# Data Access Requests
Handling GDPR Article 15 subject access requests.
## What is a Data Access Request?
Under GDPR, individuals have the right to:
- Obtain confirmation that their data is being processed
- Access their personal data
- Receive information about how their data is used
## Request Handling Checklist
### Step 1: Verify Identity
- Confirm requester's identity matches account holder
- Request ID verification if the request was submitted via email rather than from a logged-in account
- Check email matches registered account email
- Document verification method used
### Step 2: Acknowledge Receipt
- Send acknowledgment email — Within 48 hours
- State expected completion date — Within 30 days of verified request
- Provide reference number — Immediately
Template acknowledgment:
"We have received your data access request dated [DATE]. Your request reference is [REF]. We will respond within 30 days as required by GDPR. If we need additional information to verify your identity, we will contact you."
### Step 3: Gather Data
Collect data from all sources:
- Corsair Connect — Profile, transactions, commissions, wallet history
- CSRnow — CSR holdings, retirement records, Hall of Fame entries
- Support — Ticket history, communications
- KYC/KYB — Verification documents, approval records
### Step 4: Prepare Response
The response must include:
- Purposes — Why data is processed
- Categories — Types of personal data held
- Recipients — Who data has been shared with
- Retention — How long data will be stored
- Rights — Their rights to rectification, erasure, restriction
- Source — Where data was obtained (if not from them)
- Automated decisions — Any profiling or automated decision-making
### Step 5: Deliver Response
- Secure portal download — Preferred method
- Encrypted email — If portal not available
- Registered mail — If specifically requested
## Response Timeline
- Acknowledgment — 48 hours
- Initial response — 30 days
- Extension (complex requests) — +60 days with notification
Extension only permitted when:
- Request is complex
- Multiple requests received from same individual
- Member notified within original 30 days with reasons for extension
## Data Format
Provide data in:
- Structured format (CSV, JSON) for portability
- Readable summary (PDF) explaining what the data means
- Original documents (KYC images) if specifically requested
## Common Scenarios
### Scenario: Member wants all their data
- Verify identity
- Export from all platforms
- Package with explanatory cover letter
- Deliver securely within 30 days
### Scenario: Request via third party (e.g., lawyer)
- Require written authorization from account holder
- Verify authorization is genuine
- Confirm identity of both parties
- Proceed as normal once verified
### Scenario: Excessive or repeated requests
- First request — Process normally (free)
- Same data, short timeframe — May charge reasonable fee or refuse
- Clearly unfounded/excessive — May refuse with explanation
## Escalation
Escalate to CIO if:
- Request involves disputed data
- Member claims data is inaccurate
- Legal representative is involved
- Request overlaps with ongoing investigation
## Documentation
Record in support system:
- Request received date
- Verification method
- Data sources checked
- Response sent date
- Delivery confirmation