The GDPR was adopted to empower data subjects and give them real control over their personal data.
It’s no surprise, thus, that a whole section of the Regulation (Chapter 3) is dedicated to the rights of the data subject.
These rights are:
- The right to be informed;
- The right to access their personal data;
- The right to rectification;
- The right to be forgotten;
- The right to restrict processing;
- The right to data portability;
- The right to object to the processing;
- The right to special guarantees concerning automated decision-making and profiling.
In this article, we’ll explore what each of these rights entails for the data subject – and which obligations arise for you, the data controller.
Right to be Informed
We’ve seen when discussing consent how much the GDPR values transparent, timely information. It’s no surprise, thus, that the first right we encounter is the right to be informed.
Articles 12, 13 and 14 GDPR set out a fairly detailed regime the data controller has to follow.
To make a long story short (but check out our article if you want to know more), as a data controller, you must tell the data subject, in plain and unambiguous language:
- Who is collecting and processing the data (meaning that you have to disclose the controller’s identity and contact details and, where one has been appointed, those of the data protection officer);
- Which categories of personal data are concerned;
- What’s the purpose of the processing;
- What are the legal bases underpinning the processing activities;
- Who the recipients (or categories of recipients) of the personal data are;
- Whether you intend to transfer the personal data to a third country or an international organization;
- How long you intend to keep the data (data retention period);
- What are the rights the data subject enjoys under the GDPR (yeah, it’s a bit meta);
- That the data subject has the right to file a complaint, and
- Whether you intend to rely on automated means in your decision-making process.
Right of Access
Under Article 15 GDPR, data subjects have the right to submit an access request to any organization that acts as a controller of their personal data.
When that happens, the data controller must confirm whether it is processing personal data relating to the individual who lodged the request.
If it is, the data controller is required to provide the data subject with a copy of their personal data and to spell out the following:
- the purpose of the processing;
- the categories of personal data concerned;
- the recipients (or categories of recipients) the data is or will be shared with, in particular recipients in third countries or international organizations;
- the data retention period;
- which other rights the data subject enjoys (with particular emphasis on the right to rectification, right to erasure, restriction of processing, and the right to lodge a complaint);
- the existence of automated decision-making, including profiling
- where the data came from (when the data was not collected directly from the individual).
All information must be in plain language: avoid jargon or technical abbreviations. Article 12 GDPR also sets the clock: you must respond without undue delay and, at the latest, within one month of receiving the request (extendable by two further months for complex or numerous requests, provided you tell the data subject why within the first month).
Right to Rectification
As stipulated by Article 16 GDPR, data subjects have the right to ask data controllers to correct their personal data if it’s inaccurate, or to complete it if it’s incomplete.
A simple request is often sufficient, and the data controller must rectify the data without undue delay.
However, when the accuracy of the data has legal consequences, data controllers may reasonably ask for evidence supporting the alleged inaccuracy before changing the record.
Right to be Forgotten
According to Article 17 GDPR, data subjects can ask the data controller to erase their personal data when:
- The data is no longer necessary to fulfill the purpose for which it was collected;
- The legal basis for processing the data was consent, and that consent has been withdrawn;
- The processing was unlawful;
- The data subject objects to the processing (see below), and the controller has no overriding legitimate grounds to continue with it;
- The data must be erased to comply with a legal obligation (under EU or Member State law); or
- The data was collected from a child in connection with the offer of information society services (online services).
Data controllers can decline the request only in a limited number of cases listed in Article 17(3) (for example, if they must retain the personal data to comply with a legal obligation, or need it to establish, exercise or defend legal claims).
Otherwise, they must comply without undue delay.
If data controllers have shared the data with recipients, Article 19 GDPR requires them to notify each recipient of the erasure (unless this proves impossible or involves disproportionate effort). If they have made the data public, they must also take “reasonable steps,” including technical measures, to inform other controllers processing that data of the request, so that they, too, can erase the personal data and any links to or copies of it.
Right to Restrict Processing
In some cases, rather than having their data deleted, data subjects may request a restriction of processing activities.
