A data subject always has the right to access their PII data and have it updated, if the data subject finds it incorrect.
To streamline this process (also known as a Subject Access Request or SAR) and not make it a burden on your organization, you should automate as much of this as possible and let the data subject self be able to do this on your website. You should also have a process in place for the event where the data subject emails or calls your company and asks for their PII data.
The data subject also has the right to receive their PII data in some data format that lets them move their data from one data controller to another. This is called the right to data portability. GDPR does not state which format this has to be in, but generally try to keep it simple and in some widely-used format such as CSV.
Last updated: Jun 19, 2018