Toolkit for the EU GDPR – 3) Individual Rights

published on February 14, 2018

This note is an overview of the rights of individual data subjects under the GDPR. The GDPR enhances the rights provided under the current UK Data Protection Act 1998 and provides individuals with further rights such as the right to erasure, the right to restrict data processing (under certain circumstances) and the right to data portability. These rights will explored in further detail within this toolkit.

Individual rights

The individual rights provided by the GDPR can be broken down as follows: 

• The right to be informed;

• The right of access;

• The right to rectification;

• The right to erasure;

• The right to restrict processing;

• The right to data portability;

• The right to object; and

• Rights in relation to automated decision making and profiling.

Data subjects should be made aware of their rights and it is recommended that clear processes are in place in order to deal with any individual requests properly and within the time frames set out in the GDPR which need to be adhered to.

 
Any requests made by the data subject should be actioned without delay and at the latest within one month of receipt. This period can be extended by a further two calendar months if the request is complex or numerous however the individual requesting their personal data should be made aware that an extension is required within the initial one calender month period (and should receive reasons as to why an extension is needed). These reasons must be genuine. Further, if the time frame is being extended, the data controller should  inform the data subject of their rights to complain to the supervisory authority (in the UK this will be the I.C.O) and seek judicial remedy.

It is therefore important to have internal procedures in place to be able to deal with any requests within the time period.

What do these rights mean?

The right to be informed

The GDPR emphasises the need for transparency over how personal data is used. The right to be informed relates to the GDPR principle of processing personal data in a lawful, fair and in a trans-parent manner (please see our toolkit on the six principles of the GDPR ). The data subject has the right to be informed of how and why their data is being processed. The information which should be provided will vary depen-ding on whether the personal data is obtained directly  or indirectly from the data subject.

With regards to collecting personal data directly from an individual, the data controller should provide the following information (before collecting the personal data):

• Their identity and contact details (or, if applicable EU representative’s details);
• Their Data Protection Officer‘s contact details (if applicable);
• The purposes for which they are processing personal data (including their legal basis for processing the data and any justification for processing this data);
• Who the recipients of any personal data will be;
• Whether there is an intention to transfer any personal data outside of the jurisdiction and on what basis this transfer is legal;
• How long they will store the personal data for;
• Whether the individual must provide the personal data, for example, to enter into a contract or for other legal grounds. The consequences of the individual not providing their personal data should also be ex-plained (i.e. cannot enter into the contract without delivery address);
• Whether they use automated decision making and, if so, how this is used and the consequences for the individual; and
• The individuals‘ rights including how to withdraw their consent and make a complaint.
• This information should be concise, transparent and easily accessible. It is important that it is easily legible and written in clear and plain language so that it can be understood by the data subject. This information must also be provided free of charge.

If the data controller intends to use the personal data for a purpose different than it originally collected it for, it must provide notice of the new purpose to the data subject before processing the personal data for this purpose.

This right to be informed also includes right to be informed of any data protection breach.

The right of access

Data subjects have the right to access their personal data and other supplementary information. This supplementary information is set out in article 15 of the GDPR and includes confirmation that their data is being processed.

Before actioning a subject access request, the identity of the individual making such request should be verified using ‚reasonable‘ means. It is important that personal data is not disclosed to someone who does not have the right to see it. This would be a breach of security under GDPR. As outlined below, under the GDPR there is an accountability requirement, it is therefore important to be able to demonstrate that there are procedures in place to prevent a breach of security.

Under the GDPR rules, information requested should be provided free of charge (previously the data controller was able to charge an admin fee of up to £10). This being said, a data controller may charge a reasonable fee in dealing with requests which are manifestly unfounded or excessive (there is also an option to refuse to provide the information in these circumstances however this toolkit will not look into the scope of circumstances where this applies or what is considered unfounded or excessive). A fee may also be charged if the data controller is asked to provide further copies of the same information (within the same subject access request). Any fee charged must be based on the administrative cost of providing the information.

The GDPR provides that information requests made electronically should have the information provided in a com-monly used electronic format (unless the data subject requests otherwise). Further the GDPR recommendations, where practicable, that data is provided to the subject using a remote and secure service that allows the individual direct access to their personal data (i.e. an electronic data room) however, in practice, this may not be suitable for all organisations.

The right to rectification

The data subject has the right for any personal data processed to be correct, up to date and complete. The data subject may therefore request that any personal data held is amended.

If a data subject makes a request to have their personal data amended (on the basis that it is inaccurate or incom-plete) the data controller should respond to such a request within one calendar month. As with the time frames for right of access above, this time limit may be extended by a further two calendar months if the request is complex, however, the data controller should inform the data subject that this is the case within the initial one calendar month period.

