GDPR Fundamentals: Data Subject Rights

by Mark Hinely / August 17th, 2018

GDPR is such a revolutionary law because its focus is so heavily on the data subjects, and it protects personal data not only in the form of security, but also in the form of privacy. The law actually gives data subjects seven rights, outlined in Chapter 3. These seven rights ensure transparency between data subjects and the organizations that process their personal data, and they include:

  1. Right to access
  2. Right to rectification
  3. Right to erasure
  4. Right to restriction
  5. Right to data portability
  6. Right to object
  7. Right in relation to automated decision-making

There are conditions and exceptions to every right, so there’s a lot to learn. Let’s discuss these seven data subject rights and how organizations should respond when a data subject exercises any of those rights.

Right to Access

In Article 15, you’ll find the first data subject right: the right to access. This right gives data subjects the ability to confirm whether or not a controller is processing their personal data. This data subject right also entitles data subjects to obtain the controller’s purposes for processing, categories of the personal data being processed, third parties who receive their personal data, data retention policy, and other information.

Right to Rectification

A key component of GDPR is accuracy. The law requires that controllers and processors maintain the accuracy of personal data, but the data subject right in Article 16 also brings data subjects into this process. The right to rectification gives data subjects the right to dispute the accuracy of their personal data being processed by controllers. Data subjects can request that inaccurate data be corrected, which could require supplementary information to ensure accuracy.

Right to Erasure

The right to erasure, or the right to be forgotten, gives data subjects the right to have a controller delete their personal data. This isn’t an absolute right; just because a data subject asks that their data be deleted doesn’t mean that a controller has to delete that data. There are five circumstances in which a controller might delete personal data, including:

  1. If the data was processed unlawfully
  2. If the organization no longer needs the data for the purposes that it originally collected the data
  3. If there is a legal requirement to delete the data
  4. If a data subject gave access to their data based on consent and they have withdrawn that consent
  5. If a data subject has objected to the processing of their data and requested that their data be deleted

The right to erasure is tricky, though. Even if one of those five conditions for deleting personal data exists, a controller may still have a reason to maintain that data. For example, if there is a requirement from the EU to maintain that data, if there is litigation regarding that data, or if a controller needs to maintain that data for historic or scientific purposes, then the controller may not have to delete it. So, a controller must first determine whether a valid ground exists to delete the data, and then determine whether an exception applies.

Right to Restriction

Article 18 outlines a fourth data subject right, the right to restrict processing. Why would a data subject exercise their right to restriction? They may be challenging the accuracy of the personal data the controller holds, challenging the lawfulness of the processing activities, or challenging whether the controller still needs the data for its original purpose.

Restriction may be achieved in one of several ways: the data can be deleted, restricted, sequestered, or suppressed. If a controller grants a request for restriction, not only does the controller have to restrict the processing, but it should also notify processors and other third parties that a restriction request has been granted.

Right to Data Portability

Data subjects have the right to data portability, meaning that they can obtain their personal data from a controller in a structured, commonly used format, and have the right to transmit that data to another controller without hindrance. There are three conditions that have to be met for a valid portability request, including:

  1. The data subject directly gave their personal data to a controller
  2. The legal basis for processing is consent or performance of a contract
  3. The controller is using automated means to process the personal data

If all three of these conditions are met, then a controller must provide a copy of the personal data in a commonly used format, either to the data subject or, at the data subject’s request, to another controller.

Right to Object

Data subjects have the right to object to processing activities. Data subjects may object to any processing of their personal data by a controller if that processing is based on legitimate interest and there are not any overriding reasons to reject the data subject’s request for objection.

Right in Relation to Automated Decision-Making

The final data subject right given by GDPR is the right to object to automated decision-making, including profiling. Data subjects may request human intervention in cases when a controller uses automated processes to make a significant or legal decision, but controllers can reject these requests based on certain conditions. If the objection to automated decision-making is granted, the controller must suppress or restrict the personal data that was used in the automated process.

Responding to Data Subject Rights

When a data subject exercises any of their rights under GDPR, controllers have one month to respond to the request. They can either grant the request or respond by giving the reason for denial. Controllers cannot charge data subjects for exercising their rights unless they find that the request is unfounded or excessive. Controllers should always document names, dates, the nature of requests, investigations, and responses to data subjects’ requests so that, at any time, they can demonstrate that each request was properly received and responded to.

More GDPR Resources

GDPR Readiness: Are You a Data Controller or Data Processor?

What is GDPR Personal Data and Who is a GDPR Data Subject?

The Cost of GDPR Non-Compliance: Fines and Penalties

Video Transcript

GDPR presents personal data not only in the form of security, but also in the form of privacy. Specifically, GDPR gives data subjects certain rights. We’re going to talk about seven of those rights; both the nature of the rights and the processes that organizations should use to respond to data subjects requesting to exercise one of those rights.

First, the right to access. This right gives data subjects the ability to confirm whether an organization is processing their personal data. It gives data subjects the ability to receive a copy of their personal data and it gives data subjects the right to certain information on processing activities, including the nature of the processing activities, the purposes, third parties who receive their personal data, data retention policies, and other information.

The second right is the right to rectification. This gives data subjects the right to contest the accuracy of their personal data being processed by an organization. One of the processing principles of GDPR is accuracy. The law not only requires organizations to maintain accuracy on their own, but it also allows data subjects to be involved in that process. Data subjects can request that inaccurate data be corrected, and data subjects can also provide controllers with supplementary information to ensure that incomplete data is brought to completion or brought to currency.

