This series provides more detailed insight into the General Data Protection Regulation, which was published on 4 May 2016 and must be complied with by 25 May 2018.
This issue focuses on the rights of data subjects, excluding the right to data portability which was addressed in a previous issue . The data subject's control over the processing of his or her personal data is of the utmost importance. Therefore, the GDPR creates new rights for data subjects and strengthens their existing rights.
Skip to the end for a brief overview of the main takeaways and to do's.
Scope and description of various data subject rights
Right of access
The data subject has the right to know if the controller is processing his or her personal data and to request access to that data.
In addition, the controller must provide the data subject with the following information:
- the purposes of the processing;
- the categories of personal data concerned;
- the recipients or categories of recipients to whom the personal data have been or will be disclosed, in particular recipients in third countries;
- where possible, the period for which the personal data will be stored or, if this information is not known, the criteria used to determine this period;
- the data subject's right to request from the controller the rectification or deletion of personal data or a restriction on the processing of his or her personal data and to object to such processing;
- the right to lodge a complaint with a supervisory authority;
- where the personal data are not collected from the data subject, any available information as to their source;
- the existence of automated decision-making, including profiling, and meaningful information about the logic involved, as well as the significance and the envisaged consequences of such processing for the data subject;
- the appropriate safeguards taken by the controller with regard to transfers of personal data to third countries.
At the request of the data subject, the controller must provide free of charge a copy of the personal data being or to be processed. For additional copies, a reasonable administrative fee may be charged. Where possible, the controller must provide remote access to a secure system allowing the data subject to directly access his or her personal data.
Where the controller processes a large quantity of information about the data subject, it can request that the data subject specify the information or processing activities to which his or her request relates.
Where personal data are processed electronically, the controller should also, if possible, provide means for data subjects to make requests electronically. If the data subject files an access request by electronic means, the controller must provide the information in a commonly used electronic form, unless the data subject requests otherwise.
If the access request would adversely affect the rights of the controller (or a third party), the controller may refuse to provide certain information (such as trade secrets).
Right to request rectification
The data subject has the right to request that the controller rectify inaccurate personal data or supplement incomplete personal data. The controller must inform each recipient of the personal data of the rectification, unless this proves impossible or would involve disproportionate efforts.
Right to request erasure or deletion of data
The data subject has the right to ask the controller to delete his or her personal data without undue delay where any of the following grounds applies:
- the personal data are no longer necessary for the purpose(s) for which they were collected or otherwise processed;
- the data subject withdraws the consent on which the processing is based , and there is no other legal ground for the processing;
- the data subject objects to the processing and there are no overriding legitimate grounds for the processing or the data subject objects to the processing for direct marketing purposes;
- the personal data have been unlawfully processed;
- the personal data must be deleted in order to comply with a legal obligation under European Union or Member State law to which the controller is subject;
- the personal data were collected in order to offer information society services to children.
Where the information to be deleted by the controller has been made public, the controller shall take reasonable steps to ask each recipient of the personal data to erase any links to and copies or replications of the personal data, unless this proves impossible or would involve disproportionate efforts.
Exceptionally, personal data need not be erased and third-party controllers need not be informed to the extent processing of the personal data in question is necessary:
- to exercise the right of freedom of expression and information;
- to comply with a legal obligation under EU or Member State law to which the controller is subject or to perform a task carried out in the public interest or in the exercise of official authority vested in the controller;
- for reasons of public health;
- for archiving purposes in the public interest, scientific or historical research purposes or statistical purposes in accordance with the provisions of the GDPR insofar as the right to erasure is likely to render impossible or seriously impair the achievement of the objectives of the processing; or
- to establish, assert or defend legal claims.
Right to impose a restriction on processing
The data subject has the right to obtain from the controller a restriction on the processing of his or her personal data where any of the following grounds applies:
- the accuracy of the personal data is contested by the data subject, in which case the restriction shall apply for the time necessary to allow the controller to verify the accuracy of the personal data;
- the processing is unlawful and the data subject opposes erasure of the personal data and requests that the use thereof be restricted instead;
- the controller no longer needs the personal data for the purposes of the processing, but they are still required by the data subject to establish, exercise or defend a legal claim;
- the data subject has objected to the processing based on a legitimate interest pending verification whether the legitimate grounds of the controller override those of the data subject.
