Module 5 - Data Subject Rights

Question 1

What are a data subject’s eight rights under GDPR?

Answer 1

Right to:
- Access;
- Rectification;
- Stop processing;
- Erasure / ‘to be forgotten’;
- Portability;
- Restriction;
- Objection;
- Not to have decisions solely based upon automated decision-making / profiling.

Question 2

What does the right to access comprise (‘DSAR’)?

Answer 2

• Confirmation of processing and access.
• Processing-related information - purpose, data categories, recipients, retention period, any additional DS rights, source any any automated decision-making.

Question 3

How quickly must a DSAR be processed?

Answer 3

• Without undue delay and within one month.
• Two-month delay may be justified and confirmed for complex or burdensome requests.
• EDPB: Applicant need not provide a reason for the request.

Question 4

What are the limitations of a DSAR?

Answer 4

• DSAR must disclose requester.
• Manifestly unfounded or requests that request the access right are not competent.
• Request scope restricted by the third party rights and freedomes (recital 63, GDPR - trade secrets and IP similarly restricted from disclosure).

Question 5

What is the right to rectification under article 16, GDPR?

Answer 5

• Must be made without undue delay.
• May be made to CORRECT INACCURATE DATA or COMPLETE INCOMPLETE DATA.

Question 6

What is the right to data portability under article 20, GDPR?

Answer 6

• Available if CONSENT or CONTRACT PERFORMANCE used as lawful processing grounds.
• Extension of ACCESS RIGHT.
• Applicable only to DIGITAL DATA and cannot affect the rights and freedoms of others.
• Entails transfer of data to data subject or ANOTHER CONTROLLER in structured, commonly-used and machine-readable formatted data.
• Data portability does NOT TRIGGER ERASURE.

Question 7

What is the right of erasure and ‘to be forgotten’ under articles 17 / 19, GDPR?

Answer 7

• Comprises CESSATION OF PROCESSING and DELETION OF PERSONAL DATA.
• Not absolute right - exercisable only if:
  1. Data NO LONGER NECESSARY;
  2. If consent has been provided, CONSENT IS WITHDRAWN;
  3. If legitimate interests-based processing is relied upon, OBJECTION IS COMMUNICATED;
  4. Processing is UNLAWFUL;
  5. Consent is withdrawn for a child in relation to information society services; OR
  6. Compliance with EU and MS law.
• Right to have public data erased exists in terms of data made public by controller.
• Right requires notification to other link-hosting controllers that DS has requested erasure (Google Spain v. AEPD / Gonzalez).

Question 8

What does the right of restriction prescribe under article 18, GDPR?

Answer 8

• Ongoing storage of data without any other further processing.
• Reconciles a requirement to store data, with DS rights and any public interest.
• Once restricted, further processing only possible only with:
  1. New DS consent;
  2. To establish or defend legal claims;
  3. To protect another; or
  4. For important public interest reasons.
• Controller must inform DS before lifting restriction.

Question 9

What is the right to object to processing provided under article 21, GDPR?

Answer 9

• Relevant in three settings, where processing based upon:
  1. Public or legitimate interest - NOT ABSOLUTE - OVERRIDE POSSIBLE if controller proves COMPELLING, LEGITIMATE INTEREST that OVERRIDES DS INTERESTS, rights and freedoms.
  2. Research of statistical purposes - NOT ABSOLUTE - OVERRIDEN if processing NECESSARY FOR TASK PERFORMED IN PUBLIC INTEREST.
  3. Direct marketing - ABSOLUTE - marketing and profiling must cease.

Question 10

What are the exemptions to the right not to be subject to a decision or profiling based solely on automated processing (producing legal effects upon the DS or significantly affecting the DS) under article 22, GDPR? (/ profiling)

Answer 10

• Three chief exemptions:
  1. Explicit consent - check EDPB guidance;
  2. Necessity for conclusion or performance of a contract; or
  3. Relief under MS law.
• For special category personal data, two chief exemptions:
  1. Explicit consent - check EDPB guidance; or
  2. Substantial public interest based upon EU or MS law.
• SAFEGUARDS must be put in place; the right is particularly robust for processing of children’s data.
• EDPB guidance - provide MEANINGFUL INFORMATION ABOUT LOGIC involved; consider use of PROFILES TO ALLOW DS CORRECTION OF INACCURACIES; explain RIGHT TO OBJECT.