Anyone who can reasonably believe you are holding their data has a right to raise a subject access request. The request can be for:
- Confirmation that you hold their data
- Access to all their personal data you hold
You might be asking what information should be included when you provide the requested data. Exponea makes this very straightforward. All the personal information can be easily downloaded to a .json file as explained below.
Your customers should receive their data in an intelligible and easily accessible form. The line between what is considered intelligible and what is not is, however, not entirely clear. It is, therefore, good practice to convert the .json file into a more accessible format. For this purpose, you can either use software for automatic conversion or you can convert it manually.
If you need to download a customer's data, you have two options. First, you can do it directly in their customer profile.
It is very likely that personal data will change between the time a customer makes a request and the time you comply with it. The data will probably change in these two ways:
- The customer usually continues their activity on your website even after making the request. New customer data will, therefore, be added and some will be rewritten.
- You have probably set specific retention periods for your events. This means that some of the customer's data will be deleted.
You might then be asking which version of the data you are supposed to provide. The answer is that you should send the customer the most up-to-date version of their data at the time of complying with their request. It is completely fine that the data has changed since the time of the request. However, the only acceptable changes are natural ones that would have happened regardless of whether the request was made. Making intentional adjustments to the data with the purpose of hiding it from the customer would be considered a breach of GDPR.