Overview: Rights of Data Subjects Under the GDPR

The Charter of Fundamental Rights of the European Union and the Treaty on the Functioning of the European Union provide that everyone has the right to the protection of personal data concerning him or her. The General Data Protection Regulation (“GDPR”), effective as of May 25, 2018, identifies rights of data subjects in this respect. Organizations that process personal data, as defined below, should know these rights and ensure that effective systems are in place to give effect to them. This overview aims to help readers become familiar with these rights and to understand that they are not absolute.

Who is a data subject?

In the GDPR, personal data is defined as information relating to an identified or identifiable natural person (‘Data Subject’). An identifiable natural person is one who can be identified, directly or indirectly, by reference to an identifier such as a name, an identification number, location data, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person. Examples of online identifiers are internet protocol addresses, cookie identifiers or radio frequency identification tags. Therefore, the principles of data protection should not apply to anonymous information and the GDPR does not concern the processing of information which is no longer identifiable, including for statistical or research purposes. Data subjects (individuals) can be customers, employees or contractors.

Processing is also defined vaguely in the GDPR. Any type of operation which is performed on personal data, whether or not by automated means, will be deemed processing. Thus, collection, recording, organization, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure or destruction of personal data are all processing.


According to Recital 39 of the GDPR, any processing of personal data should be lawful and fair. It should be transparent to individuals that personal data about them is collected, used, consulted or otherwise processed, as well as the extent of such processing. Thus, controllers[1] must provide certain minimum information to the data subjects, including information on the identity of the controller and the purposes of the processing, in a concise, transparent, intelligible and easily accessible form, using clear and plain language.

Controllers have a legal obligation to give effect to the rights of data subjects unless the controller cannot identify the data subject. Any requested information concerning any of these rights must be provided by a controller without undue delay and in any event within one month of the receipt of the request. This period may be extended by two further months where necessary, considering the complexity and number of requests. Information is provided free of charge unless the request is manifestly unfounded or excessive.

The Rights Set out in the GDPR

The controller must make sure that individuals (data subjects) can exercise their rights to request access, correction, rectification, deletion and restriction, to object to the controller’s use of personal data, and to take their personal data with them (data portability). When a request is made electronically, the controller must provide the answer electronically, unless otherwise requested by the data subject.

Right to be informed: At the time the personal data is obtained from a data subject, a notice must be provided to the individual which includes information such as the identity and contact details of the controller/controller’s representative, the contact details of the data protection officer, where applicable, the purpose of and the reasons for processing personal data etc. Where information is collected from a third party, the controller has the obligation to notify the data subject about the collection of data unless an exemption applies, such as where the data subject already has the information.

Right of access: Data subjects have the right to obtain:

  • information about the purposes of the data use;
  • the categories of data concerned;
  • the recipients or categories of recipients to whom the data has been or will be disclosed;
  • the period for which the data will be stored or the criteria used to determine that period;
  • information about the existence of individuals’ rights;
  • information about the existence of the right to lodge a complaint with a supervisory authority (DPA, data protection authority);
  • where the data were not collected from the data subject, information as to the source of the data;
  • information about the existence of, and an explanation of the logic involved in, any automated processing that has a significant effect on data subjects; and
  • confirmation of whether, and where, the controller is processing their personal data.

Data subjects may request a copy of the personal data being processed free of charge (first request).

Right of rectification: Data subjects have the right to have inaccurate personal data rectified, and incomplete personal data completed.

Right to erasure (the “right to be forgotten”): Data subjects have the right to have personal data erased. The right only applies if, for example:

  • the personal data is no longer necessary for the controller’s use;
  • the controller is relying on consent as lawful basis for holding the data, and the individual withdraws his/her consent;
  • the controller is relying on legitimate interests as basis for processing, the individual objects to the processing of his/her data, and there is no overriding legitimate interest to continue this processing;
  • the controller has processed the personal data unlawfully.

The controller does not have to comply with a request for deletion when, for example, personal data use is necessary for exercising the controller’s freedom of expression and information, or the controller needs the personal data for legal claims and court proceedings.

Right to restrict processing: Data subjects have the right to restrict the processing of their personal data if, for example:

  • the accuracy of the data is contested by the data subject;
  • the processing is unlawful and the data subject requests restriction; or
  • the controller no longer needs the data for their original purpose, but the data are still required by the controller to establish, exercise or defend legal rights.

Right of data portability: Data subjects have the right to receive a copy of the data and transfer their personal data between controllers. The personal data must be provided in a structured, commonly used and machine-readable format so that the individual can transmit the personal data to another controller where the data use is based on consent or on a contract, and is carried out by automated means.

Right to object to processing: Data subjects have the right to object, on grounds relating to their situation, to the processing of personal data, where the basis for that processing is either:

  • public interest; or
  • legitimate interests of the controller.

The controller must stop such processing unless the controller demonstrates compelling legitimate grounds for the processing which override the interests, rights and freedoms of the data subject; or requires the data to establish, exercise or defend legal rights.

Data subjects may also have the right to object to processing for the purposes of direct marketing and the right to object to processing for scientific, historical or statistical purposes, and the controller must inform data subjects of these rights.

Right not to be evaluated based on automated processing: Data subjects have the right not to be subject to a decision based solely on automated processing which significantly affects them, e.g. automatic refusal of an online credit application, unless such processing is permitted under the GDPR.


As outlined above, the rights provided to data subjects are extensive but not absolute; there are certain restrictions set forth in the regulation on these rights. In any case, the circumstances and conditions that enable these rights should be carefully considered and provided to the data subjects in line with the GDPR. Organizations which are subject to the GDPR are to inform the data subjects about their rights. The information is usually provided in a Privacy Notice or a Privacy Policy/Statement. To carry out the actions required by the GDPR, organizations will need to designate an individual or, where necessary, a team to fulfill the requests of data subjects in a timely manner.

[1] A controller is a natural or legal person, public authority, agency or any other body which alone or jointly with others determines the purposes and means of the processing of personal data (why and how the personal data is processed). A processor is a natural or legal person, public authority, agency or other body which processes personal data on behalf of the controller. An organization can be a data controller, a data processor, or both.