When the General Data Protection Regulation (GDPR) was enforced back in 2018, it granted individuals eight data subject rights, that had one common goal- to give individuals control over their personal data.
While some of the rights were already introduced through the earlier legislature (like the right to access) and further enhanced, some of the rights are novelties unique to the GDPR – like data portability.
1. Right to be informed
The right to information allows individuals (data subjects) to know what personal data is collected about them, why, who is collecting data, how long it will be kept, how they can file a complaint, and with whom will they share the data.
To be more precise, the organization (data controller) is obligated to provide information about:
• controller’s information and contact details
• purpose of data processing
• legal basis for personal data processing
• third party details
• data retention period,
• rights granted to the data subject under the data protection law,
• the right to file a complaint,
• whether the provision of personal data is a statutory or contractual requirement,
• whether the individual is obligated to provide the personal data and so on
All this information needs to be communicated in plain and clear language.
2. Right of access
Individuals have a right to submit subject access requests and attain information from the organization about whether their personal information is being processed.
The organization is then obligated to provide a copy of personal data they have about the individual and additional information including:
- what is the purpose of the processing
- what categories of personal data they are processing
- with whom the data is shared (third countries or international organizations)
- how long will the organization keep the data (data retention period)
- information about their GDPR rights (right to rectification, right to erasure, restriction of processing…)
- the existence of automated decision-making, including profiling
- what is the source of collected data (if the data is not collected from the individual)
Find out more about what information are you obligated to provide in a DSAR response? Who Can Submit a DSAR?Deadline for Responding to the DSAR? Can You Refuse to Respond to a DSAR?
3. Right to rectification
The right to rectification allows the individuals to ask the organization to update any inaccurate or incomplete data they have on them.
If the organization confirms that the data is inaccurate, the legal deadline to respond to a request is one month. Upon the request, the organization should take steps to ensure that the data is indeed inaccurate and rectify it.
This right sets new operational challenges for organizations, since rectifying one data set can have wider consequences on the entire database.
4. Right to be forgotten
The right to be forgotten is also known as the right to erasure. This right allows individuals to ask for their personal data to be deleted if:
- the personal data is no longer necessary
- an individual withdraws consent
- the personal data have been unlawfully processed
- Individual objects to the processing and the data controller has no reason to continue processing
- data erasure is necessary for compliance with a legal obligation (EU law or national law)
Although there are situations where organizations can decline the request. For instance, for reasons in the public interest or compliance with legal obligations.
If a data subject exercises their right to erasure, the organization has to notify any third parties with whom the data was shared and request the erasure of data.
The organization has to comply unless it can prove that the request would require a disproportionate effort or if it is impossible to comply.
This means organizations are now facing a new challenge- notification of third parties.
For organizations that are sharing their data with a large number of third parties, this requires new procedures and notification systems, which can complicate compliance progress.
Click on the link below to find out more:
5. Right to restrict processing
Individuals can request that an organization limits the way it uses their personal data. To put it plain and simple, the organization is not obligated to delete the data, however, they have to refrain from processing it.
However, it can only be applied in certain situations:
- if the data is inaccurate (during the verification process)
- if the processing is unlawful but the individual does not want the data to be erased and requests restriction (which is different from the right to be erased)
- the data controller no longer needs data, but the individual wants the data to be preserved so the legal claim can be exercised
- the organization is taking measures to verify the data erasure request
Once the data is restricted organization is not allowed to process it unless they have the individual’s consent, they need it for legal claims or to protect the rights of other individuals.
6. Right to data portability
Data portability is one of the novelties among data subject rights, it allows individuals to obtain their own personal data that they have previously provided to the organization in a structured, commonly used, and machine-readable format.
Individuals can also request for their data to be transferred directly to another organization.
However, it can only be applied to the data that an individual has provided to the organization (data controller) by consent or contract and if the processing is carried out by automated means- no papers.
This is also applicable to data related to the behavior of the individual and may include search inquires, location data, website history, and more.
7. Right to object to processing
The right to object allows individuals to object to the processing of personal data at any time, in certain situations and it will depend on the purpose of processing and the lawful base for processing.
Individuals can stop the processing of their personal data for direct marketing purposes as this is their absolute right. However, they can also object to the processing of data on the grounds of legitimate interest, or the tasks in the public interest.
8. Rights in relation to automated decision making and profiling
The GDPR introduced strict rules when it comes to the processing of personal data that is done without human involvement.
This includes different types of profiling, which may include evaluating certain personal aspects relating to an individual that analyses or predicts aspects of behavior like performance at work, economic situation, health, personal preferences, interests, reliability, behavior, or location.
The data subjects now have the right not to be subject to automated decision-making if it is producing a legal effect that significantly affects them.
However, it will not apply if the processing is necessary for the performance of a contract, if it is authorized by the law, or if the processing is based on explicit consent. Find out more about explicit consent!
Violation of data subject rights
Any violation of data subject rights provokes the highest penalties under the GDPR, up to €20 million euros, or up to 4 % of their total global turnover of the preceding fiscal year, whichever is higher.
This represents a real risk for the organization, both financial and reputational since the operationalization of the data subject rights remains one of the compliance challenges.
Operationalization of data subject rights
When an organization collects and processes personal data in large quantities the automation of the process is the key. Privacy solutions such as Data Privacy Manager serve as a platform for the orchestration and management of data subject rights.
It automates the entire process so that the IT systems, where the data is stored, can execute user requests timely and accurately. The process becomes an automated workflow with clear insight into the process.
From the registration of request, through the process of the request approval and data processing, to the notification of the data subject about the outcome of the request.
Most importantly, Data Privacy Manager represents one central place for the supervision of requests and provides DPO with all the information necessary for managing data subject requests within the limits of the response date.