The process is outlined below,
- The data subject sends a DSAR (Data Subject Access Request) to the organisation.
If the request is received by the data processor (Veremark, acting on behalf of a client), they must, in accordance with their contractual agreement and data protection regulations, forward the request to the data controller without undue delay. This ensures the data controller, who determines the purpose and means of processing, can handle the request directly.
The data controller is then responsible for acting on the DSAR. They must respond to the data subject within a specified timeframe (typically one calendar month) and provide the requested information or take the requested action (e.g., erasure, rectification). The data processor may assist the controller in this process as contractually required.
- If the data subject believes the response is insufficient or their rights have not been respected, they have the right to lodge a complaint with the relevant data protection authority.