Data Subject Rights
As per GDPR Articles 12 to 23, individuals have specific rights concerning their personal data. Organizations must understand and meet these rights when individuals seek to exercise them.
- Right of access: Individuals have the right to ask the controller to confirm if their data is being used and to request access to their personal information.
- Right to rectification: Individuals have the right to make sure their personal data is accurate and up to date. They can ask for corrections or updates when needed.
- Right to erasure or be forgotten: Individuals have the right to request the deletion of their personal data from the controller's records without delay.
- Right to object and restriction of processing: Individuals have the right to say no to their data being used and can ask for limits on how it's used if they want.
- Right to data portability: Individuals have the right to receive their information in a structured, machine-readable format or to have their data transferred to another organization, if feasible.
- Right to be informed: Individuals have the right to know why and how their personal data is being used. They also have the right to know if their data is being shared with others. This is done by following the right legal rules for using data. If consent is needed, it's important to get it right.
- Right to be notified: In the event of a data breach, individuals must be notified within 72 hours of the controller becoming aware of the breach.
To enable data subject rights, the initial step is to activate GDPR compliance in your account. This regulatory framework ensures the protection of personal data and grants individuals rights over their data. To initiate this process, follow the steps mentioned in this help document on managing compliance. Once GDPR compliance is successfully enabled, a new feature becomes accessible within the contact's detail page, known as Data Privacy.
Upon accessing the Data Privacy section, you will have a set of options designed to facilitate data subject rights.
To add a data subject's request to your account, go to any Contact > Data Privacy > Data Subject Requests > + Request button. You can gather requests via email, through a call, or face-to-face.
Request to access data (Right to access)
With the consent forms created, you can send emails in CSV format when data subjects request access to their information.
To send an email with the data subject's information:
- Open the user's record and click Data Privacy.
- Under the Data Subject Requests section, click + Request.
- In the New Request pop-up, select Request to access data.
- Click Save, and the request will be added to the record.
- Click Send email for the request to access data.
- In the email composer, compose an email or select the email template with which you want to send the email, and send the email.
You can view the email sent from the related list tab. You can also download the CSV file that you send from here.
You can close the request created once you are done. To close the request, click on Close Request. You can create a new request only after you close the existing request.
If you have sent the request by mistake, or if you need to revert the request, you can delete the request. Remember, you cannot delete the request once you close the request. To delete the request, click on Delete Request.
Request to rectify data (Right to rectify)
You can send an email with a CSV file containing the data subject's information. They can then correct the information in the CSV file and send it back to you. Afterward, you can import it into your account to update the information.
To send an email to rectify the data subject's data:
- Open the user's record and click Data Privacy.
- Under the Data Subject Requests section, click + Request.
- In the New Request pop-up, select Request to rectify data.
- Click Save, and the request will be added to the record.
- Click Send email for the request to rectify data.
- In the email composer, select the email template with which you want to send the email, and send the email.
Similar to request access data, you can view the email sent from the related list tab. You can also download the CSV file that you send from here. You can also close the request and delete the request.
Request to export data (Right to portability)
You can export data subject information in a machine-readable CSV format, attach it to an email, and send it, all without downloading it onto the Controller's device.
To send a copy of the data subject's data:
- Open the user's record and click Data Privacy.
- Under the Data Subject Requests section, click + Request.
- In the New Request pop-up, select Request to export data.
- Click Save, and the request will be added to the record.
- Click Send email for the request to export data.
- In the email composer, select the email template with which you want to send the email, and send the email.
Similar to request access data, you can view the email sent from the related list tab. You can also download the CSV file that you send from here. You can close the request and delete the request, too.
Request to stop processing data (Right to stop processing)
Once they exercise this right, you can halt the processing of the data subject's information in Bigin. You can also lock the data subject's information, halting any further processing. When a record is locked, all its details are also restricted from further use or processing within Bigin. For example, you cannot send emails, edit the record, make calls, and so on.
To lock the record:
- Open the user's record and click Data Privacy.
- Under the Data Subject Requests section, click + Request.
- In the New Request pop-up, select Request to stop processing data.
- Click Save, and the request will be added to the record.
- Click Lock for the Request to stop processing data.
- The record will be locked, and you cannot perform any actions for the record, as mentioned earlier.
- You can unlock the record when a contact requests you to do so. To unlock the record, click Unlock. Once it is unlocked, you can edit the records, make calls, and send emails.
Request to delete data (Right to be forgotten)
Once requested, the data subject's information can be locked in Bigin for the retention period set in the Data Controller's terms of service. During this time, the data won't be processed. Afterward, the controller can choose to delete the data subject's info. When deleted, the email address will be added to a block list, stopping re-entry through import or synchronization.
Note:
- You need valid permission to put a record on the block list.
- When a record is on the block list, all records with the same email address are deleted.
To lock and block-list the record:
- Open the user's record and click Data Privacy.
- Under the Data Subject Requests section, click + Request.
- In the New Request pop-up, select Request to delete data.
- Click Save, and the request will be added to the record.
- Click Lock for the Request to stop processing data.
- Click the Move to block list button to remove it from your account.
- In the Blocklist Record pop-up, select Move to block list; the record will be removed, and the email address will be added to the block list.
- Nonetheless, you can manually add a record with the same email address if needed; you will be warned with a notification.
