Following the adoption of the new EU General Data Protection Regulation (GDPR) on 27 April 2016, most organisations began to re-examine their internal processes and procedures in order to ensure compliance with the new requirements before its entry into force in May 2018.
To assist you in this task, we have identified 10 hot topics which should be handled in priority. We propose to present each of these points of attention separately in a newsflash to be published every two weeks, where we will provide you with practical hints to prepare efficiently.
In this issue, we will list the (new) rights and protections granted to data subjects under the GDPR and discuss how their enforcement may impact your organisation.
- Review the data processing systems in place and ensure that they enable your company to give effect to data subjects' rights
- Update the communication and information material to ensure that it clearly provides for all necessary information to data subjects (e.g. privacy policies, notices, and clauses)
- Set up internal and external procedures / protocols for handling requests of data subjects and create a dedicated email address
- Provide adequate training to relevant employees to ensure they are aware of the new requirements
The GDPR expands the existing set of rights provided in the 1995 Data Protection Directive (such as the right of access, the right to rectification and the right to object to the processing of data) and introduces new rights, namely a right to erasure, a right to data portability and a right to restriction of processing.
Data controllers will be required to provide significantly more information about their processing activities to data subjects, which means that organisations acting as data controllers will be directly impacted by the rights afforded to data subjects and will have to update and adapt their existing processes.
General requirement of transparency and right of information
Under the current legislative framework, data controllers are already required, in order to comply with the general principle of fair and transparent processing, to provide information to individuals about the processing of their data. The GDPR extends the list of mandatory information, which must be provided in a concise, transparent, intelligible and easily accessible form, using clear and plain language.
In other words: be clear!
What? In practice, such information is usually contained in privacy policies or IT charters, whether internal or external, provided to data subjects at the time they interact or contract with the data controller (for providers, clients, etc.) or when they are hired (for employees) and any update of these documents must be notified to data subjects. Such information can also be included in agreements concluded, either within a data protection clause or a specific exhibit.
In a nutshell, such documents will have to contain information including but not limited to, the identity of the data controller, the purpose(s) of the processing, the type of data processed, potential recipients to whom the data might be disclosed, the existence of specific rights granted to data subjects and information on how to exercise them, whether the controller intends to transfer personal data to a third country and the appropriate safeguards taken (New), the period for which the data will be stored (New) and the right to lodge a complaint with a supervisory authority (New).
When? Where the controller has obtained the data directly from data subjects, they must be provided with the above-mentioned information at the time the data is obtained. Where the controller has not obtained the data from data subjects directly, such information shall be provided within a reasonable period (at the latest within 1 month, except in some specific cases).
Right of access and rectification
In order to allow data subjects to enforce the rights they are granted in relation to the processing of their personal data, the existing legislation already obliges controllers, in specific circumstances, to provide data subjects with access to their personal data. In concrete terms, the controller must provide a copy of the personal data undergoing processing. Such right is however currently limited, as data subjects have to prove a legitimate interest in making such a request. The GDPR removes that requirement and considerably expands the categories of information which must be supplied in response to a data subject access request.
What? The right of access grants data subjects the possibility to obtain, within a reasonable period: (i) confirmation of whether, and where, the controller is processing their personal data, (ii) information about the purpose(s) of the processing, (iii) information about the categories of their personal data being processed, (iv) information about the categories of recipients with whom the data may be shared, (v) information about the contemplated retention period, (vi) information about the existence of data subjects' rights (the rights to erasure, to rectification, to restriction of processing and to object to such processing), and (vii) the existence of a right to lodge a complaint with the Data Protection Authority.
How? The controller must give effect to the rights of access and rectification free of charge (this is also true concerning the right of erasure and the right to object). The controller is however entitled to charge a reasonable fee for repetitive requests.
When data about an individual is inaccurate or incomplete, individuals have the right to request a rectification. Such rectification must be made without undue delay.
Right to object to processing
Data subjects maintain their right to object to the processing of their personal data.
What? Data subjects have the right to object to the processing of their personal data, at any time and on grounds relating to their particular situation, where the legal basis for that processing is that it is necessary for the performance of a task carried out in the public interest or for the purposes of the legitimate interests pursued by the controller.
The GDPR expressly grants data subjects the right to object to the processing of their personal data for the purposes of direct marketing (including the right to object to profiling related to direct marketing).
The controller must cease such processing unless the latter demonstrates (i) compelling legitimate grounds for the processing which override the interests, rights and freedoms of the data subject, or (ii) that it processes such data for the establishment, exercise or defence of legal claims.
