All natural persons whose personal data is processed by a Data Controller (DC) or Data Processor (DP) within the territorial scope of the GDPR, are Data Subjects and hence entitled to these rights.
Useful? Embed this infographic on your website.
The DC is responsible for allowing data subjects to exercise their rights and to ensure that they can make effective use of them. In that sense, it’s not only allowing the data subjects to exercise their rights but also to ensure their effectiveness. For instance, to allow a Data Subject to object the processing without providing all the information about the processing, wouldn’t ensure the effective use of his/her right.
Also, the DP shall observe and commit to the protection of the data subjects’ rights in line with article 28 (3)(h) GDPR.
The modalities applicable for the exercise of the rights
Provide all the information relating to the processing of their personal data in a clear and understandable language, free of charge and without undue delay and in any event within 1 month of receipt of the request.
Main Recital: 58 and 59 / Restrictions: Art.12 (2) and (5) (b)
Right to be informed
Provide the information listed in the GDPR to be supplied to the Data Subject depending on whether the data have been obtained from the Data Subject himself/herself (Art. 13) or not (Art. 14).
Main Recital: 60 / Restrictions: Art.13 (4) and Art.14 (5)
Right of Access
It is divided into two parts: (i) provide confirmation whether or not the personal data are being processed and, if applicable, (ii) provide access to the Data Subject own data and the information stated in article 15(1) GDPR, e.g. the purpose of the processing, categories of data concerned, recipients to whom the data are disclosed and the logic involved in any automated decision concerning them.
Main Recital: 63 / Restriction: Art.15 (4)
Right to Rectification
Allow the rectification of inaccurate data. This right applies to objective and factual data and includes the right of the Data Subject to supplement additional data.
For example, in case of a conduct evaluation, the Data Subject cannot ask for rectification of the data since it is a subjective assessment. However, the Data Subject can require the addition of information such as the annual performance appraisal or a second expert opinion to complete his/her data.
Right to Erasure (“right to be forgotten”)
Erase the personal data when the Data Subject no longer wants her/his data to be processed and provided that there are no legitimate grounds for retaining it.
According to the Judgment of the Court (Grand Chamber), 13 May 2014. Google Spain SL and Google Inc. v Agencia Española de Protección de Datos (AEPD) and Mario Costeja González, “the right to erasure applies not only from the fact that such data are inaccurate but, in particular, also from the fact that they are inadequate, irrelevant or excessive in relation to the purposes of the processing, (…)”
As any other right is not an absolute one. Hence, it will always need to be balanced against other fundamental rights as for instance, freedom of expression or historical or scientific research.
Main Recitals: 65 and 66 / Restriction: Art.17 (3)
Right to Restriction of Processing
Impede the processing of the personal data when required in accordance with article 18 GDPR, e.g., the accuracy of the personal data is contested or the processing is unlawful, or the result of an objection is pending.
Where processing has been restricted the DC can only store the personal data and no further processing can take place; unless, the Data Subject provides consent or for the establishment, exercise or defence of legal claims or protection of the rights of another natural or legal person or for reasons of important public interest of the Union or of a Member State.
Main Recital: 67 / Restriction: Art.18 (2)
Notification Obligation regarding rectification or erasure of personal data or restriction of processing to recipients
Notify any rectification or erasure or restriction of processing carried out to each recipient to whom the personal data have been disclosed; unless this proves impossible or involves a disproportionate effort.
The DC shall inform about the recipients if the Data Subject requests it.
Right to Data Portability
This right applies if the processing is carried out by automated means and Data Subject provided personal data on the basis of his or her consent, or the processing is necessary for the performance of a contract. Under those conditions, if the Data Subject requests it: (i) provide with the data received by the DS in a structured, commonly used and machine-readable format and, (ii) allow the transmission of the data to another DC.
Main Recital: 68 / Restriction: Art. 20 (3) (4)
Right to Object
Where the processing is carried out in the public interest or in the exercise of official authority vested in the DC, or on the grounds of the legitimate interests of a DC or a third party, or for direct marketing, including profiling, inform and provide to the Data Subject the option to object the processing.
When processing has been objected, the DC is obliged to quickly respond and demonstrate compelling legitimate grounds for the processing which override interests, rights and freedoms of the Data Subject or for the establishment, exercise or defence of legal claims.
Main Recital: 69, 70 / Restriction: Art. 21(1) (6)
Automated individual decision-making including profiling
Do not impose a decision based solely on automated means, including profiling, which produces legal effects concerning the Data Subject or similarly significantly affects him or her; unless, is necessary for entering into, or performance of a contract between the DC and Data Subject or is based Data Subject’s explicit consent or is authorised by Union or Member State Law.
In any case, such processing should be subject to suitable safeguards. Which should include at a minimum, the provision of specific information to the Data Subject, the right to obtain human intervention, to the possibility of the Data Subject to express his/her point of view, to obtain an explanation of the decision and to be able to challenge it.
This measure should not concern a child.
Main Recital: 71 / Restriction:Art.22 (2) (4)
OTHER KEY POINTS TO KEEP IN MIND:
- Other Rights: Art.34, the right to receive a communication regarding a personal data breach without delay; Art. 7, the right to withdraw consent at any time; Art. 82, the right to receive compensation for any damage suffered.
- Time Limits: the DC must ensure that data subjects can effectively exercise their rights within the legally required time limits.
- Restriction:Union or Member State Law may restrict by way of legislative measure the scope of the obligations and rights provided in articles 12-22 and article 34, as well as article 5 as long as its provisions correspond to the rights and obligations provided in articles 12 to 22, and such restrictions respect the essence of the fundamental rights and freedoms and is necessary and proportionate measure in a democratic society to safeguard, e.g., national security, defence, public security. For full details see recital 73 and article 23 of the GDPR.
Do you have particular questions about how to enshrine the data subject’s rights in your agreements or software? Do not hesitate to leave a comment or write to me at firstname.lastname@example.org, to arrange a meeting.
Latest posts by Jessica Lam (see all)
- How to protect your personal data? - March 4, 2019
- Why does your personal data need to be protected? - February 25, 2019
- Enforcement of judgement: Update CJEU Case C 210/16 - September 7, 2018