GDPR Subject Rights

The General Data Protection Regulation (GDPR) is one of the most significant legislative acts to affect data privacy globally. Adopted by the European Union (EU) in April 2016 and applicable since 25 May 2018, the GDPR was designed to harmonise data protection law across Europe while giving individuals in the EU more control over their personal data. One of the most essential elements of the GDPR is the set of rights it affords to data subjects. These rights empower individuals to manage and protect their personal data, ensuring transparency, accountability, and security in how organisations process such data. This article provides an in-depth exploration of these rights, offering a detailed understanding of how they function in practice.

Understanding GDPR in Context

Before delving into the specific rights that GDPR provides to data subjects, it is important to understand the context and the significance of this regulation. The digital age has brought about an exponential increase in the collection, storage, and processing of personal data. Organisations ranging from small businesses to multinational corporations collect vast amounts of data for various purposes, including marketing, customer relationship management, and operations. This rapid growth, however, has also increased the risk of data breaches, identity theft, and privacy invasions.

The GDPR was created to address these concerns by giving individuals more control over their personal data. It applies to organisations established in the EU and, regardless of where an organisation is based, to the processing of personal data of individuals who are in the EU (not only EU citizens) where that processing relates to offering them goods or services or to monitoring their behaviour. Non-compliance with GDPR can result in substantial fines, up to 4% of annual global turnover or €20 million, whichever is higher, underscoring the importance of adherence to its rules.

What Constitutes Personal Data?

Under GDPR, ‘personal data’ refers to any information relating to an identified or identifiable individual, also known as the ‘data subject’. This includes not only obvious identifiers like names, email addresses, and phone numbers but also less obvious data such as IP addresses, location data, and online behaviour, where these can be linked to a person. The regulation aims to ensure that this data is handled responsibly and transparently, giving individuals a greater degree of control over their information.

The Rights of Data Subjects under GDPR

There are eight key rights provided by the GDPR to data subjects. These rights are designed to protect individuals’ data privacy and give them the tools to manage how their personal data is processed by organisations. Let’s explore each of these rights in detail.

The Right to be Informed

The right to be informed ensures that data subjects are provided with clear, concise, and easily understandable information about how their personal data is being processed. This includes details about why the data is being collected, what it will be used for, and who it will be shared with. Organisations must also inform individuals of their rights regarding the data and how they can exercise those rights.

Under the GDPR, this information must be provided at the point of data collection. For instance, if a company is gathering data through a website, it must provide a privacy notice or policy that explains all the relevant details in a way that is accessible to the average user. Organisations must avoid using overly complex legal jargon and instead opt for plain language.

The Right of Access

The right of access allows individuals to request access to the personal data that an organisation holds about them. This right is crucial in ensuring transparency and giving individuals the ability to verify that their data is being processed lawfully. When a data subject makes a request, organisations must provide the following:

  • Confirmation that they are processing the individual’s personal data
  • A copy of the data being processed
  • Details of the processing, such as the purpose, categories of data, any recipients of the data, and the retention period

The GDPR stipulates that organisations must respond to access requests without undue delay, and in any event within one month of receipt. This period can be extended by two further months where necessary, taking into account the complexity and number of the requests, and the individual must be told of the extension and the reasons for it within the first month.

The Right to Rectification

Data subjects have the right to rectify inaccurate or incomplete personal data. This right is particularly important in cases where incorrect information could lead to negative consequences for the individual. For instance, if an individual’s address or contact information is incorrect, it could affect their ability to receive important communications or services.

Once a rectification request is made, the organisation is obligated to amend the data without undue delay. Like with access requests, the organisation typically has one month to respond, with a potential extension of up to two months in complex cases.

It is also worth noting that if an organisation has shared the data in question with third parties, they must inform those parties of the rectification, unless it proves impossible or involves disproportionate effort.

The Right to Erasure (The Right to be Forgotten)

The right to erasure, commonly known as the ‘right to be forgotten’, enables individuals to request the deletion of their personal data in certain circumstances. These circumstances include:

  • The data is no longer necessary for the purpose for which it was collected
  • The individual withdraws consent and there is no other legal basis for processing
  • The data has been unlawfully processed
  • The data must be erased to comply with a legal obligation

While the right to erasure is powerful, it is not absolute. There are specific exemptions, such as when the data is required for compliance with a legal obligation, for the exercise of the right to freedom of expression, or for public health purposes.