The methods used to restrict processing can include:
- temporarily transferring the selected data to another processing system;
- making the selected data unavailable to users; and
- temporarily removing published data from a website.
In any case, the fact that processing of the personal data in question is subject to a restriction should be clearly indicated in the system.
Right to data portability
The data subject has the right to receive the personal data he or she provided to the controller in a structured, commonly used and machine-readable format and to transmit the data to another controller without being prevented from doing so by the initial controller where:
- the processing is based on consent or a contract; and
- the processing is carried out by automated means
If technically feasible, the data subject can request that the first controller transfer his or her personal data directly to another controller. For more information, please refer to the issue on data portability.
Right to object to the processing
The data subject has the right to object at any time to the processing of personal data concerning him or her:
- on grounds relating to his or her particular situation, grounds of public interest, and the legitimate interest ground, including profiling based on these grounds; and
- for direct marketing purposes, including profiling.
Right not to be subject to automated individual-decision making (including profiling)
The data subject has the right not to be subject to a decision based solely on automated processing, including profiling, which produces legal effects concerning him or her or similarly significantly affects him or her.
This right does not apply if the decision:
- is necessary to enter into or perform a contract between the data subject and a data controller;
- is authorised by EU or Member State law to which the controller is subject and which lays down suitable measures to safeguard the data subject's rights, freedoms and legitimate interests; or
- is based on the data subject's express consent.
Exercise of the data subject's rights
When a data subject exercises one of his or her rights, the controller must respond within one month from receipt of the request. This one-month period may be extended by two additional months, if so required due to the complexity and number of requests. In this case, the controller must inform the data subject of the extension.
If the controller does not wish to grant the data subject's request, it must inform the data subject, within one month from receipt of the request, of its reasons for not taking action as well as the data subject's right to lodge a complaint with the supervisory authority and seek judicial redress.
Any communication with data subjects regarding the exercise of their rights and actions taken in this regard shall be free of charge. However, where the requests of a data subject are manifestly unfounded or excessive, in particular due to their repetitive character, the controller may either charge a reasonable fee or refuse to act on a request. In this case, the controller bears the burden of proof.
When a data subject makes a request by electronic means, the controller shall provide the requested information by electronic means where possible, unless the data subject requests otherwise.
Takeaway's and to do's
Exercise of the Right
Right of access: right to obtain confirmation from the controller as to whether personal data are being processed, to access the data and to be provided with other items of information.
Right to rectification: right to request and obtain rectification of inaccurate data.
Right to deletion or erasure: right to obtain erasure of personal data without undue delay under certain circumstances.
Right to restrict the processing: right to restrict the processing of personal data under certain circumstances.
Right to data portability: right to receive personal data from the controller in a structured, commonly used and machine-readable format and to transmit the data to another controller without hindrance.
Right to object: right to object to the processing of personal data on grounds relating to the particular situation of the data subject and for direct marketing purposes.
Right not to be subject to automated individual decision-making: right not to be subject to a decision based solely on automated processing which produces legal effects concerning the data subject or similarly significantly affects him or her.
- The controller must respond to the request within one month.
- This one-month period may be extended by two additional months provided the data subject is informed thereof.
- If the controller does not wish to act on the request, the data subject must be informed of its reasons as well as his or her right to lodge a complaint with the supervisory authority and take legal action.
- The controller may refuse to act if the request is manifestly unfounded or excessive.
- The controller may not charge a fee unless the request is manifestly unfounded or excessive.
- When a request is made by electronic means, the controller must provide the requested information by electronic means where possible.
The rights of data subjects are not absolute. Certain rights are subject to the fulfilment of particular conditions or to restrictions.
- Put in place appropriate procedures to respond to requests of data subjects. The following factors should be considered: contact person for data protection requests, clear internal allocation of responsibilities, standard letters for refusal to act/extension.
- Work closely with IT. It is important that your IT systems ensure compliance with the data subjects' rights (including the possibility to erase data)
Recitals 63 to 73
Articles 12, 15-21 and 23