EU-GDPR – Procedure for Responding to Personal Data Requests

EU-GDPR – Procedure for Responding to Personal Data Requests

1. Purpose and Scope

The purpose of this procedure is to create a written formal process for FORS to respond to an individual’s request concerning his or her Personally Identifiable Information (PII), as defined below.

Under EU-GDPR, individuals have the following rights:

      • Right to Request Access to their PII;
      • Right to Request Amendment of their PII that they have provided to FORS;
      • Right to Request Deletion of their PII;
      • Right to Request Restriction of Processing their PII;
      • Right to Request to Port their PII that they have provided to FORS;
      • Right to Object to Processing of their PII.

Rights with respect to his or her data are bound by the legitimate need for FORS to process data for contractual and other purposes as stated in the FORS Privacy Statement. Thus, certain of the above rights will be limited. More details are provided in each section below.

References are made in this procedure to This is a reporting/help desk line maintained by FORS with a response time of 5 working days.

2. Procedure

2.1       Written Response Required within 30 Days
Upon receiving a request exercising rights described within this procedure FORS, will:

a. respond in writing to the individual within 30 days of receipt of request. Response time can be extended up to 90 days where requests are complex or numerous, and if this is the case, FORS will inform the individual, in writing, within 30 days of the receipt of the request and explain why the extension is necessary.

b. send a ‘written denial letter’ if the request is denied, explaining why the request was denied within the period of time described above.

c. retain copies of requests and written responses made herein.

2.2       Responding to Request to Access PII
Individuals will have access to their PII. FORS shall provide the information below within the time period specified in Section 2.1:

      • Purposes of the processing;
      • The categories of PII concerned;
      • The recipients or categories of recipient to whom the personal data have been or will be disclosed;
      • Where possible, the data retention period;
      • The existence of the right to request correction or erasure of PII or restriction of processing or objection of processing of PII;
      • Right to lodge a complaint;
      • Where the PII is not collected from the individual, any available information as to the source;
      • Existence of any automated decision-making, including profiling.

2.3       Responding to Request to Amend PII
Individuals have the right to amend PII they have provided to FORS. Upon request to amend, FORS shall:

a. Ensure all core systems are updated per employee’s request

b. Notify all downstream providers of the amended or corrected PII. If notification is not possible, then FORS will provide the employee with the contact details of the downstream provider(s) processing or storing their PII.

c. Confirm individual’s request in writing per Section 2.1.

2.4       Responding to Request to Delete PII

a. Individuals have the right to request deletion or “right to be forgotten” when they withdraw consent to processing, the PII they provided to FORS is inaccurate, PII was processed unlawfully or the PII is no longer necessary for the purpose, as specified in the FORS Privacy Statement.

b. All requests to delete must be sent to FORS If the request is approved by FORS, FORS shall:

i. Make the appropriate deletion in each applicable system in which PII resides.
ii. Notify all downstream providers.
iii. Provide a written response to the employee or job applicant in accordance with Section 2.1.

2.5       Responding to Request to Restrict Processing of PII

a. Individuals have the right to request the restriction of processing of PII where one of the following applies:

i. The accuracy of PII is contested by the individual;
ii. The processing is unlawful and the individual opposes the erasure of the PII and requests the restriction of their use instead;
iii. FORS no longer needs the PII for the purposes of the processing, but it is required by the individual for the establishment, exercise or defense of legal      claims;
iv. Objection to processing pending the verification whether the legitimate grounds of AECOM override those of the individual.

b. All requests to restrict processing PII must be sent to If approved, FORS shall:

i. Restrict processing of the PII in each core system in which individual PII resides.
ii. Notify downstream providers directly to temporarily securely or move the restricted PII to another processing system making it unavailable to users.

c. Where processing has been restricted, such PII shall, with the exception of storage, only be processed with the individual’s consent or for the establishment, exercise or defense of legal claims or for the protection of the rights of another natural or legal person or for reasons of important public interest.

d. The individual who has obtained restriction of processing shall be informed by FORS before the restriction of processing is lifted.

2.6       Responding to Request to Port PII

a. Individuals have the right to receive his or her PII which he or she has provided to FORS, in a structured, commonly used and machine-readable format and the right to transmit that PII to a controller, as identified and requested by the individual.

b. All requests to port PII must be sent to for prior approval. If approved, FORS shall:
i. Identify each core system in which employee PII resides.
ii. Consult FORS IT Team for guidance on appropriate security for porting the data.

c. Where technically feasible and subject to implementation of the necessary security measures, PII shall be securely electronically transmitted to the designated controller, otherwise the PII shall be downloaded in a secured electronic format for the individual.

2.7       Responding to Request to Objection of Process of PII

a. Individuals have the right to object to processing where their PII has been processed, including the profiling, and based on the following:
i. PII processing is necessary for the performance of a task carried out in the public interest or in the exercise of official authority vested in FORS;
ii. PII processing is necessary for the purposes of the legitimate interests pursued by AECOM or by a third party, except where such interests are overridden by the interests or fundamental rights and freedoms of the individual which require protection of personal data;
iii. Direct marketing.

b. All requests to object to process PII must be immediately sent to

FORS will determine if it can demonstrate compelling legitimate grounds for the processing which override the interests, rights and freedoms of the individual or for the establishment, exercise or defense of legal claims.

c. If FORS is unable to confirm legitimate grounds for processing the information, then FORS will:
i. Stop processing the objected PII.
ii. Update all core systems to prevent processing the PII.

3. Terms and Definitions

Personally Identifiable Information (PII)

Means any information relating to an identified or identifiable natural person (‘data subject’); an identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person.

4. References

a. FORS Privacy Statement

b. European-Union General Data Protection Regulation (EU-GDPR) Chapter 3