How to make GDPR easy: Focus on data subject’s rights

Welcome to Part 2 of my series on the GDPR, the EU’s new rules on data protection which come into force on 25th May 2018. You can read Part 1 here. For Week 2 of the University of Groningen’s free course, accessible here, we focussed on the rights of data subject’s. I have provided a summary of these rights in this blog post.


How to make GDPR easy: Focus on data subject's rights | Prior Portfolio | Vicky Prior - Freelance Writer

First up, all data controllers must meet transparency and modality requirements. For transparency, data subjects must be provided with clear information on how their data will be collected, processed and used. For modalities, controller’s can give data subject’s information either written or orally once the subject has proven their identity. Information should be given free of charge unless it is an ‘unfounded or excessive request’ or the request is repetitive. One electronic copy of personal data may be given to subject free of charge. Additional copies can be charged at a small fee.

Data subjects rights can be restricted if the data is being collected in the interests of the public, for example, taxation or national security. Controllers must prove the need for restrictions to be put in place. Unsurprisingly, national security is expected to be the most widely used right of restriction.

Right to access

Data subjects can find out what, how and why data has been collected, how long it is stored for and who will access it.

Right to object

Data subjects can stop the processing of their data. Controllers can appeal this stoppage if they can prove the purpose of the collection overrides the rights and freedoms of the subject.

Right to restriction of processing

This differs from stopping processing outright and happens when the subject notifies the controller the data is inaccurate, if unlawful processing has occured, when data is no longer needed by controllers but subjects need it for legal matters, or when there is a dispute over whether data should be collected.

If data processing has been restricted, then data can be; processed but not stored in order to establish subjects legal claims, to protect others or if the collection is in public interest, as long as subject consents. Subjects must be informed by the controller when the restriction is lifted.

Right to erasure

This is more commonly known as ‘the right to be forgotten’ and happens in the following situations:

  • personal data is not necessary for purpose
  • subject withdraws consent with no overriding reason for continuing
  • subject objects to processing with no overriding reason for continuing
  • processing is unlawful
  • deletion needed to comply with law
  • data collected is to do with providing services to minors

The right to erasure does not apply if the controller has a right to freedom of information or is complying with EU or member state law, or if research is in public interest or part of a legal claim.

Right to data portability

Data must be given to subjects in a universal format so they can pass it to a new controller if they wish.

Right to lodge a complaint with a supervisory authority

If the subject thinks their data has been collected or processed in a way that goes against GDPR, they can lodge a complaint with the supervisory authority.

Right to an effective judicial remedy

The subject can bring judicial proceedings against the controller or processor if they are unsatisfied with the supervisory authorities handling of their complaint. The subject can also skip the supervisory authority altogether and go straight to a judiciary if they wish.

Right not to be subjected to a decision based only on automatic processing

Subjects can exercise this right is automatic processing will have legal consequences for them. This right is not applicable if the decision is either necessary for entering a contract, authorised by EU or member state, or the subject already consented. Under normal circumstances, controllers must help make decisions based on their knowledge so that the data processing is not solely automated.

Right to represented by organisations and others

Data subjects can engage not-for-profits to lodge complaints, receive compensation and exercise their rights on their behalf – this right only applies in these situations.

Right to compensation and liability

If a subject’s rights are proven to have been materially infringed, the subject must establish who is liable and request compensation. Controllers are normally liable unless it can be proved the processor acted independently. Neither are liable if events leading up to infringement happened before controller or processor was on board.

I hope these explanations of the right’s of data subjects have been useful. As before, every effort has been made to provide accurate information but if you do spot any errors, please let me know in the comments below.

2 Comments

Leave a Comment

Your e-mail address will not be published. Required fields are marked *