Data subjects’ rights Flashcards
(22 cards)
Data subjects’ rights
The European Data Protection Regulation provides data subjects with rights
Art. 13-14 GDPR
Art. 15-22 GDPR
In addition,
It establishes mechanisms that enable data subjects to
challenge violations of their rights,
hold controllers responsible and
claim compensation.
Data subjects’ rights
1) RIGHT TO BE INFORMED
2) THE RIGHT TO LODGE A COMPLAINT
3) THE RIGHT OF ACCESS
4) RIGHT TO RECTIFICATION
5) RIGHT TO ERASURE
6) RIGHT TO BE FORGOTTEN
7) RIGHT TO RESTRICTION OF PROCESSING
8) RIGHT TO OBJECT
Data subjects’ rights
- RIGHT TO BE INFORMED
Controllers of processing operations are obliged to inform the data subject at the time when personal data are collected about their intended processing.
The controller must proactively comply with the obligation, regardless of whether the data subject shows interest in the information or not.
The transparency principle requires that any personal data processing should generally be transparent to individuals.
Data subjects’ rights
- RIGHT TO BE INFORMED
(Content of the information)
Under Art. 13 GDPR, when personal data are collected from the data subject, the controller is obliged to provide the following information to the data subject at the time the personal data are obtained:
- the controller’s identity and contact details, including the DPO’s details, if any;
- the purpose and legal basis for the processing, i.e. a contract or legal obligation;
- the data controller’s legitimate interest, if this provides the basis for processing;
- the personal data’s recipients or categories of recipients, if any;
- whether the data will be transferred to a third country or international organization, and whether this is based on an adequacy decision or relies upon appropriate safeguards;
Data subjects’ rights
- RIGHT TO BE INFORMED
(Content of the information - further information)
In addition to the information referred to in par. 1, the controller shall provide the data subject with the following further information:
- the period for which the personal data will be stored, and if establishing that period - is not possible, the criteria used to determine the data storage period;
- the data subjects’ rights regarding processing, such as the rights of access, rectification, erasure, and to restrict or object to processing;
- whether the provision of personal data is required by law or a contract, whether the data subject is obliged to provide his or her personal data, as well as the consequences in case of failure to provide the personal data;
- the existence of automated decision-making, including profiling;
- the right to lodge a complaint with a supervisory authority;
- the existence of the right to withdraw consent.
- In cases where the personal data is not obtained from the data subject directly, the data controller must notify the individual about the origin of the personal data.
- The controller must, among other things, inform data subjects about the existence of automated decision-making, including profiling.
- In cases where the data subject provided consent for the personal data processing, the controller must receive the data subject’s renewed consent if the data processing purpose changes or if further purposes are added.
Data subjects’ rights
- RIGHT TO BE INFORMED
(Different ways of providing information)
- concise, transparent, intelligible and easily accessible
- in writing, or by other means, including electronic means, using clear, plain and easily understandable language
- standardized icons to provide the information in an easily visible and intelligible manner
- data subjects can request to have the information provided by oral means.
- free of charge, unless the data subject’s requests are manifestly unfounded or excessive (i.e. of a repetitive nature)
- layered notices and information clauses on the controller’s home page
Data subjects’ rights
- RIGHT TO BE INFORMED
(Time of providing information)
- Where the personal data is obtained directly from the data subject,
The controller must notify the data subject about all of his or her related information and rights under the GDPR at the time the data are obtained.
- Where the personal data has not been obtained from the data subject directly,
The controller is obliged to provide the information about the processing to the data subject “within a reasonable period after obtaining the personal data, but at the latest within one month”, or before data are disclosed to a third party.
Data subjects’ rights
- THE RIGHT TO LODGE A COMPLAINT
The controller must inform data subjects about their right to lodge a complaint about a personal data breach with a supervisory authority and, if necessary, with a national court.
Data subjects’ rights
- Exemptions from the obligation to inform
if the data subject already has all of the relevant information;
where the personal data have not been obtained from the data subject, the obligation to inform will not apply if the provision of information is impossible or disproportionate;
Member States enjoy a margin of discretion under the GDPR to restrict obligations and rights provided to individuals under the regulation if this is a necessary and proportionate measure in a democratic society;
If an obligation of professional secrecy regulated by EU or Member States law applies.
Data subjects’ rights
- THE RIGHT OF ACCESS
Every data subject has a right to obtain (from the controller) confirmation as to whether or not data relating to him or her are being processed, and information about at least the following:
- processing purposes;
- categories of data concerned;
- recipients or categories of recipients to whom the data are disclosed;
- period for which the data is intended to be stored, or, if not possible, the criteria used to determine that period;
- existence of rights to rectify or to erase personal data, or to restrict personal data processing;
- right to lodge a complaint with the supervisory authority;
- any available information about the source of the data undergoing processing if the data are not collected from the data subject;
- in the case of automated decisions, the logic involved in any automated processing of data.
- The controller shall provide the data subject a copy of the personal data being processed
- Any information must be provided in an intelligible form
- Where automated decision-making is carried out, including profiling, the general logic involved in the automated decision-making will need to be explained, including the criteria which have been considered when evaluating the data subject
- It is essential that the data subject is informed, in an intelligible form, not only of the actual personal data that are being processed, but also the categories under which these personal data are processed, such as name, IP address, geolocation coordinates, credit card number, etc.
