Welcome to Part 2 of my series on the GDPR, the EU’s new rules on data protection which come into force on 25th May 2018. You can read Part 1 here. For Week 2 of the University of Groningen’s free course, accessible here, we focussed on the rights of data subjects. I have provided a summary of these rights in this blog post.
First up, all data controllers must meet transparency and modality requirements. For transparency, data subjects must be provided with clear information on how their data will be collected, processed and used. For modalities, controllers can give data subjects the information either in writing or orally once the subject has proven their identity. Information should be given free of charge unless it is an ‘unfounded or excessive request’ or the request is repetitive. One electronic copy of personal data may be given to the subject free of charge. Additional copies can be charged at a small fee.
Data subjects rights can be restricted if the data is being collected in the interests of the public, for example, taxation or national security. Controllers must prove the need for restrictions to be put in place. Unsurprisingly, national security is expected to be the most widely used right of restriction.
Right to access
Data subjects can find out what, how and why data has been collected, how long it is stored for and who will access it.
Right to object
Data subjects can stop the processing of their data. Controllers can appeal this stoppage if they can prove the purpose of the collection overrides the rights and freedoms of the subject.
Right to restriction of processing
This differs from stopping processing outright and happens when the subject notifies the controller that the data is inaccurate, if unlawful processing has occurred, when the data is no longer needed by the controller but the subject needs it for legal matters, or when there is a dispute over whether the data should be collected.
If data processing has been restricted, then the data can be processed but not stored in order to establish the subject’s legal claims, to protect others, or if the collection is in the public interest, as long as the subject consents. Subjects must be informed by the controller when the restriction is lifted.
Right to erasure
This is more commonly known as ‘the right to be forgotten’ and happens in the following situations:
- personal data is not necessary for purpose
- subject withdraws consent with no overriding reason for continuing
- subject objects to processing with no overriding reason for continuing
- processing is unlawful
- deletion needed to comply with law
- data collected is to do with providing services to minors
The right to erasure does not apply if the controller has a right to freedom of information or is complying with EU or member state law, or if research is in public interest or part of a legal claim.
Right to data portability
Data must be given to subjects in a universal format so they can pass it to a new controller if they wish.
Right to lodge a complaint with a supervisory authority
If the subject thinks their data has been collected or processed in a way that goes against GDPR, they can lodge a complaint with the supervisory authority.
Right to an effective judicial remedy
The subject can bring judicial proceedings against the controller or processor if they are unsatisfied with the supervisory authority’s handling of their complaint. The subject can also skip the supervisory authority altogether and go straight to a judiciary if they wish.
Right not to be subjected to a decision based only on automatic processing
Subjects can exercise this right if automatic processing will have legal consequences for them. This right is not applicable if the decision is either necessary for entering a contract, authorised by the EU or a member state, or the subject has already consented. Under normal circumstances, controllers must help make decisions based on their knowledge so that the data processing is not solely automated.
Right to be represented by organisations and others
Data subjects can engage not-for-profits to lodge complaints, receive compensation and exercise their rights on their behalf – this right only applies in these situations.
Right to compensation and liability
If a subject’s rights are proven to have been materially infringed, the subject must establish who is liable and request compensation. Controllers are normally liable unless it can be proved that the processor acted independently. Neither is liable if the events leading up to the infringement happened before the controller or processor was on board.
I hope these explanations of the rights of data subjects have been useful. As before, every effort has been made to provide accurate information, but if you do spot any errors, please let me know in the comments below.