If a person contacts a researcher or the university with a request about the processing of their data, a response must be provided within 30 days.
- The request must be documented. The University of Tartu, as the data controller, has a document management system as its main documentation tool, where the recipient must upload the request. Based on the documentation, a deadline for the response can be set, which makes it possible to check whether each request has been replied to. Other documentation systems may be used to help the university keep track of incoming requests and respond to them, but the request must still be registered in the document management system.
- The data subject must be identified. As personal data must not be disclosed to third parties, it must be established that the person who made the request is indeed the data subject whose data the request concerns. To identify the requester, the person must send a digitally signed request before the data can be provided.
- Before responding, the feasibility of responding to the request must be established. The request must be based on a right of the data subject (see 9). For example, if an overview of the personal data being processed in the research is requested, it must be provided to the person filing the request. Some of these rights – such as the right to object – only apply in specific cases, for which assistance can be sought from the data protection specialist. If the request includes a request for deletion of the data, the feasibility of the request must also consider the possibility that the personal data may be contained in back-ups, from where they may be difficult to delete.
The most complex request concerns the right of access to one’s data. The university must comply with reasonable requests, i.e. no data subject’s right is absolute. If it is not feasible to respond to a request, the reason for this must be explained (see also 2.9.2).
Regardless of whether it is feasible or not to respond to the data subject’s request, the data subject must in any case be given a response within the time limit. There is no standard reply form or procedure, so the form of the reply will mostly depend on the question.
If you receive a request from a data subject, it is advisable to consult the senior specialist for data protection by email at andmekaitse@ut.ee.