Data Subject Rights Flashcards
(28 cards)
List data subject rights under GDPR
Rights to:
Access and rectification
Data portability
Erasure
Restriction of processing
Object to processing
Decisions based on automated processing
Right to access and rectification (include GDPR article)
Article 15
Provides data subject with entitlements to certain information, obtainable from the controller upon request. Obtaining this information should be free of charge for the data subject, unless the controller is asked to make additional copies of data, in which case, a reasonable admin fee may be charged.
What is the controller obligated to do with the right to access and rectification?
Verify the identity of the data subject and then once verified, provide the data in the same form it was requested
What are some suggestions for the controller to have in place to comply with the right to access and rectification?
Not required, but having procedures in place for employees to follow in the handling of subject access and rectification requests can help ensure compliance. Procedures may concern the allocation of responsibilities, rules around authentication of the person making the request, the manner for submitting a request, the types of data that may not be disclosed, time limits for a response, and/or how to handle special circumstances. Companies should also make sure to have training, and sufficient resources in place, and a monitoring plan to ensure compliance
What are some potential limitations to the right to access and rectification?
As set out in Article 16: the controller needs to take reasonable steps to verify the requester. Also includes the need to protect others’ rights and freedoms, including the data controller.
Personal data of a data subject that reveals personal data of another individual or that exposes confidential information may be exempt from disclosure.
What does the GDPR allow data subjects to access in addition to a copy of their personal data?
Details that were provided up front in the privacy notice, including:
Confirmation of processing (i.e. confirmation that the personal data is being or was processed)
The purpose of the processing (why)
The categories of personal data processed (what)
Recipients or categories of recipients of the personal data (in particular those in third countries or in international organizations) (who)
The retention period or criteria used to determine the period (when)
Information about data subject rights to: rectification, erasure, restriction, object to processing, and lodge complaints with a supervisory authority.
Any information about the source of the data (if not the data subject)
The existence of automated decision-making and information about the logic involved and the consequences
Info about appropriate safeguards for data transferred to a third country or international organization
Right to rectification timeline
Without undue delay, generally within one month
Up to two additional months with notification to the data subject with reason for the delay within one month of the request
What must occur if the controller decides not to rectify the data?
Must provide the data subject the reason for not rectifying without undue delay and within one month of the request, and the data subject has the right to lodge a complaint with a supervisory authority and seek judicial remedy
What is the right to data portability?
Right for an individual to write to an organization and request a copy of the information in a commonly structured and machine readable form
When does the right to data portability apply?
Narrow applicability. It only applies if:
-the basis for processing is 1) consent or 2) contractual necessity
And it is only related to electronic processing and to personal data from the data subject, collected from the data subject themselves (not data derived/inferred from the data provided)
What are the controller’s obligations with the right of data portability?
To provide the data in a structured, commonly used and machine readable format AND to help the individual transfer the data to another organization
What is the purpose of the right to data portability and what are some benefits?
- The right for data subjects to “obtain and re-use ‘their’ data for their own purposes across different services
- Benefits: consumer empowerment, opportunities for innovation, and opportunities for sharing of personal data between data controllers in a safe and secure manner under the control of the data subject
What does the exercise of the right to data portability allow?
What is the right to be forgotten/erasure (include article)?
Article 17
Provides data subject right to request that their data be erased and therefore, no longer processed.
When may a data subject request erasure?
Data subjects may request erasure if:
- The personal data is no longer processed for the purpose in which it was collected
- The processing is based on consent and the data subject withdraws that consent
- If the processing is based on the controller’s legitimate interest and the data subject objects to the processing
- If the processing is unlawful
- If the data must be erased for compliance with EU or member state law
- If consent was given when the data subject was a child and the consent is withdrawn
What are exemptions to the right to erasure?
Member states may create exemptions for national security, crime prevention, and protection of others’ rights and freedoms (including the controller’s)
Compliance wit EU or member state law for a task in the public interest or as part of the controller’s official authority
Public health purposes
Archiving in the public interst, scientific or historical research, or statistical purposes (if erasure seriously impairs the objectives)
Establishment, exercise, or defense of legal claims
Also the exercise of the right of freedom and information
Recital 66 to the GDPR (and potential difficulties)
Recital 66: Third-party follow up on the right to erasure
Applies when data has been made public by a controller.
If the data subject requests erasure in this case, the original controller must take reasonable steps to inform the controllers which are processing such personal data to erase any links to, or copies or replications of those personal data.
Potential difficulties:
Determining all of the data’s recipients, informing all other controllers (which may result in increased exposure), and objections from controllers based on the fundamental right to freedom of expression and information
What is the right to restriction of processing (include article)?
Article 18
Right to Restriction:
Allows for personal data to continue being stored without being further processed. Provides an alternative to erasure if storing:
-is legally required
-ensures the protection of another person’s right
-is in the public interset
Article 4(3) defines restriction as: “the marking of stored personal data with the aim of limiting their processing in the future”
What are some possible methods of restricting the processing of data?
Possible methods of restriction (not mandated):
- making the personal data temporarily unavailable
- noting the restriction in the system
- moving the data to a separate system
- using the data under narrow conditions
When may a data subject request restriction of processing?
Data subjects may request restriction if:
- the accuracy of the data is contested and controller needs time to verify accuracy
- the processing of data is unlawful, but data subject prefers restriction to erasure
- Data is not needed by controller, but needed by data subject for legal claims
- Data subject objects to further processing pending the controller’s attempt to verify legitimate grounds
When is restriction an alternative to erasure?
Provides an alternative to erasure if storing:
- is legally required
- ensures the protection of another person’s right
- is in the public interest
What is a controller’s obligation to the data subject when lifting restriction?
Must inform a data subject before a restriction on processing is lifted
Exceptions to the restriction on processing
Once restricted, personal data can only be processed with new consent from the data subject to:
- exercise or defend legal claims
- protect the rights of another person
- for public interest reasons
When is the right to object applicable (include article)
Article 21
Only applicable if the data processing fall into one of three categories:
1) Direct marketing: data subject may object at any time to the processing of their personal data for direct marketing purposes. This right is absolute and should cause the controller to cease processing. Includes restricting profiling.
2) Public interest or legitimate interests: May object to processing based on the public interest or the controller’s legitimate interests based on grounds related to the individual’s particular situation. The controller then has the burden to demonstrate that it has compelling legitimate interests for processing the data that override the individual’s interests, rights and freedoms.
3) Research or statistical purposes: May object to processing based on these purposes on grounds relating to their particular situation. The right is overridden if the processing is necessary for the performance of a task carried out in the public interest.
