Data-protective jurisdictions tend to guarantee the right of individuals to contact an organization directly and find out whether personal data is being tracked. Access procedures and acceptable exceptions (such as business secrecy) are determined by law and may be subject to the control of data protection authorities. In the context of HR, personal data access requests can include information tracked by the company as well as data tracked by third-party solutions, such as background check vendors.
In India, under the Information Technology Rules, 2011 on Reasonable Security Practices and Procedures and Sensitive Personal Data or Information (“Privacy Rules”), employers (and other data controllers) must allow data subjects to review, correct and amend their sensitive personal data or information (SPDI). In addition, if SPDI is being processed, individuals retain the right to withdraw consent at any time.
That said, if the parties agree on what constitutes reasonable security practices/procedures, they can agree to exclude the applicability of the Privacy Rules, including the applicability of rights granted to the data subject.