All modern data privacy statutes allow individuals the ability to request that organizations take certain actions in relation to their personal information. Organizations are not always required to take the actions requested, however, and often exercise discretion in terms of how to handle a data subject request. For example, if an individual asks an organization to correct information that they claim is inaccurate, an organization may decide that the information held in their possession is, in fact, accurate and either refuse the request or annotate the individual’s file to record the fact that the individual has raised a question regarding the accuracy of the personal information. Some modern data privacy statutes require that when an organization rejects a data subject request it provide individuals with a means of “appealing” the decision.
Click here for a breakdown of which state statutes require a system for appeals. |