[GDPR IV] How to Set Up Your GDPR Request Form
This information is provided as-is, based on our best understanding of the information publicly available and our consultations with our legal counsel. This is not legal advice, and we cannot answer questions about your particular situation. You should consult with your own legal counsel if you have questions about your obligations under the GDPR.
A cornerstone of the GDPR is the affirmation of the rights of individuals (the Data Subjects) to maintain greater control over the processing on their own personal data. These rights covers three main areas:
- Right to access to personal data and the information related to processing (Art. 12, 13, 14 and 15 and Art. 20, right to data portability)
- Right to rectification in case the data is incomplete or inaccurate (art. 16)
- Right to erasure or restriction of processing by withdrawal of consent or objection to the legal ground for processing. (art. 17, 18 and 21)
In order for individuals to exercise their rights, the GDPR (in recital 59) states that “The controller should also provide means for requests to be made electronically, especially where personal data are processed by electronic means.”
This can be easily done with FormAssembly. We’ve prepared a GDPR Request template that you can customize for your own use.
In order to process a GDPR request effectively, your form will need to cover the following:
1. Collect Name and Proof of Identity
You must be able to verify the identity of the person making the request before you can do anything with their personal data (see Art. 12.2 and recital 64). A reasonable and generally accepted way of verifying identity is to request a copy of a Photo ID, such as a national identity card, passport, or driving license. You may also consider integrating your GDPR request form with a third-party Identity Verification service like Trulioo.
2. Collect Address and Proof of Address
The GDPR only applies to residents of the European Union, and you would not be obligated to respond to a request if you can’t ascertain that the person is indeed a EU resident. Requesting a recent utility bill, bank statement, driving license, or tax document is a generally accepted means of verifying someone’s address. Note that the requirement is for the person to reside in the EU. Citizenship is not required.
3. Collect Nature of the Request
To facilitate the processing of the requests, guide the individuals by allowing them to specify the nature of their request: access, rectification, erasure, objection to processing, or other. Then provide a free-text field for them to substantiate the request. You will want them to specify the information or processing activity to which the request relates. (Recital 63. item 7).
4. Disclose What Will Happen to the Data Submitted
Since you are collecting additional personal information in order to process the request, this information is itself covered by the GDPR, and you will need to provide the standard disclosures. In particular, you’ll want to clarify that,
- The information is processed solely for the purpose of validating their identity and answering their request.
- The information is shared only with the party(es) needed to answer the request.
- The information will be deleted immediately after processing the request.
- The information is handled in compliance with GDPR.
5. Explain How You Will Process the Request
State in the form, and the accompanying confirmation page and email, that you will reply within 30 days (as required under Art 12.3). The period may be extended upon notice two more months for complex or numerous requests (Art 12.3). The processing of the request is free of charge (as required by Art 12.5), but you may want to reserve the right, as allowed under the GDPR, to charge a reasonable fee to cover certain administrative costs (such as providing additional copies of the data) or for handling manifestly unfounded or excessive requests (Art. 12.5).
6. Enable E-signature
FormAssembly e-signature feature allows you to obtain a time-stamped, unfalsifiable record of the request. This is a simple to set up precaution that could become useful should there be any dispute about the handling of the request.
7. Set Up an Auto-responder to Acknowledge Receipt of the Request.
FormAssembly’s auto-responder is also easy to set up. It’s a good place to be transparent and reiterate the process used to handle the request.
8. Set Up Notifications and/or Connectors
Finally, you’ll want to be notified as soon as a request is submitted. Address the email notification to your Data Privacy Officer if you have one, or any other designated person. You may use FormAssembly as your repository for collecting and working through those requests, or forward the request to a third-party system like Salesforce using our connectors.
Learn more about the GDPR in our comprehensive FAQ.