Privacy regulations like GDPR and the emerging CCPA grant individuals various rights over their own personal information. When individuals exercise these rights, organizations (in GDPR: data controllers) have an obligation to respond to the request within a predefined time frame.
Request Types
Individual rights requests fall under several categories outlined in GDPR and CCPA.
Right | Detail | GDPR | CCPA |
---|---|---|---|
Know* | A report detailing what data is collected, processed, and transferred. | X | X |
Access | Digital machine-readable copy of specific personal data | X | X |
Forget / Delete | Delete personal data | X | X |
Restrict | Limit the use of personal data when data cannot be deleted | X | |
Object** | Prevent the use of personal information | X | X |
Data Transfer | Send personal information to a third party | X | |
Review Automated Decisions | Opt out from automated decisions or profiling | X | |
*Only activities involving sale or disclosure. **Only activities involving the sale of personal information.
Request Process
Upon receiving a request, an organization must validate the identity of the individual and respond in a timely fashion. When an organization cannot comply within the mandated time frame, it must issue an extension.
Regulation | Due Date | Extension Date |
---|---|---|
GDPR | 30 days after receiving | 60 days after the due date |
CCPA | 45 days after receiving | 45 days after the due date |