What are the rights of data subjects under GDPR?
GDPR regulates the processing of personal data. One of the ways it does this is by restating and increasing the rights of data subjects, including the rights to access their data, to have it amended or deleted, and to have processing halted.
In this article we will go through these rights, and what you will need to do if they are exercised.
Right to access data (Article 15)
A data subject has the right to request and receive confirmation of whether you hold their personal data. If you do, they have the right to request and receive a copy of the data you hold, as well as the following information:
- The purpose(s) of the processing.
- The categories of personal data held.
- Who else (if anyone) the data will be transferred to. If you plan to transfer the data to a non-EU country or an international organization, you must also include the grounds relied upon to justify this (which we will look at in a later article).
- The period for which the data will be stored (or how this period will be determined).
- The data subject’s rights to have their data rectified, erased or transferred, or restrict or object to processing.
- The data subject’s right to complain about processing to a supervisory authority (see our article on penalties).
- The source of the data (where it was not received from the data subject).
- Whether the data will be used for any automated processing (including profiling) and if so, the logic of the processing and its significance and consequences for the data subject.
As you may have noticed, this list largely replicates the list of information you must provide upon obtaining the data (considered in the previous article). Unless any of this information has changed, it may well be enough to send them a further copy of the original privacy notice along with their data.
The exercise of this right should not be allowed to adversely affect the rights and freedoms of others. In particular, this may mean redacting any personal data of other data subjects which would otherwise be included in the data copy.
Where possible, you should provide data subjects with secure access to their data through a remote self-service system. If you process a large amount of information about the data subject, you are entitled to ask them to be more specific about what they are looking for.
Right to have data transferred (Article 20)
Where the personal data is processed on the ground of consent, and by automated means, the data subject has the following rights (above and beyond the standard right to access):
- The right to receive the data they have provided in a structured, commonly-used and machine-readable format.
- The right to transmit this data to another controller without hindrance.
- The right, where technically feasible, to have this data transmitted directly from one controller to the other.
The clearest case where this will be applicable is where the data subject is looking to switch from one service provider to another. This essentially requires the old provider to make the switch as easy as possible for the data subject, including transmitting data directly where appropriate.
This right does not apply to processing necessary to perform a task in the public interest or in exercise of official authority. As with the right of access, it should not be allowed to adversely affect the rights and freedoms of others.
Right to have data rectified (Article 16)
A data subject has the right to have their personal data amended where it is inaccurate or added to where it is incomplete. The Regulation specifically mentions that it should be possible to accept and record a supplementary statement (for example, an explanation that a piece of data you hold does not have the implications it normally would).
As mentioned in the previous article, there is a wider obligation to keep your records accurate and up to date, which may include taking proactive steps even where the data subject has not exercised their right to rectify. In any case, you should make it easy for them to update their data, and you should process any updates speedily.
In some cases it may be appropriate to require evidence before rectifying data. For example, where the data subject does not have the right to have their data erased on request (see below), they could seek to achieve the same end by providing inaccurate “updated” data. Of course, any such obstacle to the exercise of the right will need to be kept to the minimum necessary to achieve this purpose.
Right to object to processing (Article 21)
A data subject has the right to object to the processing of their personal data, and have it stopped, if it is on the ground of necessity for the data controller’s legitimate interests, or necessity for performance of a task in the public interest or in exercise of official authority (see our article on lawful grounds).
This right therefore functions in a similar way to the withdrawal of consent (for processing based on consent). However, in this case the data subject should give a reason for the objection, based on their particular situation.
Also, unlike with the withdrawal of consent, the data controller has an opportunity to dispel the objection by demonstrating compelling grounds for the processing which override the data subject’s interests, rights and freedoms.
However, the Regulation explicitly states that there is no defence to an objection to direct marketing. Since this kind of processing will almost inevitably be based on either legitimate interests or consent, data subjects essentially have an absolute right to halt direct marketing.
Right to have data erased - “right to be forgotten” (Article 17)
A data subject has the right to request that you erase some or all of the personal data you hold about them. You are then obliged to do so, but only if one of the following applies:
- The data is no longer needed for the purposes for which it was received or processed.
- The processing was based on consent, and the data subject withdraws that consent.
- The data subject successfully exercises the right to object (see above).
- The data has been unlawfully processed.
- EU or national law requires that the data be erased.
- The data was collected in relation to the offer of services online to a child (that is, in circumstances where the child's consent would require parental authorization).
These grounds will cover many circumstances, although notably they will usually not cover data processed as necessary for the performance of a contract with the data subject. In addition, even if one of the above applies, you are not obliged to erase the data if:
- The processing is necessary for exercising freedom of expression or information.
- The processing is necessary for compliance with a legal obligation.
- The processing is necessary to perform a task in the public interest or in exercise of official authority.
- The processing is necessary for medical or public health purposes.
- The processing is necessary for archiving in the public interest, for historical or scientific research or statistical purposes.
- The processing is necessary to establish or exercise legal claims or defences.
Where the data controller has made the data public and this right applies, they must also take reasonable steps to inform other controllers working on the data that they should likewise delete it.
Right to restrict processing (Article 18)
In certain circumstances, a data subject has another, shorter-term right to prevent data controllers and processors from processing their personal data (with some exceptions). They have this right where:
- The data subject contests the accuracy of data held, while the data is verified.
- The processing is unlawful, but the data subject does not want the data erased.
- The data controller no longer needs the data, but the data subject needs it in order to establish or exercise legal claims or defences.
- The data subject has exercised the right to object (see above), while it is being determined whether the data controller’s legitimate interests override this right.
If any of these apply, then all processing of the data (other than storage) must stop, except to the extent that further processing is carried out with the data subject's consent, in order to establish or exercise legal claims or defences, to protect the rights of others, or for reasons of important public interest. Once a restriction has been put in place, you must let the data subject know before it is lifted.
In most cases, data subjects will prefer to exercise the right to object or the right to be forgotten, with this acting only as a supplement to those rights.
General points
- Where a right is exercised, you should act without undue delay and within a month of the right being exercised. You can extend that by up to two months where necessary, although you will have to let the data subject know that you are doing so within a month.
- Any communication with data subjects as a result of the exercise of these rights must be clear, concise and intelligible. Where a request is made electronically, information should be provided in the same manner where possible. In other cases, it can be electronic, written or even oral (but only when requested).
- Where the data controller has reasonable doubts about the identity of the individual making the request, they may require further information as proof. Wherever information is requested to be given orally, the data controller must have evidence of the identity of the person asking before providing it.
- Any action should usually be taken free of charge. However, you are entitled either to charge a reasonable fee or refuse to act on a request where it is clearly unfounded or excessive (particularly if it is repetitive). In such a case, the burden will be on you to show that this is the case if, for example, the data subject complains to the supervisory authority.
- If you do not act within the required timescale, whether in error or because you believe the request to be unfounded or excessive, you must explain this to the data subject and let them know of their rights to complain to a supervisory authority or to take the matter to court.
- EU or national law may create further restrictions on the rights of data subjects on a number of public interest grounds.
Clearly, you will need to have policies in place considering how you will deal with any of these requests, to ensure that you are able to do everything required in the appropriate timescales. However, most of these rights are not entirely new, and in many cases, compliance should not be too onerous.
Next, we will look at a situation rather more worrying than receiving a request from a data subject — discovering that the data you hold has been breached. We will look at the obligations GDPR requires of you in these situations.