As with subject access requests, there will be circumstances where the data controller may not rectify the informa-tion held (however the details of this will not be discussed within this toolkit). In this scenario, the data controller must inform the data subject of their rights to complain to the supervisory authority (in the UK this will be the I.C.O) and seek judicial remedy.

It is important to note, that if any rectification of the data subject‘s personal information is completed, any personal data which has been transferred or disclosed to third parties should also be amended. Therefore, where possible, the data controller should notify the third party of these amendments.

The right to erasure

This is also known as the right to be forgotten. In the following circumstances the data subject may request that their personal data is erased:

• The processing of the data subjects personal data is no longer necessary for the purpose for which the data controller collected it for;
• The data subject has withdrawn their consent for the processing of their personal data and no other lawful basis for processing the personal data or no overriding legitimate interest applies;
• The data subject wishes to have their personal data erased for the purposes of direct marketing;
• The data controller is unlawfully processing the data subject’s personal data (in breach of the GDPR);
• The data subjects personal information has to be erased in order to comply with a legal obligation; and/or
• The personal data is processed in relation to the offer of information society services (online services) to a child.

Once a data subject requests erasure for one of the above reasons, the data controller must erase it without delay unless continued retention is necessary for:

• Exercising the right of freedom of expression and information;
• Complying with a legal obligation under EU or member state law;
• The performance of a task carried out in the public interest;
• Exercising official authority vested in the data controller;
• Public health reasons consistent with the exceptions for processing sensitive personal data such as health information;
• Archiving purposes in the public interest, scientific or historical research purposes, or statistical purposes, under certain circumstances; and/or
• The establishment, exercise, or defence of a legal claim (however personal data should not be held on the basis that there may be a legal claim in the future).

If the data subject’s right of erasure applies and the data controller has disclosed the personal data to third parties, the data controller must inform the third party that the data should be erased (unless this is impossible or is dis-proportionate in the circumstances).

The right to restrict processing

Data subjects may request that the processing of their personal data is restricted in the following circumstances:

• If the data subject contests the accuracy of their personal data, the data controller must restrict processing the contested data until the data’s accuracy can be verified;
• If the data controller is unlawfully processing the data subject’s personal data, instead of the using their right of erasure, the data subject may request that the processing of their personal data is restricted ;
• If the data controller no longer requires to process the personal data however the data subject requires the personal data for the establishment, exercise or defence of a legal claim; or
• If the data subject objects to the processing of their personal data (please see right of objection) however the data controller is processing the data subject’s personal data on the basis that it is necessary for the performance of a public interest task or on the basis of a legitimate interest; the data subject can request that processing of their personal data is restricted whilst the data controller considers whether legitimate grounds for processing override the rights of the individual.

During this restriction period, the data controller may continue to store the personal data however they can no longer actively process it. The data controller is however, able to hold enough data to note on their file that a restriction on processing is in place, to establish, exercise or defend legal claims, to protect the rights of another individual (legal or corporate) or for important public interest purposes. If the data controller has disclosed any of the data subject’s personal data (which is subject to the restriction) to a third party, the third party should be notified of this restriction unless it is impossible or disproportionate to do so. Again, there are strict time frames to comply with.

The right to data portability

The right to data portability is a new right which is being introduced by the GDPR. It will allow data subjects to re-use their personal data across different organisations by moving their personal data from one IT systems to another (where possible). This must be done in a safe and secure way. There is no obligation on a data controller to adopt technical systems which are compatible with other organisations.

This right to data portability only applies to personal data which is automated and is being processed on the grounds of the individual’s consent or for the performance of a contract.

 
If the personal data concerned has data regarding more than one individual, it must be determined whether pro-viding the personal data in question could prejudice the rights of the other individuals.

The right to object

The GDPR provides data subjects with the right to object to data processing under certain circumstances, including, but not limited to:

• For direct marketing purposes; and/or
• For scientific, statistical or historical research (unless the research is carried out in the public interest).
   

Rights in relation to automated decision making and profiling

Data subjects have the right to not be subject to automated decision-making, including profiling, which has legal or other significant effects on the data subject. This right does not apply when the automated decision is:

• Necessary for entering into or performing a contract with the data subject;
• Authorized by EU or member state law applicable to the data controller if the law requires suitable measures to safeguard the data subject’s rights and freedoms and legitimate interests; or
• Based on explicit data subject consent.

 
If the data controller is processing personal data by automated means, they must provide any personal data in a commonly used and computer readable format.

Accountability and documentation

The GDPR creates an accountability obligation where the data controller must be able to demonstrate their com-pliance with the GDPR through evidence.  This requires more than having policies in place. It is recommended that employees receive training on data protection matters (including internal policies), that policies are tested to ensure they are effective (and any test results are used to demonstrate continuous improvement) and that the technology and processes used are reviewed to ensure it is sufficient to ensure compliance with the GDPR. Any documentation which evidences compliance with the GDPR should be kept.