When that happens, data controllers are not required to delete the data, but they may do nothing with it other than store it (and it’s a good time to remind you that “processing,” under the GDPR, is a fairly broad notion).
The GDPR, however, doesn’t allow data subjects to exercise their right to restrict processing at will. This option is only available:
- While you verify the accuracy of data the data subject contests as inaccurate;
- If the processing is unlawful, but for whatever reason, the data subject doesn’t want the data to be erased;
- If you no longer need the data, but the data subject needs you to preserve it to establish, exercise or defend a legal claim;
- If the data subject has objected to processing based on your legitimate interest (or on a public-interest task), and a decision on whether your grounds override theirs is pending.
If any of the above applies, as a data controller, you may only store the restricted data. You are only allowed to process it in any other way if the data subject gives you their consent, if the information is needed to establish, exercise or defend a legal claim, to protect the rights of another natural or legal person (not necessarily the data subject), or for reasons of important public interest of the Union or a Member State. You must also inform the data subject before lifting the restriction.
Right to Data Portability
The right to data portability (Article 20 GDPR) is one of the novelties introduced by the GDPR. It allows data subjects to take their personal data with them and move it from one organization to another.
When data controllers receive a request for data portability, they have to provide data subjects with their personal data in a structured, commonly used, and machine-readable format, and they may not hinder the data subject from transmitting it to another controller.
Alternatively, data subjects can ask data controllers to transmit their data directly to another controller, where that is technically feasible.
The right to data portability only applies when three cumulative conditions are met:
- The data was provided by the data subject (not inferred or derived by the data controller);
- The legal basis is either consent or the performance of a contract;
- The processing is carried out by automated means: paper records remain excluded.
Note, too, that exercising this right must not adversely affect the rights and freedoms of others, so data about third parties mixed into the subject’s records needs careful handling.
Right to Object to Processing
The right to object, enshrined in Article 21 GDPR, allows data subjects to (you guessed it) object to the processing of their personal data.
Data subjects can invoke the right to object at any time and without giving reasons when their personal data is processed for direct marketing purposes, including any profiling related to such marketing.
In all other cases, data subjects can only exercise their right to object, on grounds relating to their particular situation, if the legal basis for processing their personal data is either
- the performance of a task carried out in the public interest or in the exercise of official authority, or
- the controller’s legitimate interest.
When data controllers receive a valid objection, they must stop processing the personal data in question.
There are, however, two exceptions to this rule (neither of which applies when the data is processed for direct marketing). The processing can go on if:
- The data controller can demonstrate compelling legitimate grounds for the processing that override the interests, rights and freedoms of the data subject; or
- The personal data is needed for the establishment, exercise, or defense of legal claims.
Right to Special Guarantees Concerning Automated Decision Making and Profiling
With today’s technology, it’s not uncommon for a decision about a person to be taken by fully automated processing.
The GDPR, however, gives data subjects the right not to be subject to a decision based solely on automated processing, including profiling, when that decision produces legal effects concerning them or similarly significantly affects them.
There are a few exceptions to the rule. Article 22 GDPR clarifies that the data subject cannot refuse to be subjected to the automated decision when:
- The decision is necessary for entering into, or performance of, a contract between the data subject and a data controller;
- The decision is authorized by Union or Member State law; or
- The decision is based on the data subject’s explicit consent.
In the first and third case, you must still implement suitable safeguards, at a minimum the right to obtain human intervention, to express one’s point of view and to contest the decision.
No Digital Sovereignty? No Rights for the Data Subject
As you have seen from our brief recap, the GDPR grants data subjects a significant number of rights – and, conversely, creates quite a few obligations for the data controller.
We’ll discuss these obligations in the upcoming articles. But, for now, keep one thing in mind: to comply with Chapter 3 GDPR, data controllers must remain in control of the personal data entrusted to them.
There’s no way to erase data you no longer possess. There’s no way to restrict processing if other entities are processing that data outside your control. And there’s no way to correctly inform a data subject if you don’t even know what your processors are doing with the data.
Want to know more about data sovereignty – and why it’s crucial for your organization? Read our article.
Ready to try a GDPR-compliant product? Check out Carbonio.