Both the UK and EU GDPR (General Data Protection Regulation) grant data subjects certain rights over their data, which, if exercised, data controllers must facilitate.
Along with the data protection principles, the data subject rights – outlined in Articles 12–22 – are fundamental to the Regulation.
Individuals suffer when their personal data is lost, stolen or abused, so those who process it must look after it properly. Furthermore, organisations don’t own that data – it continues to belong to the individual, which the eight data subject rights reflect.
Let’s go through them all.
In this blog
- The right to be informed
- The right of access
- The right to rectification
- The right to erasure
- The right to restrict processing
- The right to data portability
- The right to object
- Rights related to automated decision-making, including profiling
1. The right to be informed (Article 13 and Article 14)
You need to tell individuals, at the point you collect data from them (Article 13) or, where you obtained it from another source (Article 14), within a reasonable period and at the latest within one month (or sooner, if you contact them or disclose the data to someone else first):
- Who you are, and how to contact you (and your DPO, if you have one);
- What personal data you're collecting and, under Article 14, where you got it from;
- Why you're using it (or will be using it), and on what lawful basis;
- Who you share it with, including any recipients outside the UK or EU;
- How long you're keeping it for, or the criteria you use to decide that; and
- Their rights, including the right to withdraw consent and to complain to the supervisory authority.
Most data controllers choose to communicate this information via a privacy notice (but this isn’t your only way to facilitate this right).
2. The right of access (Article 15)
Data subjects may ask you to confirm whether you're processing personal data about them and, if so, to receive a copy of it, together with the information listed in Article 15 (which largely overlaps with what you must already share under Articles 13 and 14).
This includes:
- The purpose(s) of processing;
- The categories of personal data;
- The recipients (or categories of recipient) of the personal data;
- How long you'll keep it, or the criteria you use to decide that;
- Where you got the data, if not from the data subject;
- Whether automated decision-making, including profiling, is taking place, the logic involved, its significance, and the envisaged consequences for the data subject; and
- Whether you're transferring the data internationally, and if so, what safeguards are in place.
You must also inform data subjects of their other GDPR rights. That includes the right to lodge a complaint with the supervisory authority. In the UK, that’s the ICO (Information Commissioner’s Office).
When a data subject exercises their right of access, we usually refer to this as a DSAR (data subject access request). But they’re not obliged to use that (or any other) specific phrase for their request to be valid.
When someone exercises this right, you must respond without undue delay and in any event within one month of receiving the request. Article 12(3) lets you extend that by up to two further months where the request is complex or you have received several from the same person, but you must tell the data subject about the extension, and the reasons for it, within the first month. Under Article 12(5) you must normally provide the copy free of charge; you may charge a reasonable fee or refuse only where the request is manifestly unfounded or excessive, and it is for you to demonstrate that it is.
3. The right to rectification (Article 16)
One of the key GDPR principles (Article 5(1)(d)) is ‘accuracy’.
Related to that principle is the ‘right to rectification’. If exercised – meaning that a data subject alerts you to incorrect personal data on them – you (the data controller) must correct it.
The right to rectification also means that if a data subject points out that, within the purposes of data processing, the data on them is incomplete, you must complete it.
When someone exercises this right, you have one month to make the corrections (where they are warranted) and respond to the data subject. Under Article 19, you must also tell each recipient to whom you disclosed the data about the correction, unless that proves impossible or involves disproportionate effort, and tell the data subject who those recipients are if they ask.
4. The right to erasure (Article 17)
The right to erasure is also known as the ‘right to be forgotten’. Under Article 17(1), it obliges you to erase someone’s personal data without undue delay if they ask you to, where any of the following applies:
- You no longer need the personal data for the purpose(s) for which you collected it.
- The data subject has withdrawn the consent the processing relied on, and you have no other lawful basis for it.
- The data subject objects to the processing (see ‘the right to object’ below) and you have no overriding legitimate grounds, or they object to direct marketing.
- The processing was unlawful to begin with.
- You need to erase the data to comply with a legal obligation.
- You collected the data in relation to offering information society services directly to a child.
This right isn’t absolute. Article 17(3) means you don’t need to delete the data where you still need it to comply with a legal obligation, to exercise the right of freedom of expression and information, for reasons of public interest in the area of public health, for archiving, research or statistical purposes where erasure would seriously impair them, or to establish, exercise or defend legal claims.
If you receive a request to be forgotten, you must respond within one month, either having actioned the request or explaining why you need to keep (some of) their data. Where you have made the data public, Article 17(2) also requires you to take reasonable steps to tell other controllers processing it that the data subject has asked for it, and any links to or copies of it, to be erased. As with rectification, Article 19 requires you to notify the recipients you disclosed the data to.
