Right of access

Anyone who can reasonably believe you are holding their data has the right to raise a subject access request. The request can ask for:

  • Confirmation that you hold their data
  • Access to all their personal data you hold
  • Other questions related to gathering, storage, and processing of their data (these should be included in your privacy policy)

You might be asking what information should be included when you provide the requested data. Bloomreach Engagement makes this very straightforward. All the personal information can be easily downloaded to a .json file as explained below.

Your customers should receive their data in an intelligible and easily accessible form. The line between what is considered intelligible and what is not is, however, not entirely clear. It is, therefore, good practice to convert the .json file into a more accessible format. For this purpose, you can either use software for automatic conversion or you can convert it manually.
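One way to do the automatic conversion, as an added example that is not Bloomreach's own tooling: a Python script that flattens any JSON export into a two-column CSV that opens in a spreadsheet. The sample record is constructed and does not reflect the actual export layout. Because the values originate from customers, text a spreadsheet would evaluate as a formula is prefixed with an apostrophe.

```python
import csv
import io
import json

# Leading characters that spreadsheet applications treat as the start of a formula.
FORMULA_PREFIXES = ("=", "+", "-", "@", "\t", "\r")


def flatten(value, path=""):
    """Yield (path, leaf) pairs for every leaf in a nested JSON value."""
    if isinstance(value, dict) and value:
        for key, child in value.items():
            yield from flatten(child, f"{path}.{key}" if path else str(key))
    elif isinstance(value, list) and value:
        for index, child in enumerate(value, start=1):
            yield from flatten(child, f"{path}[{index}]")
    elif value is None:
        yield path, "(no value)"
    elif isinstance(value, (dict, list)):  # only empty containers reach here
        yield path, "(empty)"
    else:
        yield path, value


def safe_cell(value):
    """Neutralize text a spreadsheet would otherwise evaluate as a formula."""
    if isinstance(value, str) and value.startswith(FORMULA_PREFIXES):
        return "'" + value
    return value


def export_to_csv(json_text):
    """Convert a JSON export into a two-column CSV (Field, Value)."""
    out = io.StringIO()
    writer = csv.writer(out, lineterminator="\n")
    writer.writerow(["Field", "Value"])
    for field, value in flatten(json.loads(json_text)):
        writer.writerow([safe_cell(field), safe_cell(value)])
    return out.getvalue()


# Constructed sample; NOT the actual layout of a Bloomreach Engagement export.
SAMPLE_EXPORT = json.dumps({
    "properties": {"email": "jane@example.com", "phone": None, "note": "=1+1"},
    "events": [{"type": "purchase", "items": ["book", "pen"]},
               {"type": "session_start", "items": []}],
})

if __name__ == "__main__":
    print(export_to_csv(SAMPLE_EXPORT))
```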

Downloading data

If you need to download a customer's data, you have two options. Firstly, you can do it directly in their customer profile.

Secondly, you can do it through the API. You can export the data of a single customer, all your customers, or just the events of selected customers.

Changing circumstances

It is very likely that personal data will change between the time a customer makes a request and the time you comply with it. The data will probably change in these two ways:

Amendment
The customer usually continues their activity on your website even after making the request. New customer data will, therefore, be added and some will be rewritten.

Deletion
You have probably set specific retention periods for your events. This means that some of the customer's data will be deleted.

You might then ask which version of the data you are supposed to provide. The answer is that you should send the customer the most up-to-date version of their data at the time of complying with their request. It is completely fine that the data changed since the time of the request. However, all of these changes must only be the natural ones which would have happened regardless of whether the request was made. Making intentional adjustments to the data with the purpose of hiding it from the customer would be considered a breach of GDPR.