GDPR Subject Rights
The main reason the GDPR was created in the first place was to regulate how the personal data of EU citizens is controlled and processed, and in that respect it gives people, in their capacity as EU citizens, a range of specific rights with regard to their personal data. The citizens, or data subjects – as we are going to refer to them in this article – can exercise these rights under particular conditions, and the data controllers – the organisations – must enable them to do so. This is, in fact, one of the requirements of GDPR compliance. While some of these rights already existed under the previous data protection law, several others are unique to the GDPR, and in this article we will take a look at all of them. The data rights include:
The right to be informed – this right allows data subjects to know what data about them is collected, why it is being collected, who is collecting it, how long it will be kept, with whom it is shared, and lastly, how they can complain whenever issues arise. All of this information must be communicated to the data subjects clearly and beforehand.
Right of access – EU citizens have the right to submit data access requests to find out whether and how their data is being processed by an organisation. When that happens, the organisation is required to provide the following information:
- The purpose of the data processing
- The categories of data being processed
- With whom the data is being shared
- Information regarding their GDPR rights
- The data retention period
- The source of the data being processed, especially if the data was not collected from the individual.
Right to rectification – data subjects also have the right to have their personal data rectified at any time when they find inconsistencies or inaccurate data, or when the data is incomplete and they want to update the information. There are instances where the organisation itself notices and confirms the inaccuracy; in that case, it will notify the data subjects, who will be required to respond within a month, and the individual will then allow the organisation to rectify the data. This may, however, present a number of operational challenges for the organisation, as rectifying one record may have an impact on the entire database.
The right to be forgotten – also known as the right to erasure, it allows the individuals to ask for specific data to be erased, especially if:
- The data is no longer necessary
- The individual withdraws consent
- The data was processed unlawfully
- The individual objects to data processing and the controller doesn’t have any reason to continue processing
- The erasure is necessary for GDPR compliance
However, there are instances when the data controller may decline the request, especially if the public interest is involved or when complying with legal obligations. Whenever a data subject exercises their right to erasure, the data controller is obliged to notify any third parties with whom the data was shared so that they erase the data as well.
The right to restrict processing – under the GDPR, individuals can now limit how an organisation processes their personal data. This means that the organisation has to refrain from processing the data without the individual’s consent. This applies when:
- The data to be processed is inaccurate
- The processing doesn’t adhere to any lawful basis
- The controller no longer needs the data, but the data subject wants it to be preserved for future use
- The controller wants to verify a data erasure request
Once a data subject exercises his/her right to restrict processing, the organisation is not allowed to process the data except with the consent of the individual, in connection with a legal claim, or to protect the rights of other people.
The right to data portability – data portability allows individuals to obtain the data they previously provided to the data controller in a structured, commonly used and machine-readable format. In exercising this right, data subjects can also request that their personal data be transferred directly to another organisation. Keep in mind that this only applies to data the individuals provided to the organisation, either under a contract or by consent. It may also include data related to the individual’s behaviour, including location data, search queries, or even website history.
The right to object to processing – the individual can also object to the processing of specific data at any point in time, depending on aspects of the processing such as its lawful basis and its purpose. Even where the processing rests on legitimate interests, such as legal purposes, or is in the interest of the public, the data subject is within his/her rights to object to it.
The right to reject/accept automated decision making and profiling – as we have already mentioned, the GDPR introduced several strict rules on the processing of personal data, especially processing carried out without involving the data subjects. This includes various types of profiling, such as evaluating specific personal aspects in order to analyse and predict individual behaviour: performance at work, health, interests, personal preferences, location, reliability, or conduct. In this respect, data subjects now have the right to reject automated individual decision making, especially if it produces a legal effect that directly and significantly affects them.
Are the rights of data subjects under GDPR absolute?
Well, no, they are not! This is a pretty common misconception and it’s not true. Now, under no circumstances will these rights ever be lost, and we have to admit that they have transformed how organisations handle EU citizens’ personal data. But while these rights are assured under the GDPR, there are certain conditions under which they won’t be granted. For instance, the right to restrict the processing of personal data can’t be exercised where the purpose of the processing is the prevention, investigation, prosecution or detection of criminal offences. Likewise, if data is being processed with the aim of preventing threats to public security, the data subjects won’t be able to exercise their right to restrict the processing. In another instance, the right to access personal data is, of course, exercised by a lot of individuals, and this is well within the GDPR; however, if that access adversely affects the rights and freedoms of other people, it won’t be allowed.
So, as you can see, the rights of data subjects are not absolute. There are times when the rights will be allowed, and there are times they will be denied. There are also times when there might be charges applied before the data subjects’ rights are granted. Organisations must be aware of this and react accordingly.
What happens when organisations violate data subject rights?
If an organisation, as a data controller, violates the rights of individuals, it attracts some of the toughest penalties. Under the GDPR, an organisation can be fined up to 20 million euros, or up to 4% of its total global turnover – whichever is higher. And that’s not all: this does not yet take into account the reputational damage the organisation will suffer as a result. So this is a real risk, and organisations must be very careful when it comes to GDPR compliance.
Yes, the practical burden of the GDPR may fall largely on organisations, as they are mostly the data controllers and processors, but the truth is that the spirit of the regulation is all about protecting the data subjects. This is why clear rights were stated in the law and heavy penalties were introduced. Each of the data subject rights reflects the principles of transparency and accountability woven through the entire legislation, from accessing the data, to updating it, and lastly, to restricting or objecting to its processing in some cases. The eight data subject rights must be upheld by data controllers and processors; failure to do so constitutes a GDPR violation, which in turn attracts significant fines.