Lawful basis of data processing
GDPR defines six lawful basis for processing personal data. To activate Data Processing Basis, go to Contacts > Any record > Data Privacy > Data Processing Basis > Enable > Choose the Data Processing Basis.
You can edit your basis any time you want by just clicking on the Edit button.
Here are each of them in detail.
- Legitimate interests: Processing personal data is allowed when it's needed for the controller's or a third party's legitimate interests, unless it goes against the rights and freedoms of the individual.
- Example: An organization may process customer data for direct marketing purposes if it can demonstrate a legitimate interest, such as promoting relevant products or services to existing customers. Similarly, employers may process employee personal data for administrative purposes, such as payroll processing or performance management, as long as it's done in a way that respects the rights and freedoms of the employees.
- Contract: Personal data can be processed if it's necessary for fulfilling a contract with the individual or for taking steps at their request before entering into a contract.
- Example: When someone purchases a product online, their personal data, such as name, address, and payment information are necessary for the organization to fulfill the order.
- Legal obligation: Processing personal data when it's required to comply with the law.
- Example: Businesses may need to process personal data for tax purposes or to comply with employment laws, such as providing employee salary details to tax authorities.
- Vital interests: Personal data can be processed when it's necessary to protect someone's life.
- Example: During a medical emergency, healthcare providers may need to access and process a patient's medical records to provide life-saving treatment.
- Public interests: Processing personal data is permitted when it's in the public interest or for official functions performed by public authorities.
- Example: Government agencies may collect and process personal data for statistical purposes, public health surveillance, or national security.
Note:
- For the above-mentioned data processing basis, you can add Consent remarks, if required.
- Consent: This is when individuals give clear permission for their personal data to be used for specific purposes. It requires an affirmative action from the individual, such as ticking a box or signing a form.
- Example: If a user subscribes to a newsletter by providing their email address and ticking a consent box, they are allowing the organization to send them marketing emails.
Ways to get consent
In Bigin, there are two ways to obtain consent from data subjects.
- Consent Form: In Bigin, you can personalize consent forms with fields for communication preferences and consent statements. To create a consent statement, go to Settings > User and Controls > Compliance > Consent Form > Customize > Consent Statement.
These forms can be shared via email templates, allowing you to request consent from individuals. Additionally, you have the option to send individual emails from a record or send mass emails to a list of records. - Manual Update: If you obtain consent during a phone call or face-to-face meeting, you can manually update the consent status in the Data Privacy section of a record.
Stages in consent management
Based on the customer response, the status of the consent request is processed; the stages involved here are as mentioned below.
- Pending: When a consent request hasn't been sent to data subjects.
- Waiting: After sending the consent form, while awaiting a response.
- Obtained: When consent is received from the data subject.
- Not responded: When consent isn't received within the defined waiting period in Consent Settings.
Zoho CRM Training Programs
Learn how to use the best tools for sales force automation and better customer engagement from Zoho's implementation specialists.
Zoho DataPrep Personalized Demo
If you'd like a personalized walk-through of our data preparation tool, please request a demo and we'll be happy to show you how to get the best out of Zoho DataPrep.
- Zoho Workerly Home
- Forums
- Connect With Us:
- Zoho Recruit Home
- Forums
- Connect With Us:
New to Zoho CRM Plus?
Deliver unforgettable customer experiences
New to Zoho CRM Plus?
Deliver unforgettable customer experiences
New to Zoho Marketing Plus?
Everything you need to run your marketing
New to Zoho Marketing Plus?
Everything you need to run your marketing
You are currently viewing the help pages of Qntrl’s earlier version. Click here to view our latest version—Qntrl 3.0's help articles.
New to Zoho Survey?
Zoho Sheet Resources
Zoho Forms Resources
New to Zoho Sign?
Zoho Sign Resources
Sign, Paperless!
New to Zoho TeamInbox?
Zoho TeamInbox Resources
New to Zoho ZeptoMail?
Zoho DataPrep Resources
Design. Discuss. Deliver.
New to Zoho Workerly?
New to Zoho Recruit?
New to Zoho CRM?
New to Zoho Projects?
New to Zoho Sprints?
New to Zoho Assist?
New to Bigin?
Related Articles
Manage your Data
All businesses rely on data, so your administrators need to be able to control how data is managed in Bigin. Import History This section displays a consolidated list of all the data that has been imported to any module in your Bigin account. Import ...Can I set up a recurring data backup for my Bigin account?
Bigin does not have a recurring data backup option yet. However, you can purchase a one-time data backup at $5/unit at frequent intervals. The backup will include the records in a module, related records and the attachments. To download the data ...Stay GDPR compliant with Bigin
What is GDPR? General Data Protection and Regulation defines new set of rules on how to collect and handle personal information of EU citizens. Who does this law apply to? A company, established in EU, that processes personal data of individuals ...Forms: Streamline data collection from your customers
The form builder in Bigin is an excellent tool for real estate businesses to capture a wide range of details from potential customers. Zylker Homes can create custom forms for property enquiries, rental applications, feedback, and more. With ...Data Backup
Using Data Backup, you can back up all the data in your Bigin account, instantly. Once the backup is ready for download, you will receive a pop-up notification and an email. Users with the paid edition of Bigin will have two free backups per month. ...
New to Zoho LandingPage?
Zoho LandingPage Resources