Data subjects’ rights
- RIGHT TO RECTIFICATION
- Inaccurate personal data must be rectified without undue or excessive delay
- If requests for rectification are linked to legally significant matters, the controller may be entitled to demand proof of the alleged inaccuracy
- The accuracy of personal data is essential to ensure a high level of data protection for data subjects
- Art. 16, phrase 1, GDPR:
the data subject has the right to obtain from the controller without undue delay the rectification of inaccurate personal data. - Art. 16, phrase 2, GDPR:
the data subject has the right to have incomplete personal data completed.
Data subjects’ rights
- RIGHT TO ERASURE
Under EU law, Article 17 of the GDPR gives effect to data subjects’ requests to have data erased or deleted.
The right to have one’s personal data erased without undue delay applies where:
a) the personal data are no longer necessary regarding the purposes for which they were collected or otherwise processed;
b) the data subject withdraws the consent on which the processing is based and there is no other legal ground for the processing;
c) the data subject objects to the processing and there are no overriding legitimate grounds for the processing;
d) the personal data have been unlawfully processed;
e) the personal data have to be erased for compliance with a legal obligation in Union or Member State law to which the controller is subject;
f) the personal data have been collected concerning the offer of information society services to children pursuant to Article 8 of the GDPR.
Data subjects’ rights
- RIGHT TO ERASURE (Exceptions)
The GDPR defines exceptions to the right to erasure, including where the processing of personal data is necessary for:
- exercising the right of freedom of expression and information;
- compliance with a legal obligation which requires processing by Union or Member State law to which the controller is subject, or for the performance of a task carried out in the public interest or in the exercise of official authority vested in the controller;
- reasons of public interest in the area of public health;
- archiving purposes in the public interest, scientific or historical research purposes or statistical purposes;
- the establishment, exercise or defence of legal claims.
Data subjects’ rights
- RIGHT TO BE FORGOTTEN
(Art. 17, par. 2, GDPR)
When the controller has made the personal data public and is obliged to erase them, it shall take reasonable steps, including technical measures, to inform other controllers that are processing personal data that the data subject has requested to erasure.
Data subjects’ rights
- RIGHT TO RESTRICTION OF PROCESSING
Article 18 of the GDPR empowers data subjects to temporarily restrict a controller from processing their personal data.
Data subjects can request the controller to restrict processing where:
- the accuracy of the personal data is contested;
- the processing is unlawful and the data subject requests that the use of the personal data be restricted instead of erased;
- the data must be kept for the exercise or defence of legal claims;
- a decision is pending on the legitimate interests of the data controller prevailing over the interests of the data subject.
Data subjects’ rights
- RIGHT TO OBJECT
Data subjects can invoke their right to object to personal data processing on grounds:
- relating to their particular situation
- to data processed for direct marketing purposes
- for scientific or historical research purposes or statistical purposes
Data subjects’ rights
- RIGHT TO OBJECT
(The data subjects’ particular situations)
Article 21, par. 1, GDPR empowers the data subject to raise objections on grounds relating to their particular situation where the legal basis for the processing is the controller’s performance of a task carried out in the public interest, or where the processing is based on the controller’s legitimate interests.
The right to object applies to profiling activities.
The right to object on grounds relating to the data subject’s particular situation aims to strike the correct balance between the data subject’s data protection rights and the legitimate rights of others in processing their data.
The effect of a successful objection is that the controller may no longer process the data in question. Processing operations performed on the data subject’s data prior to the objection remain legitimate.
Data subjects’ rights
- RIGHT TO OBJECT
(for direct marketing purposes)
Article 21, par. 2, GDPR provides for a specific right to object to the use of personal data for the purposes of direct marketing.
The data subject has the right to object to the use of his or her personal data for direct marketing purposes at any time and free of charge.
Data subjects must be informed of this right in a clear manner, separate from any other information.
Data subjects’ rights
- RIGHT TO OBJECT
(by automated means)
Where personal information is used and processed for information society services, the data subject may exercise his or her right to object to the processing of his or her personal data by automated means.
Information society services are defined as any service normally provided for remuneration, at a distance, by electronic means and at the individual request of a recipient of services.
Data controllers offering information society services must have in place appropriate technical arrangements and procedures to ensure that the right to object by automated means can be exercised effectively. For example, this may involve blocking cookies on web pages or turning off the tracking of internet browsing.
Data subjects’ rights
- RIGHT TO OBJECT
(for scientific or historical research purposes or statistical purposes)
The GDPR balances the requirements of scientific, statistical or historical research and the rights of data subjects with specific safeguards and derogations in Article 89. Thus, Union or Member State law may provide derogations of the right to object insofar as such right is likely to render impossible or seriously impair the achievement of the research purposes, and if such derogations are necessary for the fulfilment of those purposes.
Data subjects’ rights
- AUTOMATED DECISION-MAKING
Automated decisions are decisions taken using personal data processed solely by automatic means without any human intervention.
Data subjects must not be subject to automated decisions which produce legal effects or have similarly significant effects.
Data subjects’ rights
- AUTOMATED DECISION-MAKING
(Exceptions)
(Art. 22, par. 2, a) to c), GDPR):
processing is necessary for entering a contract or the performance of a contract between the data controller and data subject;
processing is authorised by law and if the data subject’s rights, freedoms and legitimate interests are appropriately safeguarded;
the data subject gave explicit consent.