5. The right to restrict processing (Article 18)
If a data subject exercises this right, you may continue to store their data but not otherwise process it. Article 18(2) allows only narrow exceptions: with the data subject’s consent, to establish, exercise or defend legal claims, to protect the rights of another person, or for reasons of important public interest. The restriction normally only applies for a limited time (for instance, while you verify the accuracy of the data), and Article 18(3) requires you to tell the data subject before you lift it.
Someone may exercise this right because:
- They’re contesting the accuracy of the personal data;
- The processing is unlawful, but the subject doesn’t want their data destroyed;
- They’re challenging whether your legitimate grounds for processing override their interests; or
- You don’t need the personal data anymore, but the subject needs it to establish, exercise or defend a legal claim.
Again, if exercised, you must respond within one month.
6. The right to data portability (Article 20)
This right allows people to obtain the personal data they have provided to you in a “structured, commonly used and machine-readable format”, and to transmit it to another controller without hindrance, so they can easily reuse their data for other purposes.
Someone will typically exercise this right when they’re changing providers – for their mobile phone contract, for example. That said, this right may be exercised in any circumstances where the data subject wants to have their personal data transferred to a different controller.
Data subjects can only exercise this right where:
- They provided the data to you (it doesn’t cover data you have derived or inferred about them);
- You’re processing it on the lawful basis of their consent or of a contract with them (Article 6(1)(a) or (b)); and
- The processing is carried out by “automated means”.
Article 20(2) adds that, where technically feasible, they may have you transmit the data directly to another controller. Article 20(4) makes clear that exercising this right must not adversely affect the rights and freedoms of others, so take care with third-party data mixed into the export.
7. The right to object (Article 21)
Article 21(1) of the GDPR says:
The data subject shall have the right to object, on grounds relating to his or her particular situation, at any time to processing of personal data concerning him or her which is based on points (e) or (f) of Article 6(1) [to perform a task in the public interest or for a legitimate interest], including profiling based on those provisions.
The controller shall no longer process the personal data unless the controller demonstrates compelling legitimate grounds for the processing which override the interests, rights and freedoms of the data subject or for the establishment, exercise or defence of legal claims.
Article 21(2) also specifies that data subjects can object to their data being used for direct marketing purposes “at any time” – meaning that this is an absolute right: under Article 21(3), once they object you must stop processing their data for that purpose, with no balancing test. Article 21(4) requires you to bring the right to object to their attention explicitly, and separately from other information, at the latest when you first communicate with them.
Where someone objects to a processing activity, and you can’t provide good grounds for overriding that objection, you must stop that processing (but you can keep the data if you’re using it for a different, lawful activity).
Whether or not you comply with a data subject exercising their right to object, you must inform them of your decision within one month of receiving the objection.
8. Rights related to automated decision-making, including profiling (Article 22)
Under Article 22(1), people have the right not to be subject to a decision based solely on automated processing, including profiling, that produces legal effects concerning them or similarly significantly affects them, unless:
- The decision is necessary for entering into, or performing, a contract between you and the data subject;
- You’re authorised by law to make it, and that law lays down suitable safeguards for the data subject; or
- The data subject has explicitly consented to it.
Where you rely on contract or explicit consent, Article 22(3) means you must, at a minimum:
- Inform the data subject about the processing, including the logic involved and its envisaged consequences (Articles 13–15);
- Enable them to easily obtain human intervention, express their point of view and contest the decision;
- Not base the decision on special category data unless Article 9(2)(a) (explicit consent) or 9(2)(g) (substantial public interest) applies and suitable safeguards are in place (Article 22(4)); and
- Regularly review your systems to make sure they’re working as intended and not producing discriminatory or erroneous outcomes.
Need help to manage complex DSARs?
Our sister company GRCI Law’s team of data privacy lawyers and DPOs (data protection officers) – with extensive experience dealing with complex DSARs – can help you.
Get dedicated support with DSARs, including:
- Reviewing and assessing the nature and validity of the DSAR;
- Advice on search terms and the data to include in the scope of the DSAR;
- Screening the collated data and applying any lawful exemptions; and
- Guidance on how to document the facts relating to the DSAR.
GRCI Law is a specialist legal and compliance consultancy – it only advises on data protection and data privacy matters, with decades of experience and a solid track record.
We first published a version of this blog in March 2021.
The post GDPR: Data Subject Rights and Organisations’ Responsibilities appeared first on IT Governance UK Blog.