Continuing our GDPR series (see the first, second and third posts), we now look in detail at people's privacy rights. The GDPR gives people more control over their personal data by introducing new rights, and organizations now have a limited time in which to respond to a request from an individual about how their data is used. To comply, organizations need to be transparent about the data they collect and what they use it for.
The data rights of people are:
1. The right to be informed
2. The right to access
3. The right to rectification
4. The right to erasure (the right to be forgotten)
5. The right to restriction of processing
6. The right to data portability
7. The right to object
8. Rights in relation to automated decision-making and profiling
It is very important to protect and respect people's data rights, because if you don't, they can lodge a complaint with a supervisory authority (GDPR, Article 77), seek a judicial remedy against you (Article 79) and claim compensation for both material and non-material damage (Article 82). As controller, your company or organization is liable for damage caused by processing that infringes the Regulation; a processor is liable where it has not met the obligations the Regulation places on processors or has acted outside your lawful instructions, so the security of personal data you pass to a processor remains your concern.
Let’s explain each of these rights one by one.
1. The right to be informed
Your users and customers need to know how their data is processed and are entitled to a privacy notice which informs them of the following:
Privacy notices should be written in clear and plain language and be provided at the time the data is collected from the person. If you obtain the data from another source rather than from the individual, you must also tell them where the data came from and which categories of personal data you hold; in that case the privacy notice must be provided within a reasonable period and at the latest within one month.
2. The right to access
Similar to the right to be informed, people have the right to ask whether their data is being processed and, if so, to obtain:
This is called a data subject access request (DSAR). You must provide the information within one month of receiving the request; the period can be extended by up to two further months only where the request is complex or numerous, and you must tell the individual about the extension and the reasons for it within the first month. The information must be provided free of charge unless the request is manifestly unfounded or excessive, for example because it is repetitive, in which case a reasonable fee can be charged or the request refused (Article 12). A first copy of the data is free; further copies may carry a reasonable administrative fee (Article 15).
To respond to an access request, first verify the requester's identity and check whether you are processing their data at all. If you hold a large amount of data about the person, you may ask them to specify which information or which processing activities the request relates to before you respond. Check whether the data also contains other people's personal data and, if so, filter or redact it, since the copy you provide must not adversely affect the rights and freedoms of others. If the request was made by electronic means, provide the information in a commonly used electronic form unless the individual asks otherwise. Refusing a request outright is only justified where it is manifestly unfounded or excessive; where other people's rights are affected, the usual answer is to redact, not to refuse.
3. The right to rectification
People have a right to have inaccurate data corrected and incomplete data completed. If the data has been passed to other companies or organizations, you must inform each recipient of the correction so that they can update their own systems, unless this proves impossible or involves disproportionate effort. The request can be made verbally or in writing. This right is tightly connected with the right to access, since people often discover inaccuracies through a DSAR.
4. The right to erasure (The right to be forgotten)
Companies must delete personal data without undue delay when requested to do so under the following circumstances:
If you have made the data public or passed it to other recipients, you must inform them that the person has requested erasure, and take reasonable steps, including technical measures, to ensure the data is erased wherever it has been copied. This right is not absolute, however: you can refuse to delete the data under the following circumstances:
The controller can also refuse to erase the data if the request is manifestly unfounded or excessive, for example because it is repetitive, but you need to justify the decision and tell the individual they can complain to a supervisory authority.
5. The right to restriction of processing
When people request that you limit the way you use their data, you may only store it and must not otherwise process it, except under these circumstances:
If the data has been passed to another organization, you must inform them of the restriction so that they apply it too. A restriction is usually temporary: it typically covers the time you need to check whether the data is accurate, or to establish whether your legitimate grounds for processing override the individual's objection. The data subject must be informed before the restriction is lifted.
6. The right to data portability
People also have the right to obtain a copy of their personal data and to move it from one organization to another. The data must be supplied in a structured, commonly used and machine-readable format, such as CSV, JSON or XML, and where technically feasible it should be transmitted directly and securely to the other organization.
This right only applies where:
7. The right to object
People can object to having their data processed, including profiling, where you rely on legitimate interests or a public-interest task as your lawful basis. You must stop processing the data unless you can demonstrate compelling legitimate grounds for the processing that override the interests, rights and freedoms of the individual, or the processing is needed for the establishment, exercise or defence of legal claims.
If an individual objects to their personal data being used for direct marketing, you must stop processing it for that purpose; here the right is absolute and there is no balancing test. People can also object to processing for research or statistical purposes, unless the processing is necessary for the performance of a task carried out for reasons of public interest.
8. Rights in relation to automated decision-making and profiling
As seen earlier in this series, the Regulation covers automated individual decision-making and profiling generally. Article 22 goes further: people have the right not to be subject to a decision based solely on automated processing, including profiling, that produces legal effects concerning them or similarly significantly affects them.
Such solely automated decision-making is only permitted if it is:
Under the GDPR, people's rights are an essential part of compliance and must not be ignored. Infringing them falls into the highest penalty tier, and respecting them is a visible sign that you comply with the Regulation and take your clients' rights seriously. If you are unsure how to respond to an access request or how to transfer data, check what the Regulation says; it will help you understand your obligations to your clients and meet the legal requirements. And remember to follow our GDPR series.