If an organisation has made the data public, such as by publishing it on a website, they are required to take reasonable steps to inform other data controllers that the individual has requested the erasure of any links or copies of the data.

The Right to Restrict Processing

In certain situations, individuals may wish to restrict the processing of their personal data without requesting its complete deletion. The right to restrict processing allows data subjects to request that an organisation limits the way it processes their data. This can be requested when:

  • The individual contests the accuracy of the data, and the organisation needs time to verify its accuracy
  • The processing is unlawful, but the individual does not want the data erased
  • The organisation no longer needs the data for its original purpose, but the individual requires it for the establishment, exercise, or defence of legal claims
  • The individual has objected to processing, and the organisation is considering whether its legitimate grounds override those of the individual

While processing is restricted, the organisation can store the data but must not process it in any other way unless the individual gives consent, the processing is necessary for legal claims, or it is in the public interest.

The Right to Data Portability

The right to data portability allows individuals to obtain and reuse their personal data across different services. This right is particularly relevant in the context of online services where individuals may wish to transfer their data from one platform to another. For example, someone may want to switch from one social media network to another or move their financial data from one banking service to a competitor.

Data subjects have the right to receive their personal data in a structured, commonly used, and machine-readable format, and they can request that the data be transferred directly from one organisation to another, where technically feasible. However, this right only applies to data processed by automated means and does not apply to paper records.

It’s also important to note that the right to data portability applies only when the processing is based on the individual’s consent or the performance of a contract.

The Right to Object

The right to object allows individuals to challenge the processing of their personal data in certain circumstances. This right is particularly relevant in situations involving direct marketing, where individuals can object to their data being used for promotional purposes.

When an individual objects to processing based on legitimate interests, an organisation must stop processing the data unless they can demonstrate compelling legitimate grounds that override the individual’s interests, rights, and freedoms. In cases involving direct marketing, however, the organisation must cease processing immediately upon receiving the objection.

Additionally, individuals can object to the use of their data for scientific or historical research or statistical purposes, unless the processing is necessary for the performance of a task carried out for reasons of public interest.

Rights Related to Automated Decision-Making and Profiling

The GDPR provides specific protections for individuals when their personal data is subject to automated decision-making processes, including profiling. Automated decision-making refers to decisions made by technological systems without human involvement, while profiling involves the automated processing of personal data to evaluate certain personal aspects, such as behaviour or preferences.

Data subjects have the right not to be subject to decisions based solely on automated processing if those decisions produce legal or similarly significant effects. There are exceptions to this rule, such as when the decision is necessary for the performance of a contract, authorised by law, or based on the individual’s explicit consent.

If an organisation engages in automated decision-making, it must implement measures to safeguard the individual’s rights, including the right to obtain human intervention, express their point of view, and contest the decision.

How to Exercise GDPR Rights

Exercising GDPR rights is relatively straightforward. Data subjects can submit a request to the organisation processing their personal data, either verbally or in writing. Organisations are required to respond within one month, although this can be extended by up to two further months in certain complex cases. Where the organisation has reasonable doubts about the identity of the person making the request, it may ask for the additional information needed to confirm that identity before acting; this matters in practice, because fulfilling an access or portability request from an impostor discloses personal data to an unauthorised party and is itself a personal data breach. Importantly, individuals do not have to pay to exercise their rights unless their requests are manifestly unfounded or excessive, in which case the organisation may charge a reasonable fee or refuse to act on the request.

If individuals believe that their GDPR rights have been violated, they can lodge a complaint with a supervisory authority, typically in the EU country where they reside, where they work, or where the alleged infringement took place. They also have the right to seek a judicial remedy if they believe their rights have been breached.

Conclusion

GDPR has fundamentally reshaped the way organisations handle personal data, placing individuals at the heart of data protection. By granting these eight key rights, GDPR empowers data subjects to take control of their personal data, ensuring that it is processed transparently, securely, and lawfully.

Understanding and exercising these rights is essential for protecting one’s privacy in the digital age. For organisations, compliance with these rights is not only a legal obligation but also a means of building trust and fostering positive relationships with customers. GDPR is more than a set of regulations—it’s a framework for ensuring fairness, transparency, and accountability in the digital landscape, offering a robust foundation for data protection in an increasingly data-driven world.
