Data Subject Rights

Data Subject Rights

Data Subject Rights

The GDPR explicitly states certain rights for the data subjects in Articles 12 to 23. We need to understand and fulfill them when individuals seek to exercise those rights.

  • Right of access: The subject's right to obtain from the controller, the confirmation as to the processing of their data and furthermore request to access their personal information. 
  • Right to rectification: The subject's right to ensure that their personal data is accurate and updated as needed.
  • Right to erasure or be forgotten: The subject's right to ask the controller for the erasure of their personal data without undue delay.
  • Right to object and restriction of processing: The subject's right to object to the processing of their data and even restrict it if they so desire.
  • Right to data portability: The subject's right to obtain their information in a structured and machine readable format or have their data transferred to another organisation if feasible.
  • Right to be informed: The subject's right to be informed of how and why their personal data is being processed. Also, they have the right to know if the data is being shared with other third-party. This can be addressed by identifying the appropriate lawful bases to process data. In case of a consent being , getting proper
  • Right to be notified: In case of a data breach, the data subjects need to be informed within 72 hours of first having become aware of the breach.

Add Data Subject Requests

There are two ways in which the above mentioned requests can be collected.

  • Manual

    • The data subjects can send requests to you in an email.
    • You can get the request on a call or orally, in person.
  • Automatic

    • Send Data Request link via email.
      The requests raised by your customers will by automatically captured in the CRM.

Add Data Subject Requests Manually

On collecting the requests, you need to update it in your CRM account and do the needful actions to handle the requests.

To add a data subject's request in your account

  1. Click open the data subjects record in your CRM account.
    The record could be in the Leads, Contacts, Vendors or any other custom module for which GDPR Compliance is enabled.
  2. Click Data Privacy.
    Under the Data Subject Requests section, click the Add Request link.
  3. In the New Request popup, select a request and click Done.
    The request will be added for the record.

Handle Requests Within the CRM

Let us understand how these requests can be handled within the CRM.

Access (Right to Access)

Using the CRM's email templates you can create templates with the customer personal data using merge fields. This template can be used to send emails when data subjects request to have access to their information. Data subjects can also access their information through customer portals, which is available in the Enterprise Edition. 

To send an email with the data subject's information

  1. Click open the data subjects record and click Data Privacy.
  2. Under the Data Subject Requests section, click the Add Request link.
  3. In the New Request popup, select Request to access data.
  4. Click Done.
    The request will be added to the record.
  5. Click Send email for the Request to access data.
  6. In the email composer, select the email template with the merge fields and send the email.

Rectify (Right to Rectify)

You need send a email with the CSV file that contains the data subject's information. Data subjects can rectify the information in the CSV file and send it back to you to import it in your CRM account and and update the information. Data subjects can also themselves rectify and update their information through the customer portals, which is available in the Enterprise Edition.

To send and email to rectify data subject's data

  1. Click open the data subjects record and click Data Privacy.
  2. Under the Data Subject Requests section, click the Add Request link.
  3. In the New Request popup, select Request to rectify data.
  4. Click Done.
    The request will be added to the record.
  5. Click Send email for the Request to rectify data.
    An email composer will open, with a CSV file as attachment. The attachment contains the data subject's information that is available in the selected module.
  6. In the email composer, draft the email and send.

Export (Right to Portability)

Data Subject information is be exported, attached to an email and sent in a machine readable format (CSV format), all without being downloaded on to the Controller's device.

To send a copy of the data subject's data

  1. Click open the data subjects record and click Data Privacy.
  2. Under the Data Subject Requests section, click the Add Request link.
  3. In the New Request popup, select Request to export data.
  4. Click Done.
    The request will be added to the record.
  5. Click Send email for the Request to export data.
    An email composer will open, with a CSV file as attachment. The attachment contains the data subject's information that is available in the selected module.
  6. In the email composer, draft the email and send.

Stop Processing (Right to Stop Processing)

Once they exercise this right, you need to stop processing the data subject's information. To handle this, the CRM has the option to lock the data subject's information and prevent it from further processing. When a record is locked, the details in the record, will be locked from further use or processing in CRM. For example, emails will not be sent from workflow rules, you cannot edit the record, share it, run macros on it or even merge it with its duplicate.

To lock the record

  1. Click open the data subjects record and click Data Privacy.
  2. Under the Data Subject Requests section, click the Add Request link.
  3. In the New Request popup, select Request to stop processing data.
  4. Click Done.
    The request will be added to the record.
  5. Click Lock for the Request to stop processing data.
  6. Click Yes, Proceed to confirm.
    The record will be locked. You cannot perform any actions for the record, as mentioned earlier.

