Latest posts by Aastha Tandon (see all)
- Can’t You Hear Me? - October 10, 2018
- GDPR: A Comprehensive Data Protection Regulation and its Impact on Individuals and Business Worldwide: Part IV Conclusion on GDPR - May 15, 2018
- GDPR: A Comprehensive Data Protection Regulation and its Impact on Individuals and Business Worldwide:Part III Compliances for Businesses - May 15, 2018
Part II of this Series Article focuses on the rights provided to Data Subjects or Individuals whose data is being collected and processed. (Click here to view Part I of this Series Article)
Part II GDPR Empowering Individuals
What are the rights of an Individual or a data subject?
GDPR is aimed at empowering the right of an individual or data subject (whose data is being processed) and it has specifically defined these rights in Chapter 3 (Articles 12 -23)[i] of GDPR. These rights[ii] are as follows:
- The right to information – The data subject is to be informed and may seek information regarding the data being processed.
- The data controller must provide details regarding the data controller’s identity, the purpose of data processing, the data categories concerned, the recipient of the data, the type of processing (automated or not) and the legislative right of the individual/data subject to access and/or rectify personal data.
- The data controller must provide information about the envisaged retention period[iii] of the personal data, the right to withdraw consent at any time and the right to file a complaint.
- It is pertinent to note that GDPR requires that such information is provided in a concise, transparent, intelligible and easily accessible form, using clear and plain language.[iv]
- The right of access – an individual may file a subject access request (SAR) to obtain a copy of his or her personal data or any of the information provided in the above point.
- For any further copies requested a reasonable fee based on administrative costs may be levied on the individual.
- Any information pertaining to the transfer of personal data to a third country or an international organization along with the necessary safeguards shall also be provided to the individual.
- The right to rectification – The GDPR continues to provide an individual with a right to correct errors or complete data previously incomplete and being processed either by the data controller or someone on its behalf.
- The right to erasure (or the right to be forgotten) – In Google Spain SL, Google Inc. v Agencia Española de Protección de Datos, Mario Costeja González[v] (Case C-131/12), the European Union’s Court of Justice (CJEU) recognized this new right and acknowledged it. The same was inserted as Article 17 under the GDPR regulation and its scope was broadened. In order to comply with this law, the controller needs to take appropriate steps with regards to technological as well as cost implementations. This right permits erasure of personal data on several grounds. Some of these grounds are as follows:
- when the personal data collected or processed is no longer needed as its purpose has been achieved
- if the individual has withdrawn consent to process data
- when the data subject has objected to the processing and there is no legitimate ground for processing
- when personal data is being processed for direct marketing purposes
- unlawful processing of personal data
- when it is a compliance under a legal obligation stated by the Union or Member State laws of the controller
- when information related to a child has been collected in relation to the offer of information society services.[vi]
- Here child refers to a person of the age of at least 16 years and has given consent to process personal data for one or more specific purposes, or
- A child who is below 16 years and his or her parent has given or authorized such consent.
- The meaning of child may differ in each Member State law, however, the lower age shall not be below 13 years.
- Time limits – Under this new regime, the controller needs to respond to a SAR in a period not extending a month. Therefore, it is essentials for organisations to implement a policy or a procedure where they comply with this requirement.
- The right to restrict processing – A new right created under the GDPR. Under this right the individual may request the data controller to stop processing his or her personal information. Such restriction can be requested in case the information or data provided is inaccurate or unlawful or it is pending a decision on a complaint lodged by the individual. In such a situation the data can be stored but not processed.
- The obligation to notify relevant third parties – In case the personal data of an individual has been shared with a third party and such individual has exercised his right of rectification, erasure, or restriction, then the data controller will have to inform such third party that the individual has exercised his right and hence his data cannot be processed. However, it must be noted that if it is impossible or involves disproportionate effort to convey this message to the third party, then the data controller is exempted from this obligation. This obligation is far more complicated for organisations that disclose personal data to a large number of third parties.
- The right to data portability[vii] – This is a new feature which permits data transfer between two data controllers directly without hindrances as well as it allows the data subject to receive from the data controller a copy of the personal data in a commonly used machine-readable format.[viii] Also, the personal data can be stored by the individual for further use on private devices.
- The right to object[ix] processing – According to the GDPR, the data subject has a right to object on the processing of personal data on grounds relating to their personal interest where the basis of processing is either public interest or legitimate interest of the controller.
- In this scenario, the burden of proof is on the organization or the data controller to prove that it either has a compelling ground for continuing the processing or that the processing is essential as it is connected with its legal right.
- If the data controller fails on proving the relevance of the processing then such processing activity ceases.
- The right to not be evaluated on the basis of automated processing – The GDPR has not made much change in this right when compared to the 1995 EU Data Protection Directive. An individual retains the right to not be subject to any decision that is based solely on automated processing which will significantly affect him or her.
- The right to bring class actions – Under this right the data subjects have the right to collectively be represented via not-for-profit bodies that can file a complaint on behalf of them with the Data Protection Authority for judicial remedies against data controllers and processors. Thus, the chance of litigation suits against organisations has increased.
The GDPR has increased the responsibility and obligations of organisations storing, controlling or processing personal data. On violation of the obligations enlisted under the GDPR the organization shall be imposed with a fine up to 20 000 000 EUR or up to 4% of the total worldwide annual turnover of the preceding financial year, whichever is higher.[x]
[ii] Rights of Data Subject under the GDPR, Time Hickman and Dr, Detlev Gabel, https://www.scl.org/articles/3575-rights-of-data-subjects-under-the-gdpr last seen on 28th April 2018; GDPR – (New) rights of the data subject, https://www.loyensloeff.com/en-us/news-events/news/gdpr-new-rights-of-the-data-subject last seen on 28th April 2018, Chapter 9: Rights of data subjects – Unlocking the EU General Data Protection Regulation, Dr. Detlev Gabel and Tim Hickman , https://www.whitecase.com/publications/article/chapter-9-rights-data-subjects-unlocking-eu-general-data-protection-regulation last seen on 28th April 2018.
[iii] GDPR – (New) rights of the data subject, Loyens & Loeff, dated 25th August 2016, https://www.loyensloeff.com/en-us/news-events/news/gdpr-new-rights-of-the-data-subject last seen on 28th April 2018
[v] Under this judgment this obligation was imposed only on internet search engines.
[vi] See Article 6(1) and Article 8(1) of the GDPR to understand the meaning of child.
[vii] WP29 guidelines on the right to data portability in the GDPR, https://iapp.org/media/pdf/resource_center/WP29-2017-04-data-portability-guidance.pdf last seen on 28th April, 2018
[viii] Rights of Data Subjects under the GDPR Time Hickman and Dr, Detlev Gabel, https://www.scl.org/articles/3575-rights-of-data-subjects-under-the-gdpr last seen on 28th April 2018
[ix] Chapter 9: Rights of data subjects – Unlocking the EU General Data Protection Regulation, Dr. Detlev Gabel and Tim Hickman, https://www.whitecase.com/publications/article/chapter-9-rights-data-subjects-unlocking-eu-general-data-protection-regulation last seen on 28th April 2018.