Revealu Business now available!

After months of testing and development we are happy to announce that Revealu Business is now generally available! So, what is included in Revealu Business and how did it come about?

We began toying with the idea after our win at the Global Legal Hackathon. We thought that with the steady increase in the number of Data Subject requests every year there must be a tool available that makes it easy to administer them all. Therefore, we spent the summer of 2018 talking with companies in different sectors, trying to understand how they handle requests now and what their plans are for the future.

Our Personal tool also helped us understand that only a fraction of businesses are actually capable of answering requests on time, as our data shows that only about 30% managed to do so within the legal timeframe.

Revealu Business helps companies answer requests, manage internal workflows and comply with the regulation. It makes it extremely simple for businesses to create a Customer Portal, where their customers can easily send requests. The Portal can be customized, white-labeled and can reduce administrative overhead with automatic e-mail and phone number validation. 

Companies can communicate with the data subjects securely via the Revealu Messenger. Revealu Business clients can rest assured that all messages and files uploaded to Revealu are encrypted via secure keys.

A good workflow is essential to answering requests on time, so Revealu Business includes a comprehensive task manager, where stakeholders can collaborate on collecting the necessary data to answer a request. Revealu Business will also send notifications and reminders, so no deadline will be missed.

As most companies already have some kind of records about previous requests, we have made the Import functionality as simple as possible, so businesses can easily move into Revealu’s new, secure, online interface for handling requests.

We are really proud of our new service and invite you to give it a try! You can sign up in a couple of minutes and take a tour of the software with a 14-day free trial.


In the next months we will be working hard on adding new features such as data visualization and a complete API so companies can fully automate the answer process. Stay tuned for more. 

Denied data subject access request: first GDPR fine in Hungary


The Hungarian National Authority for Data Protection and Freedom of Information (the ‘NAIH’) recently issued a decision dealing with breaches of data protection rules set by the European General Data Protection Regulation (the ‘GDPR’), namely Article 15 of the GDPR on the right of access of the individual.

For the first time since the new regulation took effect, the Authority also imposed a fine on the data controller, amounting to 1,000,000 HUF (approx. EUR 3,100).

The facts

An individual visited the data controller’s office in person and asked to inspect certain documents related to a dispute. The company refused the request, and the individual requested a copy of relevant CCTV recordings as evidence in the litigation regarding his claim. The company refused the request, arguing that the recordings did not support the individual’s claims, but only proved that he was present in a given place at a given time, as the cameras did not record sound. As it turned out, the company even deleted the recording afterwards. The individual then turned to the Authority and launched a data protection proceeding against the infringing company.

The decision

After reviewing this case, NAIH found that the company infringed the individual’s right of access, and set forth the following principles regarding access requests:

  1. the data controller cannot request any justification from an individual making a data request;
  2. the data controller is not in a position to determine whether the required data would be necessary for the individual’s litigation purposes.

The fine that was imposed by the Hungarian supervisory authority represents 6.5% of the data processor’s annual net sales revenue. The NAIH considered the following circumstances when determining the amount of the fine:

  1. the nature of the breach;
  2. the fact that the deleted recordings could not be recovered;
  3. the fact that this was the company’s first infringement under the GDPR;
  4. the net sales revenue of the company in the preceding year was HUF 15.3 million (EUR 48,000).

The bottom line

A key takeaway from this new decision is that companies in Hungary and around Europe should update their procedures and policies regarding SARs (Subject Access Requests). The supervisory authorities around Europe are ramping up their actions against companies infringing the rights of individuals, as evidenced by the recent decision of the Information Commissioner’s Office.

Take action now with our Business solution, which makes it super simple to handle subject access requests at scale, while also showcasing transparency and trust to your clients!

The majority of businesses are failing to comply with GDPR

According to a survey conducted by California-based company Talend, 70% of companies surveyed couldn’t fulfill data access and portability requests within the GDPR-specified one-month time limit.

The research was based on personal data requests made to 103 companies based or operating in Europe across industries including retail, media, technology, public sector, finance, and travel. In the study, conducted between June 1 and September 3, 2018, Talend assessed responses to GDPR Article 15 (“Right of access by the data subject”) and Article 20 (“Right to data portability”) requests, monitoring areas including GDPR references in privacy policies, and the speed and completeness of responses.

How to answer a GDPR data subject request in 6 steps

So you have just received an e-mail with the title “Delete all my data!”, or “Send me everything you know about me!”. After the initial shock, you will soon realise that what you are now faced with is most probably a data subject request under the framework of the new General Data Protection Regulation.

The EU’s new Regulation, which has an enormous scope of applicability and tons of new obligations for data controllers, gives data subjects extraordinary new rights that are quite timely in today’s digital age. So let’s see what you should do when you receive such an e-mail!