Bulletin 6: Handling Requests From Individuals Under GDPR
IEEE Technical Activities Bulletin #6
Topic: Handling Requests From Individuals Under GDPR
Audience: Individuals responsible for processing personal data
Version 2 - July 2021
What can individuals request under GDPR and other data privacy regulations?
While each regulation is different, generally, under the European Union General Data Privacy Regulation (GDPR) and other data privacy regulations, individuals may make requests regarding their data held by IEEE. Examples of those requests may include:
Copy of Personal Data: Upon request, an individual is allowed to receive a copy of all personal data that IEEE maintains on them. This information must be provided in a structured, commonly used, machine-readable, and interoperable format.
Right to be Forgotten: Upon request, individuals have the right to have their personal data erased and no longer processed by IEEE except in cases where there is a legal reason to retain the data. In addition, individuals will be removed from IEEE mailing lists.
Data Portability: The right of an individual to receive the personal data they have previously provided, in a 'commonly used and machine readable format', and the ability to transmit that data to another.
How does someone make these requests?
How will I know if a request has been made that affects my Society/Technical Council/Technical Community?
Technical Activities (TA) has set up a process for requests made by individuals either to receive a copy of their personal data or to have their data be erased by IEEE systems.
When IEEE receives a request, the IEEE Data Privacy Officer (DPO) will send the request to the TA Data Privacy specialist, who will email the request and a form to all of the designated contacts for each individual Society, Technical Council, and Technical Community (S/TC/TC), as well as any other TA Staff organizations that hold personal data.
Each individual organization will query their systems to determine if the individual is in any of their databases and respond accordingly to the form provided in the email. Organizations should provide a response within 48 hours. The response process will be clearly defined in the email that goes out to all organizations.
If you are the contact person for your Society/Council or Technical Council, please follow the instructions in the email notification.
MGA manages all membership records (IEEE and Society/Council) as well as other common internal repositories including vTools, SCLE, Google Groups and all listServ lists (including the lists for computer.org and comsoc.org). As such, those data sources are covered. Therefore, you do not need to review those lists.
If all of your customer information is contained only in those locations, your responsibilities are complete and you can respond accordingly to the request.
If you hold information in other systems, or it is being maintained by a third-party partner, you will need to review and act accordingly per the instructions provided in the Data Subject Request email.
Who is my S/TC/TC’s GDPR-identified representative?
Staffed Organizations: Societies, Technical Councils, and Technical Communities with IEEE staff have identified a single staff person to process the request.
Non-Staffed Organizations: For Societies or Technical Councils that use third-party management partners, we have agreements for them to do this work. For other S/TCs, the contact will be the President of the Society or Technical Council or their designated volunteer contact person. These contacts are updated annually and verified with the S/TC staff and Presidents.
How can I learn more?
Please share this information with additional volunteers, contractors, temporary employees, interns, and consultants as needed.
If you have questions or need assistance, please contact TA Answer Central.