Requests for access to personal data which entrepreneurs receive from public institutions, such as the Social Insurance Institution (ZUS) or institutions offering social assistance, most often concern:
All such requests should be treated with as much caution as requests from other companies or natural persons. The request for access to data should also be also examined in detail in order to assess its potential execution.
Typical elements of a data request are:
We know from experience that most mistakes are made when determining the legal basis for obtaining personal data. It should always be verified for its accuracy and timeliness. First of all, Article 6 (c) of GDPR should be indicated, and then a provision ensuring the compatibility of the processing of the data necessary to fulfil the legal obligation. The choice of an appropriate regulation depends on the category of institution requesting access to personal data. The most frequently used provisions include:
It is important to provide only as much data as the situation requires.
What to do if there are any errors in the received request for personal data access? First of all, it is necessary to call on the applicant to correct the errors, e.g. the legal basis, the scope of the data or the purpose for which the data are provided.
If the request for personal data does not specify the method of transmission, it should be chosen so as to ensure, in the first place, adequate protection of the data filing system according to the internal procedures for personal data processing.
Example: If you receive a request for personal data in an unencrypted message, it will be a good practice to send it back in an encrypted way with a password to the file through another communication channel.
Contact our expert
Personal data protection