GDPR: Data Subject Requests (DSRs)

As controller, the GDPR requires you to be able to:

• Give data subjects a copy of their personal data, together with an explanation of the categories of their data that are being processed, the purposes of that processing, and the categories of third parties to whom their data may be disclosed.
• Help every individual exercise their right to correct inaccurate personal data, erase data or restrict its processing, receive their data in a readable form, and where applicable, fulfill a request to transmit their data to another controller.

We must implement the appropriate technical and organizational measures to assist you in responding to requests from data subjects exercising their rights as discussed above.

You can find a series of GDPR-related articles here. Produced by Microsoft, they provide recommended approaches for on-premises workload for SharePoint Server, Exchange Server, Skype for Business Server, Project Server, Office Web Apps Server, Office Online Server, and on-premises file shares.

Online Services offer a host of capabilities to enable you, as a controller, to respond to a data subject’s request. Microsoft enterprise online services and administrative controls help you act on personal data responsive to data subject rights requests, allowing you to discover, access, rectify, restrict, delete, and export personal data that resides in the controller-managed data stored in Microsoft’s cloud. Online Services also provide data in machine-readable form should you need it.

The DSR documentation provides more information about how specific Microsoft online services enable you to handle data subject requests, including general instructions on how to execute a DSR.