Erase (Right to be forgotten)

Once exercised, the data subject's information can be locked for the duration of the retention period defined in the Data Controller's terms of service. During this period data will not be processed in the CRM, after which the controller has the option to delete the data subject's information. Once deleted, the record's email address will be moved to a block-list and the re-entry of the same data will be prevented via import, synchronization, etc. However, you will have the option to manually add a record with the same email address.

Note

  • Users should have Manage Compliance Settings permission to move a record to blocklist.
  • When a record is block-listed, all the records bearing the same email address will be deleted across all the GDPR enabled modules.
  • The block-listed records can neither be retrieved nor be viewed.
  • When a record is block-listed, it is deleted from the CRM. However, all the records associated to the block-listed record will not be deleted. The associated will be removed. For example, a task associated to a block-listed lead will remain in you CRM account but it will no longer be associated to the lead.

To lock and block-list the record

  1. Click open the data subjects record and click Data Privacy.
  2. Under the Data Subject Requests section, click the Add Request link.
  3. In the New Request popup, select Request to delete data.
  4. Click Done.
    The request will be added to the record.
    • Click Lock to stop processing the data before deleting it.
    • Click Move to block-list to delete it from your CRM account.
      In the Blocklist Record popup, click Move to blocklist.

      The record will be deleted and the email address will be added to block-list.
  5. Click Yes, Proceed to confirm.

Add Data Subject Requests Automatically

Add the data subject request link in the email or create an email template and send it to your data subjects. This allows them to submit a request in the CRM on their own.

To add data request link in email template 

  1. Go to Setup > Customisation > Templates.
  2. Select the Email tab and click +New Template.
  3. In the Create Email Template pop-up, select the module and click Next.
  4. Choose a template from the Template Gallery.
  5. Click the  (Add Link) button
  6. In the Add Link window, do the following:
    1. Select Data Request from the Link Type drop-down list.
    2. Choose the Data Request Type by enabling the checkbox.
      Click Select all to add all the types.
    3. Select the Language from the drop-down list and click Save.

  7. Save the Template.

To add data request link in email 

  1. Go to the Record Details page and click Send Email.
  2. In the compose window, click  (Add Link) button and select the  (Data Request) icon.
  3. Choose the Data Request Type by enabling the checkbox.
    Click Select all to add all the types.
  4. Select the Language from the drop-down list and click Save.
  5. Click Send.

Raise Data Request

By using the Data Request link, the customer can raise a request and it will be automatically captured in the CRM. Your customers can follow the given steps to raise a data request.

To raise Data Request

  1. Your customers can click Data Request Link from the email.
  2. Add a request of their choice.
  3. Confirm the request.
  4. This request will be captured in the Data Privacy section of the respective records.

View All Open Requests

The Overview section in the GDPR Compliance Settings provides a consolidated view of all the requested sorted module-wise. You can view the list of all the record for a particular request.

To view all open requests

  1. Click Setup > Users and Control > Compliance Settings > Overview.
  2. In the Open Data Subject Requests section, click on a request to view the corresponding records.
  3. Review the implications and click Restrict Personal data to proceed.
The content presented herein is not to be construed as legal advice. Please contact your legal advisor to know how GDPR impacts your organisation and what you need to do to comply with the GDPR.


    • Related Articles

    • Data Privacy for Portal Users

      Data Privacy for Portal Users Data Processing Basis As a Data Controller, to be GDPR compliant you need to process data based on one of the lawful bases. Based on your business requirement and discretion you can choose a processing basis from the ...
    • Managing Lawful Bases for Data Processing

      Managing Lawful Bases for Data Processing Switch on GDPR Compliance options The Lawful Bases Applying Lawful Bases with the CRM Change lawful basis for records. View Details and History View Dashboard Switch on GDPR Compliance options Under ...
    • Data Privacy

      Data Privacy View Data Source View Personal Fields Manage Data Processing Bases A record's details are available in two sections - Info and Timeline. When you switch on GDPR Compliance in your CRM account, you will be able to view another section, ...
    • Data Migration - An Introduction

      Data Migration - An Introduction Migrate Options Before you migrate Migration checklist The Data Migration wizard in the CRM ensures that your data is migrated accurately and helps you reduce much of the manual work. It automatically maps import ...
    • Data Security Types - An Overview

      Data Security Types - An Overview Managing the complexities of security administration is one of the growing concerns in any enterprise, especially those open to e-commerce or with large networks. In such demanding times, the availability of Security ...