GDPR – Individuals’ rights [first part of two]


The intention of the GDPR is to strengthen and unify data protection for all individuals within the European Union.

Photo by https://www.flickr.com/photos/krisnelson/ some rights reserved

“Schuyler against Curtis and the Right to Privacy”, Judge Noble Hand (1897)


The following individuals’ rights are covered under the GDPR:

  1. The right to be informed
  2. The right of access
  3. The right to rectification
  4. The right to erasure
  5. The right to restrict processing
  6. The right to data portability
  7. The right to object
  8. Rights in relation to automated decision making and profiling.

I’ll cover these rights in two posts. Now, let’s go for the first four.

The right to be informed

This right ensures transparency: individuals must be told which of their personal data is being used, by whom and for what purpose. Check the guidance on how to create a privacy notice for this. What you must tell them, and when, depends on how the personal data was obtained (directly from the individual, or from another source).

The information you supply about the processing of personal data must be concise, clear and easy to understand, and it must be provided free of charge (Article 12).

The right of access

Individuals have the right to be aware of, and to verify, the lawfulness of how their personal data is being processed, so they need to be able to access it easily and at reasonable intervals. Where possible, the controller should provide remote access to a secure system that gives the data subject direct access to his or her personal data.

Article 15 sets out this right and Recital 63 provides further detail. Note that requests which are manifestly unfounded or excessive (in particular because they are repetitive) can be charged a reasonable fee, or refused. You have to provide the information without undue delay and in any event within one month of receiving the request. For complex or numerous requests, you can extend the period of compliance by up to two further months, provided you inform the individual within one month of receipt of the request and explain the reason for the extension.

A convenient checklist for handling subject access requests is available from the ICO.

The right to rectification

The data subject has the right to obtain from the controller without undue delay the rectification of inaccurate personal data concerning him or her.

Taking into account the purposes of the processing, the data subject shall have the right to have incomplete personal data completed, including by means of providing a supplementary statement.

This right is covered in Article 16 – Right to rectification and further detailed with Recital 65 – Right of rectification and erasure.

The right to erasure

This right has been expanded from the previous provisions on erasure in the soon-to-be-replaced Directive 95/46/EC.

A controller must erase personal data without undue delay if one of these grounds (Article 17(1)) applies:

  • Where the personal data is no longer necessary in relation to the purpose for which it was originally collected/processed
  • When the individual withdraws the consent on which the processing is based, and there is no other legal ground for the processing
  • When the individual objects to the processing and there is no overriding legitimate interest for continuing the processing
  • The personal data was unlawfully processed (ie otherwise in breach of the GDPR)
  • The personal data has to be erased in order to comply with a legal obligation
  • The personal data was collected in relation to the offer of information society services to a child.

Eraser by Alex Morfin (https://commons.wikimedia.org/wiki/File:Pencil_eraser.jpg)

As a controller, you can refuse to comply with a request for erasure where the personal data is processed for one of the following reasons (Article 17(3)):

  • to exercise the right of freedom of expression and information
  • to comply with a legal obligation, or for the performance of a task carried out in the public interest or in the exercise of official authority
  • for reasons of public interest in the area of public health
  • for archiving purposes in the public interest, scientific or historical research purposes, or statistical purposes, where erasure would make achieving those purposes impossible or seriously impair it
  • for the establishment, exercise or defence of legal claims.

That right is relevant in particular where the data subject gave his or her consent as a child, not fully aware of the risks involved in the processing, and later wants to remove such personal data, especially on the internet (Recital 65). The data subject should be able to exercise this right even though he or she is no longer a child. Note, however, that there are quite a few cases (listed above) in which the controller can still keep the information.

The second part of this post will describe the other four individuals’ rights, which include two new rights (Art. 18 – Right to restriction of processing and Art. 20 – Right to data portability).
