Relevant Person Information Form (Data Subject Access Request Form, "DSAR") is one of the legal rights that individuals have constantly under the KVKK, and therefore it continues to give you a headache even after you fulfill your KVKK obligation. Because responding to this form takes time and effort, and you can't earn money for that effort and time because you can't charge a fee for answering the DSAR. You also have a maximum of 30 days to respond, so if you don't have the relevant department, you may even have to suspend your other projects and concentrate on this one.
DSARs are of course not the dark side of KVKK. It is a way for businesses that process personal data to show that they are processing the data in accordance with the law and that they actually fulfill the compliance process properly. When you do a KVKK study, you will not be able to be sure whether you are doing a correct study unless a DSAR request is received. If you are having trouble responding to DSAR, you may need to review your policies or inventory. This is never a bad thing! You can even consider yourself lucky to have the opportunity to review your KVKK work before being subject to a possible penalty by the institution. It is generally not preferred when doing KVKK studies, but the best way to ensure your KVKK compliance study is to do a hypothetical DSAR study. Be sure to do a hypothetical DSAR study before encountering an actual DSAR request. Thus, you will be prepared for any situation.
If you encounter a DSAR request, we would like to mention a few helpful tips on how to respond:
1- What exactly is DSAR?
Every natural person has the right to apply to the data controller regarding his data. This right is to learn whether personal data is processed, to request information if personal data has been processed, to learn the purpose of processing personal data and whether they are used in accordance with its purpose, to know the third parties to whom personal data is transferred, in case their personal data is incomplete or incorrectly processed. to request the correction of personal data and to notify the third parties to whom the personal data has been transferred, to request the deletion or destruction of personal data in the event that the reasons requiring processing are eliminated, although it has been processed in accordance with the provisions of the Law and other relevant laws, It includes the right to request notification to third parties, to object to the emergence of a result against it by analyzing the processed data exclusively through automated systems, to demand the compensation of the damage in case of damage due to unlawful processing of personal data.
Although it is a legal request, this request does not necessarily have to be written in legal language and look like an official request. For example, if you are a bank and a customer tells you:
What information do you keep about me?
I want to know what personal data you hold about me.
Can you please tell me how much personal data you hold about me and why?
I want to know what your personal data is.
Please send me all the data you hold.
At this point, it is possible to make things easier for both you and the person concerned by having a form prepared on your website or within your company. However, remember that you cannot force the person concerned to apply to you through this form.
2. Leverage technology
When someone asks you to provide a copy of the information you have about them, the first step will be to examine a mass of data media, including your server, emails, internal or external company correspondence, printed documents. Depending on the size of this environment, it will be difficult for you to analyze the data of that person and therefore to respond to the application form. You probably use a lot of software you create or buy to help support your business. While these technologies help you, they also increase the possibilities of data duplication and storage in more than one place. However, there are some ways to use technology to help you in this regard:
Retention period: Your standard settings are set to retain information forever. However, some platforms where data can be stored, such as Google and Microsoft, allow you to change the retention period and choose a retention period. Changing the retention period means that the system will automatically delete emails, instant messages or any data you transfer to this platform after a certain period of time. As you know, digital storage is expensive. By specifying the retention period, you can both reduce your expense and shorten your response time to the application form, as data that is already obsolete and that you no longer process is automatically deleted. But it's worth remembering, make sure to create a separate folder to save specific documents or emails that you want to keep longer, because you don't want to lose important emails due to the expiration of their retention period.
Search button: You will undoubtedly use the search bar to access data about the contact. You can search for a contact's full name, email address, or even job titles. But don't forget to use the search button properly to limit your search and pinpoint it. For example, when you want to access the data of the person named Ayşe Yılmaz, the search button will give you many results containing both the words Ayşe and Yılmaz, but if you add quotation marks to this search and search for "Ayşe Yılmaz", you will only get search results for the sentence in quotes.
Training: Get training on the program to fully use the storage auxiliary functions of the software you are using. For example, it may have some functions that allow the shared data not to be recorded by other people. In this sense, make sure that you take full advantage of the functions of the program.
Keep the data inventory up to date: If you are an institution that has to respond to the data subject application form, this also means that you have other data controller obligations, one of which is to keep an inventory. Inventory allows you to see the data you have processed collectively as an excel file. Inventory is your biggest assistant when responding to the contact form. For this reason, make sure that the inventory is always up to date.
Visual map: Visualize your systems and keep this visual map up to date to show where data is stored.
Avoid duplicating data and work from a single source if possible
3. The person concerned only has the right to learn about their processed data.
When the data subject applies to the data controller, this only gives him some rights. These rights have also been published in the Communiqué on the Procedures and Principles of Application to the Data Controller. In this context, for example, you do not need to notify him of every e-mail in which the name of the person is mentioned, because this is outside the scope of the right of application and your e-mails may contain commercial information for the company in which the customer's name is mentioned. Within the scope of this right, it is sufficient to provide only copies of actual personal data and not copies of documents containing these personal data. In this context, according to the desired scope, for example,
You can always contact us for your questions about the contact application form.
Comments