization to ensure you remain compliant at all times.

Legal / Compliance Obligation

There are certain categories of personal data that you may be required to retain in order to fulfill legal or compliance obligations. In such cases, you're permitted to retain that data when an erasure request is received, provided you restrict the use of the data to that purpose.

Example:

To correctly calculate and file tax liabilities, an e-commerce company, Cookie House, needs to use order history information and the user's location. If the customer makes an erasure request to Cookie House, the order history and zip code may be exempt from deletion provided they are used only to file taxes, and not for any other business purpose.

Confidentiality Risk

In circumstances where returning data to a subject might reveal confidential or sensitive information about any organization or another individual, you're not required to return that specific piece of information.

Example:

The e-commerce company Cookie House provides an employment reference in confidence for one of its employees to another company. If the employee makes a subject access request to either company, the reference is exempt from disclosure.

Now that we've covered the basics, let's dive into configuring and managing privacy requests with Fides.