The GDPR sets out the rights data subjects have in relation to their personal data, the proper exercise of which allows them to have a better understanding of, and more control over, their personal data. The GDPR obliges organisations to provide transparency on their data processing methods and restore individuals’ sense of control over their personal data. It sets time limits for organisations to respond to subject access requests and introduces new rights, such as the right to data portability, that address some of the outstanding issues that have arisen since the development of the Data Protection Directive (DPD), which is at the basis of much of the GDPR.
From an organisational point of view, the key issue is to fully understand these new or extended rights, and to determine the systems and processes that will need to be introduced or altered in order to comply with the GDPR.
It is especially crucial to ensure that data subjects’ rights are protected because data subjects are entitled to complain to supervisory authorities131 and seek judicial remedies132 against controllers and processors for damages (both material and non-material) arising from breaches of the GDPR.133 In other words, the controller is directly liable for the damage caused by processing that infringes the Regulation. The controller is responsible for ensuring the security of any personal data that is passed to a processor, whether that processor is inside or outside the European Union.
Article 12 of the GDPR describes what controllers have to do in terms of providing data subjects with information about the processing that is to occur, and about making them aware of their rights.
A data subject is entitled to know whether or not their personal data is being processed, and whether it is processed by the controller itself or by a third-party processor; what personal data of theirs is being processed and the lawful basis of that processing; the purposes of the processing, including how long the data will be stored by the controller; and to be provided with supplemental information about the processing.
The GDPR states that this information must be presented to the data subject “in a concise, transparent, intelligible and easily accessible form, using clear and plain language, in particular for any information addressed specifically to a child”134. This statement extends the sentiment of the DPD, which merely requires such information to be “in an intelligible form”135. Organisations will need to confirm that their current practices (which should already be in line with the DPD) meet these new requirements for transparency.
A data subject also has the right to lodge a complaint with a supervisory authority against the controller under Article 77 if they believe the processing of their personal information infringes the Regulation.
If personal data is transferred to a third country outside of the EU or to an “international organisation” (which is any organisation governed by public international law or based on an agreement between two or more countries136), the Regulation stipulates that the data subject has the right to be informed of the safeguards put in place relating to this transfer.
Furthermore, the data subject has the right to request that their information be rectified or removed, or that its processing be restricted by the controller.
The information about the processing of personal data and the rights of the data subjects (and how to exercise those rights) is typically contained in a document called a privacy notice. Privacy notices must be provided to data subjects when the data is collected or, if it is not collected directly from the data subject, before first use of the data and typically within 30 days of collection.
Articles 13 and 14 of the GDPR set out the minimum requirements for the content of such privacy notices. An Article 13 notice deals with data collected directly from data subjects and Article 14 deals with personal data collected other than from the data subject directly. Issuing updated and GDPR-compliant privacy notices should be seen as one of the most basic GDPR compliance practices.
The right to access
Both the Regulation and the DPD stipulate that the controller must provide data subjects with access to the following information: a copy of their personal data, the purposes of processing their data, the categories of the data being processed, and the third parties or categories of third parties that will receive their data137. This is called a data subject access request (DSAR), and organisations should have in place tried and tested processes for identifying such requests and responding to them. An inadequate response might, in future, trigger either a complaint to a supervisory authority or a court action, or both.
The GDPR requires data controllers to respond to a DSAR “without undue delay and in any event within one month of receipt of the request”138. The explicit one-month deadline, unlike the more vague DPD requirement to respond “without constraint at reasonable intervals and without excessive delay or expense”139, could be a little tight for some organisations, particularly if a large number of requests are filed at one time, or complicated post-processing of the information is required to make it intelligible and identify the data subject. The Regulation, therefore, allows the period to be extended by two further months where necessary, but the controller must inform the data subject of any extension within the original one-month time limit and explain the reasons for the delay.
If the information is requested electronically, it must be provided electronically. The information may be supplied in a variety of other formats, but this should generally be agreed with the data subject, and the controller must first confirm the identity of the data subject making the request140. These requirements could impose costs on organisations that use special formats to store data, or that only hold paper records.
Personal data provided in response to a data subject access request must be provided free of charge under the GDPR. This is a marked change from the DPD. In the UK, for example, Section 7 of the DPA allowed data controllers to charge up to £10 per information request, or up to £50 for paper-based health and education records (which are charged using a sliding scale from £1 to £50 depending on the number of pages provided).
Not all personal data is covered under the Regulation, and if an individual makes “unfounded or excessive” requests141, the controller has the right to refuse an information request or to charge a “reasonable fee” to cover the resulting administrative costs. The data subject must also be informed, within one month of receipt of the request, of the reasons for not taking action.
However, as the Regulation does not clarify these terms, it will be up to the organisation to prove both that the requests are “unfounded or excessive” and that the fees they wish to charge are “reasonable”. Failure to do so could be interpreted as obstructing the data subject’s rights and freedoms, which is subject to the highest level of administrative fine142. There is potential, therefore, for high volumes of frivolous information requests. Organisations will have to assess the risk of this happening and put in place appropriate safeguards to manage such occurrences.
The GDPR extends this right to give data subjects access to additional information, including the period of time for which the data will be stored and, if this is not possible, the criteria used to determine the retention period.
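The response clock described above (one month from receipt, extendable by up to two further months only if the data subject is told within the original month, and no release of data before the requester's identity is confirmed) is easy to get wrong in a ticketing system. The following is an added example, not code from the book; it assumes “one month” means a calendar month, clamped to the end of shorter months, and the class and field names are hypothetical.

```python
"""Track the Article 12(3) response clock for a data subject access request (added example)."""
from __future__ import annotations

import calendar
from dataclasses import dataclass
from datetime import date


def add_months(d: date, months: int) -> date:
    """Advance a date by whole calendar months, clamping to the end of a shorter month.
    Assumption: 'one month' is read as a calendar month, so 31 Jan + 1 month is 28/29 Feb."""
    index = d.month - 1 + months
    year, month = d.year + index // 12, index % 12 + 1
    return date(year, month, min(d.day, calendar.monthrange(year, month)[1]))


@dataclass
class AccessRequest:
    received: date
    identity_verified: bool = False      # data must not be released before this is True
    extension_months: int = 0            # up to two further months (Article 12(3))
    extension_notified_on: date | None = None
    responded_on: date | None = None

    @property
    def original_deadline(self) -> date:
        return add_months(self.received, 1)

    @property
    def deadline(self) -> date:
        return add_months(self.received, 1 + self.extension_months)

    def extend(self, months: int, notified_on: date) -> date:
        """Extend the deadline; the data subject must be told, with reasons,
        before the original one-month deadline passes."""
        if not 1 <= months <= 2:
            raise ValueError("extension may be one or two months, no more")
        if notified_on > self.original_deadline:
            raise ValueError("extension notice must be sent within the original one month")
        self.extension_months, self.extension_notified_on = months, notified_on
        return self.deadline

    def release(self, on: date) -> str:
        """Record the response; identity must be confirmed first (Article 12(1), Recital 59)."""
        if not self.identity_verified:
            raise PermissionError("confirm the requester's identity before releasing data")
        self.responded_on = on
        return self.status(on)

    def status(self, today: date) -> str:
        if self.responded_on is not None:
            return "complied" if self.responded_on <= self.deadline else "late"
        return "overdue" if today > self.deadline else "open"


def days_remaining(req: AccessRequest, today: date) -> int:
    """Negative once the deadline has passed; useful for a request-queue dashboard."""
    return (req.deadline - today).days
```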
The right to rectification
The data subject has the right to rectify any inaccuracies in the personal data held about them. Article 16 of the GDPR states that “the data subject shall have the right to obtain from the controller without undue delay the rectification of inaccurate personal data concerning him or her”143. Inaccurate data includes incomplete data, so data subjects can also request that the controller completes any partial data, which might be achieved by providing the controller with a supplementary statement.
As this right is closely linked to the right to access, it would be sensible to link the processes used to support these two rights. For instance, if your customers view their personal data online, you might use the same web interface to allow your customers to edit their personal data.
The right to be forgotten
Under Article 17 of the GDPR, data subjects can request that information be erased if they withdraw consent or there is an issue with the underlying legality of the processing.
Organisations will not have many options for refusing to remove personal data. This could be especially problematic for data collected over an extended period of time or in a variety of formats. It’s vital either to establish a process or to review your current processing activities to ensure all such data can be permanently deleted as and when it is necessary. Data mapping, as described in Chapter 7, will also be essential to ensuring that you can identify all locations from which data will need to be erased.
The right to erasure can be exercised under a number of circumstances. Where the DPD simply required data to be deleted “as appropriate”144, the GDPR states that the data subject can have the personal data erased “without undue delay” under a number of specific circumstances145:
- When the personal data are no longer necessary for the purpose they were collected or otherwise processed.
- If the data subject withdraws consent to processing, assuming there is no other legal justification for processing.
- If the data subject objects to processing based on legitimate interests and the controller cannot demonstrate any overriding legitimate grounds for the processing.
- If the data must be erased under a legal obligation in the European Union or Member State law that applies to the controller.
- If the data was collected in relation to “information society services”146.
- If the data has been unlawfully processed, in breach of the Regulation.
While the conditions for erasure may seem relatively straightforward, the complete removal of an individual’s personal data is more complicated, particularly within the online world. If the controller has made personal data public or passed the data on to other processors, it must inform those other processors of the erasure request. Anyone who understands the Internet will recognise that removing all references to a person from every webpage, news article, search results page or database is likely an impossible task.
The complexity of handling erasure requests is reflected in Article 17 of the GDPR, which states that the controller is obliged to erase the personal data that has been made available to the public by “taking account of available technology and the cost of implementation, [and taking] reasonable steps, including technical measures, to inform controllers which are processing the personal data that the data subject has requested the erasure by such controllers of any links to, or copy or replication of, those personal data”147.
The obligation to take “reasonable steps” makes erasure requests a more achievable goal for most organisations and strengthens the data subject’s rights in the digital landscape.
Furthermore, organisations are not automatically obliged to fulfil deletion requests under the GDPR if holding or processing the personal data is necessary:
- to protect the right of freedom of expression and information,
- to comply with a European Union or Member State legal obligation,
- to perform a task in the wider public interest or exercise of official authority,
- for public health reasons,
- for archiving, scientific or historical research or statistical purposes,
- for the establishment, exercise or defence of legal claims.148
It is possible, of course, that the supervisory authority will disagree that your particular basis for refusing to erase the data meets these criteria, so it may be necessary to liaise with it on the finer points of the exemptions.
The right to restriction of processing
The right to restriction of processing effectively allows data subjects, under certain specific circumstances, to prevent controllers from conducting specific processing of their data. It means that, although an organisation can store the personal data, it cannot process the data unless the individual gives their consent to lift the restriction or the processing is necessary for the establishment of legal claims, to protect the right of another person or in the interests of the wider public.
Organisations may need to consider what changes are required to address the logistical issues presented by this right. For example, an organisation may have to segregate the affected data from standard data processing systems, which may require additional functionality and storage resources.
If the data has been disclosed to any third parties, these third-party recipients must be notified of the restriction to further processing as far as is reasonably possible.
An individual has the right to restrict the processing of their data if:
- they contest the accuracy of the personal data, thereby restricting processing for long enough to allow the controller to verify its accuracy;
- the processing of the data is unlawful, but the data subject does not want their data to be erased and instead requests the restriction of its use;
- the controller no longer needs the personal data for the purposes of processing, but the data subject requires that data to establish, exercise or defend legal claims (this condition could require controllers working in certain sectors to retain records of former customers);
- the data subject objects to the processing of their data in accordance with the right to object and restriction is used while the controller seeks to verify the legitimate grounds for continuing processing.149
Your internal process for responding to restriction requests therefore needs to include a step where the grounds for the request are compared with the criteria for restriction, and a formal sign-off process to ensure that appropriate decisions are taken and implemented.
Restrictions are not explicitly required to be permanent, so you should ensure that whatever mechanism you use to suspend processing of personal data can be reversed.
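One way to implement the reversible suspension, the recipient notification and the sign-off check described in this section is a restriction flag attached to the subject's record, evaluated before any processing runs. This is an added example, not the book's code; the ground and purpose labels, class names and the audit format are assumptions.

```python
"""Reversible restriction-of-processing flag modelled on Article 18 (added example)."""
from __future__ import annotations

from dataclasses import dataclass, field
from datetime import date

# Article 18(1) grounds, in the order the text lists them.
RESTRICTION_GROUNDS = {
    "accuracy_contested",          # pending the controller's verification of accuracy
    "unlawful_but_no_erasure",     # subject prefers restriction to erasure
    "needed_for_legal_claims",     # controller no longer needs it, subject does
    "objection_pending",           # pending verification of overriding legitimate grounds
}
# Processing that may continue while restricted, apart from plain storage.
PERMITTED_WHILE_RESTRICTED = {"legal_claims", "protect_another_person", "public_interest"}


@dataclass
class Restriction:
    ground: str
    imposed_on: date
    recipients_notified: list[str] = field(default_factory=list)
    lifted_on: date | None = None
    lift_reason: str | None = None

    @property
    def active(self) -> bool:
        return self.lifted_on is None


@dataclass
class SubjectRecord:
    subject_id: str
    recipients: list[str]                 # third parties the data has been disclosed to
    restriction: Restriction | None = None
    audit: list[str] = field(default_factory=list)

    def restrict(self, ground: str, on: date) -> Restriction:
        """Impose a restriction once sign-off has matched the request to an Article 18 ground."""
        if ground not in RESTRICTION_GROUNDS:
            raise ValueError(f"'{ground}' is not an Article 18(1) ground")
        self.restriction = Restriction(ground, on, recipients_notified=list(self.recipients))
        self.audit.append(f"{on}: restricted ({ground}); notified {self.recipients}")
        return self.restriction

    def lift(self, on: date, reason: str) -> None:
        """Reverse the restriction, e.g. on the subject's consent or once accuracy is verified."""
        if self.restriction is None or not self.restriction.active:
            raise ValueError("no active restriction to lift")
        self.restriction.lifted_on, self.restriction.lift_reason = on, reason
        self.audit.append(f"{on}: restriction lifted ({reason})")

    def may_process(self, purpose: str) -> bool:
        """Storage is always allowed; anything else is blocked while a restriction is active
        unless the purpose is one of the Article 18(2) exceptions."""
        if purpose == "storage":
            return True
        r = self.restriction
        if r is None or not r.active:
            return True
        return purpose in PERMITTED_WHILE_RESTRICTED
```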
The right to data portability
Under the right to data portability, data subjects can request copies of their personal data in a useful electronic format. This right aims to improve the accessibility of information, and is stated in the GDPR as below:
The data subject shall have the right to receive the personal data concerning him or her, which he or she has provided to a controller, in a structured, commonly used and machine-readable format and have the right to transmit those data to another controller without hindrance from the controller to which the personal data have been provided.150
The right to data portability ensures that the data subject can see the specific data that the controller holds, as well as being able to transfer that data to another controller. For instance, if the data subject is trying to change banks, they will be able to readily obtain all of the pertinent information that their new bank needs.
This right only applies where the original processing is based on the data subject’s consent or fulfilment of a contract they are party to, and if the processing is automated. It also only applies to data that the data subject has provided to the data controller themselves.151 This is a reasonably narrow specification, so organisations shouldn’t need to suddenly start digging out data that hasn’t been processed using an automated system.
Handling requests to transfer data between controllers is common practice throughout many parts of Europe, and will now be required of all organisations. While it might not be particularly relevant to some businesses, it could be burdensome for others. Of course, this right also presents an opportunity to attract customers from competitors by, for example, removing the existing difficulties of setting up a new account.
The GDPR does not give specific guidance as to data transfer formats, but it is likely that common, readily accessible formats like CSV will be acceptable to both the data subject and the supervisory authority.
If the data being transferred relates to more than one individual, the transfer must not “adversely affect the rights and freedoms of others”152. Resolving this may require you to re-evaluate how data is stored so that individual data subjects can be segregated. It may also involve applying some sort of anonymisation or, in some cases, determining whether it is even possible to provide this data without harming other data subjects’ rights and freedoms.
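The scoping rules in this section (consent or contract as the lawful basis, automated processing, data the subject provided or, per the Article 29 Working Party guidance in note 151, that was observed from their activity, and nothing that would disclose another person's data) can be applied mechanically before anything is serialised to CSV or JSON. This is an added example, not the book's code; the record layout, the origin labels and the sample banking record are constructed for illustration.

```python
"""Scope and serialise an Article 20 data-portability export (added example)."""
import csv
import io
import json
from dataclasses import dataclass

# Portability applies only where processing rests on consent or a contract with the subject.
PORTABLE_BASES = {"consent", "contract"}
# Data the subject provided, or that was observed from their activity, is in scope;
# data inferred by the controller (scores, segments) is not.
PORTABLE_ORIGINS = {"provided", "observed"}


@dataclass(frozen=True)
class DataItem:
    name: str
    value: object
    origin: str                 # "provided", "observed" or "inferred"
    lawful_basis: str           # "consent", "contract", "legitimate_interests", ...
    automated: bool             # processed by automated means (paper-only records are out)
    about_others: bool = False  # would disclose another individual's personal data


def scope_export(items):
    """Split a subject's record into portable items and excluded items with the reason."""
    portable, excluded = [], {}
    for item in items:
        if item.origin not in PORTABLE_ORIGINS:
            excluded[item.name] = "inferred by the controller, not provided by the subject"
        elif item.lawful_basis not in PORTABLE_BASES:
            excluded[item.name] = f"lawful basis '{item.lawful_basis}' is outside Article 20"
        elif not item.automated:
            excluded[item.name] = "not processed by automated means"
        elif item.about_others:
            excluded[item.name] = "would adversely affect the rights of another data subject"
        else:
            portable.append(item)
    return portable, excluded


def to_csv(portable) -> str:
    """Structured, commonly used, machine-readable: one row per field."""
    buf = io.StringIO()
    writer = csv.writer(buf, lineterminator="\n")
    writer.writerow(["field", "value", "origin"])
    for item in portable:
        writer.writerow([item.name, item.value, item.origin])
    return buf.getvalue()


def to_json(portable) -> str:
    return json.dumps({i.name: i.value for i in portable}, indent=2, sort_keys=True)


# Constructed sample record for a retail-banking customer (hypothetical values).
SAMPLE_RECORD = [
    DataItem("full_name", "A. Example", "provided", "contract", True),
    DataItem("email", "a.example@example.org", "provided", "consent", True),
    DataItem("login_history", ["2018-05-01", "2018-05-03"], "observed", "contract", True),
    DataItem("credit_score", 712, "inferred", "legitimate_interests", True),
    DataItem("branch_visit_note", "asked about mortgages", "provided", "contract", False),
    DataItem("joint_holder_name", "B. Other", "provided", "contract", True, about_others=True),
]

if __name__ == "__main__":
    kept, dropped = scope_export(SAMPLE_RECORD)
    print(to_csv(kept))
    print(json.dumps(dropped, indent=2))
```

The excluded dictionary doubles as the written explanation to the data subject of what was left out and why.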
The right to object
Under the GDPR, once a data subject raises an objection, the onus is on the controller to demonstrate “legitimate grounds for the processing which override the interests, rights and freedoms of the data subject or for the establishment, exercise or defence of legal claims”153. Until this justification is provided, processing of that personal data must be suspended.
Individuals can object to specific types of data processing, including direct marketing, processing based on legitimate interests or in the wider public interest, and processing for research or statistical purposes. Only the right to object to direct marketing is absolute, so organisations that process data for the purposes of direct marketing should develop a simple method of removing an individual’s personal data from the set of data being processed154.
Organisations also have an obligation to inform data subjects of their right to object. This notification must “be presented clearly and separately from any other information”155 when the controller first communicates with the data subject. For online services, there must be an automated way for individuals to raise their right to object.
The Regulation obliges controllers to prove the need for data processing; to ensure clear and separate communication at the first point of contact; and to provide an automated method to object to processing as part of online services. You should address this obligation by auditing your data protection notices and policies to ensure individuals are told about their right to object, and by putting processes in place that enable you to respond to data subjects’ requests. It will be difficult to comply with the law if you cannot find ways to quickly and effectively suspend processing of an individual’s personal data.
The right to appropriate decision making
Data subjects have the right “not to be subject to a decision based solely on automated processing, including profiling, which produces legal effects concerning [them] or similarly significantly affects [them]”156.
This right is similar to the equivalent rules under the DPD, which protect individuals from automated processing “intended to evaluate certain personal aspects relating to him, such as his performance at work, creditworthiness, reliability, conduct, etc.”157. This is slightly narrower than the protections afforded under the GDPR, which refers to the broader “legal effects”.
Under the Regulation, individuals must be able to trigger human intervention, express their point of view and obtain an explanation for a decision, and have the right to contest the resulting decision.
However, automated processing can take place if authorised by a European Union or Member State law158. The law itself must contain suitable measures to safeguard the individual’s rights and freedoms and legitimate interests.
Further grounds on which automated processing can take place revolve around the fulfilment of a contract between the data subject and the controller, or if that individual has given explicit consent. To gain explicit consent, you’ll need to ensure that it is very clear to the data subject what they are agreeing to: simply adding a reference to profiling into a consent form, for instance, isn’t likely to pass any sort of legal test.
Where you are exempt from this right by contract or by consent, you’ll need to ensure that you implement “suitable measures to safeguard the data subject’s rights and freedoms and legitimate interests”159. These should be assessed during any relevant DPIA and included as critical parts of your privacy compliance framework. Once again, remember that the data subjects’ rights have primacy over almost all other concerns, and breaches of those rights can result in the largest administrative fines.
131 GDPR, Article 77.
132 GDPR, Article 79.
134 GDPR, Article 12, Clause 1.
135 DPD, Article 12 a.
136 GDPR, Article 4, Clause 26.
137 GDPR, Article 15, Clause 1, and DPD, Article 12.
138 GDPR, Article 12, Clause 3.
139 DPD, Article 12 a.
140 GDPR, Recital 59 and Article 12, Clause 1.
141 GDPR, Article 12, Clause 5.
142 GDPR, Article 83, Clause 5.
143 GDPR, Article 16.
144 DPD, Article 12 b.
145 GDPR, Article 17, Clause 1.
146 An information society service is defined in the EU’s Information Society Directive as “any service normally provided for remuneration, at a distance, by electronic means and at the individual request of a recipient of services”. In other words, most services provided over the Internet.
147 GDPR, Article 17, Clause 2.
148 GDPR, Article 17, Clause 3.
149 GDPR, Article 18, Clause 1.
150 GDPR, Article 20, Clause 1.
151 The Article 29 Working Party has provided guidance in this area stating that it applies to information the data subject has knowingly and actively provided to the controller, but could also include data that may be observed from the data subject’s activity (http://ec.europa.eu/newsroom/just/item-detail.cfm?item_id=50083).
152 GDPR, Article 20, Clause 4.
153 GDPR, Article 21, Clause 1.
154 GDPR, Article 21, Clauses 2-3.
155 GDPR, Article 21, Clause 4.
156 GDPR, Article 22, Clause 1.
157 DPD, Article 15, Clause 1.
158 GDPR, Article 22, Clause 2 b.
159 GDPR, Article 22, Clause 3.