Data Access Requests
Handling GDPR Article 15 subject access requests.
What is a Data Access Request?
Under GDPR, individuals have the right to:
- Obtain confirmation that their data is being processed
- Access their personal data
- Receive information about how their data is used
Request Handling Checklist
Step 1: Verify Identity
- Confirm requester's identity matches account holder
- Request ID verification if the request is submitted via email (requester not logged in)
- Check email matches registered account email
- Document verification method used
Step 2: Acknowledge Receipt
| Action | Timeline |
|---|---|
| Send acknowledgment email | Within 48 hours |
| State expected completion date | Within 30 days of verified request |
| Provide reference number | Immediately |
Template acknowledgment:
"We have received your data access request dated [DATE]. Your request reference is [REF]. We will respond within 30 days as required by GDPR. If we need additional information to verify your identity, we will contact you."
Step 3: Gather Data
Collect data from all sources:
| System | Data Types |
|---|---|
| Corsair Connect | Profile, transactions, commissions, wallet history |
| CSRnow | CSR holdings, retirement records, Hall of Fame entries |
| Support | Ticket history, communications |
| KYC/KYB | Verification documents, approval records |
Step 4: Prepare Response
The response must include:
| Category | Information to Provide |
|---|---|
| Purposes | Why data is processed |
| Categories | Types of personal data held |
| Recipients | Who data has been shared with |
| Retention | How long data will be stored |
| Rights | The individual's rights to rectification, erasure, restriction |
| Source | Where data was obtained (if not from the individual) |
| Automated decisions | Any profiling or automated decision-making |
Step 5: Deliver Response
| Delivery Method | When to Use |
|---|---|
| Secure portal download | Preferred method |
| Encrypted email | If portal not available |
| Registered mail | If specifically requested |
Response Timeline
| Stage | Deadline |
|---|---|
| Acknowledgment | 48 hours |
| Initial response | 30 days |
| Extension (complex requests) | +60 days with notification |
Extension only permitted when:
- Request is complex
- Multiple requests received from same individual
- Member notified within original 30 days with reasons for extension
Data Format
Provide data in:
- Structured format (CSV, JSON) for portability
- Readable summary (PDF) explaining what the data means
- Original documents (KYC images) if specifically requested
Common Scenarios
Scenario: Member wants all their data
- Verify identity
- Export from all platforms
- Package with explanatory cover letter
- Deliver securely within 30 days
Scenario: Request via third party (e.g., lawyer)
- Require written authorization from account holder
- Verify authorization is genuine
- Confirm identity of both parties
- Proceed as normal once verified
Scenario: Excessive or repeated requests
| Situation | Response |
|---|---|
| First request | Process normally (free) |
| Same data, short timeframe | May charge reasonable fee or refuse |
| Clearly unfounded/excessive | May refuse with explanation |
Escalation
Escalate to CIO if:
- Request involves disputed data
- Member claims data is inaccurate
- Legal representative is involved
- Request overlaps with ongoing investigation
Documentation
Record in support system:
- Request received date
- Verification method
- Data sources checked
- Response sent date
- Delivery confirmation