The third right is the right to erasure. This right is also known as the right to be forgotten and gives data subjects the right to have an organization delete, in whole or in part, their personal data. This right is not a complete and absolute right, which means that just because a data subject asks that their data be deleted doesn’t mean that an organization must delete that data. There are five circumstances in which an organization might delete personal data. 1) If the data was processed unlawfully; 2) If the organization no longer needs the data for the purposes for which it originally collected the data; 3) If there is a legal requirement from the EU to delete the data; 4) If a data subject gave their personal data based on consent and they have withdrawn that consent and requested that their data be deleted; 5) If a data subject has objected to the processing of their data and requested that their data be deleted.

However, even if one of those five grounds for deleting personal data exists, an organization still might have reasons to maintain that personal data. One of those reasons is if there is an EU requirement to maintain that personal data. Another ground is if there is litigation or a legal defense regarding that personal data. A third and final reason is if an organization needs to maintain that data for historic or scientific purposes. So, for the right to erasure, an organization must first determine whether or not a valid ground exists to delete the data. Secondly, an organization must determine whether or not there is an exception to the requirement to delete that data.

A fourth right given to data subjects by GDPR is the right to restriction. There are four reasons for an organization to grant a request for restriction. First, if a data subject is challenging the accuracy of their personal data, an organization may restrict processing of that personal data until the issue regarding the accuracy is resolved. Second, if the organization no longer needs the personal data for the original purpose, but it does need that personal data to maintain a legal defense, then it can restrict processing with the exception of using that data for litigation purposes. Third, if the data subject is challenging the lawfulness of the processing, then the organization may restrict the processing until the issue of lawfulness is resolved. Fourth, if a data subject has objected to data processing, the organization may restrict processing until the objection to processing is resolved.

Restriction may be achieved in one of several ways: the data can be deleted, restricted, sequestered, or suppressed.

As with the other data subject rights, if an organization grants a request for restriction, not only does the organization have to restrict the processing of personal data itself, but it should also notify processors and other third parties who receive the personal data that a restriction request has been granted.

Once an organization has reviewed a request for restriction and determines that it has a valid basis for processing the data, the organization may lift the restriction. Before it does so, it must notify the data subject in writing. There are several grounds on which an organization may lift that restriction: if it determines that the data is accurate, if it determines that it has a lawful basis for processing, if it determines that the objection request is not valid, or if it determines that it does need the data for the original purpose for which it was collected.

There are four additional grounds that give an organization the ability to lift a restriction: if the data subject gives consent, if there’s a need to maintain a legal defense, if there’s a need to protect a third party, or if there are important public grounds for the EU or a member state. It should be noted that data storage processing activities are not subject to restriction requests.

A fifth right that GDPR gives data subjects is the right to data portability. There are three conditions that have to be met for a valid portability request: the data subject has to have directly given their personal data to an organization, the legal basis for processing has to be consent or performance of a contract, and the organization has to be using automated means to process the personal data. “Automated” implies anything that’s not paper. If all three of those conditions are met, then an organization must provide a copy of the personal data in a commonly used format, either to the data subject or, at the data subject’s request, to another controller. Examples of commonly used formats include XML, CSV, and JSON.

A sixth right that GDPR gives data subjects is the right to object to processing activities. This right is broken down into both the right to object and the right to object to automated decision-making. First, we’ll talk about the right to object generally. Data subjects may object to any processing of their personal data by an organization if that processing is based on legitimate interest and there are not any overriding reasons to reject the data subject’s request for objection. The easiest right of all to handle is the objection to direct marketing. In this case, there are no conditions and there are no exceptions. If a controller receives an objection to direct marketing, the controller must – as soon as practically possible and within the required time frame – cease marketing to that data subject. Again, there are no conditions and there are no exceptions.

The final right is the right in relation to automated decision-making, including profiling. GDPR gives data subjects the right to object to automated decision-making and to request human intervention in cases where an organization uses automated processes to make a significant or legal decision, such as employment or the extension of a loan. In those cases, a data subject can request that a human be involved in the decision-making process. Organizations can reject requests for human intervention in automated decision-making if the data subject gave consent for such automated decision-making, if that automated decision-making is based on the performance of a contract, or if there is an EU legal requirement or mandate that gives the organization the ability to process the data automatically. If the objection to automated decision-making is granted, the organization must suppress or restrict the personal data that was used in the automated decision.

Now that we’ve talked about some of the rights that GDPR gives to data subjects, let’s talk about the process of responding to these rights. First, timeframes. Controllers have one month to respond to a data subject’s request – either to grant that request or to respond in writing giving the reason for denial. GDPR does give organizations a one-time two-month extension. If organizations are going to use that extension, they must respond to the data subject within one month in writing, giving the data subject the reason for the delay. Additionally, organizations may not charge data subjects for exercising their rights under GDPR unless an organization determines that the request is either unfounded or excessive. In that case, an organization may either deny the request or charge only the administrative costs of responding to such requests. Organizations should ensure that they are documenting names, dates, the nature of requests, investigations, and responses to such requests so that, if a data subject challenges their timeliness or a supervisory authority investigates a data subject’s request, the organization can demonstrate that it has properly received and responded to such data subject requests.
