If you are asked what data you store about the data subject, it is important that you really disclose all the data. To do this, consult the compiled record of data processing and put together an overview based on this. If you store a particularly large amount of data, you should set up a process that allows the automatic retrieval of all the stored data “at the touch of a button.” It is important that the data subject can identify themselves accordingly e.g. with an identity card, passport, or driver’s license, before you send the data. This is necessary to ensure that personal data is never made available to an unauthorized person.

Here, you need to explain exactly where your customer data is located. This will probably be a hosting server. In addition, you need to disclose how the access to these servers is secured. You can ask your hosting provider for the required information.

A cancellation is the withdrawal of consent. How quickly you have to comply with the request depends on whether you have a legal retention period. This is usually not the case for a newsletter so you have to comply immediately with the request. However, things are different if the cancellation conflicts with a law. Read the exact procedure below.

First of all, there are different time limits. Accounting, tax and customs, contracting, employment and industry specific deadlines are areas that have different time periods. There are specific reasons for refusal in cancellation rights on the basis of these time periods. This means that an erasure request can only be denied if you require the corresponding data in order to comply with a legal obligation. This legal obligation results from the time periods named above. In practice, this means that a response must be given within one month of receiving an erasure request that must inform the applicant of the action taken or explain the reasons for the refusal.

No. The GDPR has two principles, among others. These are accuracy and memory limitation. This means that all personal data must be correct and up to date. Incorrect data must be deleted. The storage limitation means that data may only be saved and stored to the extent that it is needed for the actual purpose, meaning if it is no longer needed and doesn’t fall under a retention period, it must be actively deleted by you as described above.

Legal retention periods also apply here, as well as whether data needs to be stored for a specific use. For leads, the retention purpose is only given if you can already demonstrate an existing relationship with the customer. Otherwise, there is no reason to store it.

As long as you have to comply with the legal retention periods, e.g. for invoices that you, as a business owner, have to keep for country specific retention periods (10 years in Germany, 7 years in Austria), you cannot meet the erasure request. However, according to the current legal status, you must communicate this to the customer within one month of receiving the request.

A review is carried out by data protection authorities. This will ask about erasure processes, your erasure concept and retention periods, among other things. It is also entitled to request access to the data storage premises and carry out a detailed examination.

In principle, applications from affected parties must be processed within a month. In the case of complex issues, the possibility also exists to apply for a two month deadline extension.