Right to erasure ("right to be forgotten") New!
The right that received the most attention is the so called “right to be forgotten”. Although the 1995 Directive already provides data subjects with the possibility to ask for personal data to be deleted once such data is no longer necessary, the right to be forgotten emerged from the CJEU ruling C-131/12 of 13 May 2014 baptised “Google Spain v. Costeja”. The GDPR codifies such right.
What? Data controllers will be required to erase personal data upon request from the data subject (and without undue delay) provided that (i) the data is no longer necessary for the initial purpose for which it was collected, (ii) the data subject withdraws consent (when the processing relies on such consent), (iii) the data subject objects to the processing (and there exist no overriding legitimate grounds for the processing – see above), (iv) the data is unlawfully processed, (v) the personal data has to be erased for compliance with a legal obligation, or (vi) the data has been collected in relation to the offering of information society services to a child.
The right to erasure must always be assessed in light of the right to freedom of expression and information of the public. Balancing these fundamental rights can prove to be a perilous exercise, which has given rise to abundant case-law.
Luxembourg courts recently had to deal with their first case involving the right to be forgotten, in proceedings concerning a request addressed to Google Inc. to de-list, from the results displayed by the Google search engine following a search made on the basis of the plaintiff's name, the links to web pages published by third parties containing information relating to him.
Right to restriction of processing New!
In lieu of requesting erasure of their personal data, data subjects may be entitled to limit the purposes for which the controller can process this data in the event the personal data is inaccurate, unlawful, or pending a decision on a complaint lodged by the data subject.
Where processing has been restricted, the controller can in principle only store the personal data and use it for limited purposes or such other purposes as the data subject may consent to.
Right to data portability New!
The right to data portability allows data subjects to obtain and reuse their personal data across different services, or move account details from one online platform to another (which implies the transfer of personal data). Processing must be based on consent or on a contract, and carried out by automatic means.
The data subject is entitled to request a copy of his or her data “in a structured, commonly used and machine-readable format”. The data subject can then transmit the data to another controller of their choice. Further, the controller can be required to transmit the data directly to another controller.
This being said, data portability is not an absolute right, and shall not apply to the extent it contradicts the rights and freedoms of others.
For some organisations, this new right to transfer personal data between controllers creates a significant additional burden, requiring them to adjust their systems to facilitate data portability requests. Such systems must be able to provide the option to access, erase, restrict and adjust the data easily.
On 13 December 2016, the Article 29 Working Party (A29WP) issued guidelines on how to interpret and implement the right to data portability, clarifying the conditions under which this new right applies and providing concrete examples and criteria to explain the circumstances in which it applies. The A29WP notably encourages industry stakeholders and trade associations to work together on establishing a common set of standards, so that interoperability of the data format provided when exercising the right to data portability can be ensured.
Profiling and automated decision-taking
Individuals have a right not to be evaluated by companies solely on the basis of automated processing of their personal data to take decisions concerning them or for analysing or predicting their personal preferences, behaviours and attitudes, when such decisions produce legal effects or significantly affect the data subject. Examples of decisions that may significantly affect data subjects may include the automatic refusal of an online credit application or e-recruiting practices without any human intervention.
Such processing includes “profiling” which is defined by the GDPR as “any form of automated processing of personal data evaluating the personal aspects relating to a natural person, in particular to analyse or predict aspects concerning the data subject's performance at work, economic situation, health, personal preferences or interests, reliability or behaviour, location or movements, where it produces legal effects concerning him or her or similarly significantly affects him or her”.
Such significant automated processing can only be used if it is (i) necessary to enter into, or to perform, a contract between the data subject and the controller, (ii) authorised by Union or Member State law, or (iii) based on the individual's explicit consent. In addition to these requirements, appropriate statistical techniques must be used and transparency must be ensured. It should also be noted that such measures should not concern children.
Automated decision-taking based on sensitive data is further restricted.
The protection and strengthening of data subjects’ rights appears to be one of the main goals of the GDPR, but also a means to ensure effective protection of personal data.
Although controllers have a legal obligation to give effect to the rights of data subjects, they should use all reasonable measures to verify the identity of a data subject who requests access. Indeed, third parties might attempt to exercise a data subject's rights without proper authorisation to do so. Controllers are therefore permitted to ask data subjects to provide proof of their identity before giving effect to their rights.
Please bear in mind that infringements of the provisions relating to data subjects' rights are subject to the maximum level of fines under the GDPR, i.e. administrative fines up to 4 % of the total worldwide annual turnover of the preceding financial year.