Privacy 

The joint DPO is the contact point for joint controllers with regard to receiving requests from the DSs – see contacts above.

The request from the DS shall at least:

– Contain data of the DS making the request, including his or her contact details.

– Describe what the DS is seeking with his or her request, such as: the provision of information on the processing of his or her PD; exercising one of the rights of the DS in the area of PD protection; the time limit by which the DS asks to handle his or her request (if this data is missing the request will be processed as urgent, i.e. without undue delay); any other DS’s requirements.

– Identify the joint controller concerned or information that the request is addressed to all joint controllers.

– Specify the scope of the PD which is the subject-matter of the request or information that the request concerns all PD that the joint controllers concerned process in connection with the given DS.

If the request does not contain the above details, the joint DPO shall contact the DS who submitted the request in an attempt to find out these details so that the request can be handled meaningfully. This does not apply if the request does not contain the contact details of the DS who submitted the request – in that case, the joint DPO shall record that the request was evaluated as incomplete and it was not possible to eliminate its shortcomings after which the request shall be postponed.

The DS may make a request in any manner, but typically by email to the joint DPO’s contact address. However, there is no prescribed form for making the request, therefore it cannot be postponed or rejected due to its insufficient form.

In order to allow the DS to make the request informally, i.e. especially in his or her own words, there is no need to make the request on any prescribed form.

With the making of the request to the joint DPO, time limits for handling the request, if they are established, begin to pass.

The joint DPO shall handle the request that was properly made in one of the following ways:

– Comply with the request; or

– Comply with the request in part; or

– Reject the request (dismiss the request).

If the joint DPO complies with the request, he or she ensures that the DS’s requirements are met in such a way as to achieve the status requested by the DS. This may include, for example, the arrangements for the processing, amendment of organisational or other measures or erasure of the PD concerning the DS – once the measures are taken, the DPO shall inform, without delay, the DS of measures taken, or specify in the statement, the deadline by with the desired status will be achieved.

Where the joint DPO shall comply with the request only in part, the joint DPO shall inform the DS in which part the request was complied with and in which part the request was rejected, justifying his or her decision. In the part that the joint DPO has upheld the request, he or she shall follow the procedure above.

Where the request has been rejected by the joint DPO, the DS who has made the request shall be informed thereof. The notice of the rejection shall be properly justified.

Requests have to be handled in accordance with relevant legal regulations. Any information/notice of handling the request shall also include instructions to the DS on the possibility of lodging a complaint with a supervisory authority (Personal Data Protection Authority).