Data Subject Rights: all you need to know

A picture of the eight Data Subject Rights

The data subject has rights under the GDPR to ensure that their privacy is respected. Under European data protection laws, data subjects have long had the right to information about how their data is used. The GDPR expanded these rights, adding several new ways for the individual to receive information and gain control.

The 8 data subject rights you need to know

The GDPR provides individuals with eight rights to protect their privacy. Information about these rights must be provided by the controller before the data is collected and whenever the individual otherwise requests it. The individual’s right to withdraw consent to a specific use under Article 7 GDPR is sometimes presented as a ninth data subject right.

The 8 data subject rights are:

  1. The right to be informed
  2. The right of access
  3. The right to rectification
  4. The right to erasure
  5. The right to restrict processing
  6. The right to data portability
  7. The right to object
  8. Rights about automated decision making and profiling.

1. Right to be informed

What is the right to be informed?

Individuals have a right to be informed about how their data is collected and used. Data controllers have to give clear and concise information to individuals, including what information is collected and used, its purposes, retention periods, and with whom the information will be shared. This privacy information must be very easy to understand and easily accessible to the individual.

GDPR defines the right to be informed in articles 12-14.


What do we need to do now?

You must provide the information at the time you collect personal data from the individual. If you obtain personal data from other sources, you must provide your privacy information within a reasonable period after obtaining it, and at the latest within one month; if you use the data to communicate with the individual, or disclose it to another recipient, you must provide the information no later than that first communication or disclosure.

The privacy information you serve your data subjects must always be kept up to date. Review the information regularly and always inform the data subjects of any changes in your use of data or your processes before you actually start collecting the data.

The right to be informed is a key element of the GDPR. When you master this right, you typically have a high level of trust with your customers and employees and are less exposed to complaints and reputational damage.

2. The right of access

What is the right of access?

Individuals have the right to confirm whether you process their personal data, to access it and to receive a copy of it, together with supplementary information such as the purposes of processing, the categories of data, the recipients, the retention period and the source of the data. Such a request is called a subject access request or “SAR”. Data controllers must provide this access free of charge and in an accessible format.

GDPR defines the right to access in article 15.

How can we recognise a request?

Individuals can put forward their SAR either verbally or in writing, including engaging with the controller on social media channels.

Note that a request does not need to include the words “subject access request” or the like to be a valid request. Hence, you may need to train your staff that interacts with customers or employees on how to identify a request.

It is possible to make a SAR on behalf of someone else. Ensure that the third party is entitled to act for the individual; it is their responsibility to provide evidence of their authority.

What do we need to do now?

Data controllers receiving a SAR must:

  • Respond without undue delay and in any event within one month of receiving the request.
  • Confirm the identity of the individual as the first step. The one-month period does not start until you have received the information you need to confirm their identity.
  • You can extend the time limit by a further two months if the request is complex or you have received several requests from the same individual, but you must tell the individual about the extension, and the reasons for it, within the first month.
  • Perform a reasonable search for the requested information.
  • Review the information and, where necessary, restrict and redact it before you provide a copy to the individual. The right of access is not absolute: you must also respect the privacy of others and the rights of the company, such as trade secrets.
  • Provide the information in an accessible, concise and intelligible format.
  • Securely disclose the information, taking precautions concerning the level of sensitivity of the actual data.

Can we ask for ID?

You must be satisfied that you know the identity of the individual exercising their rights. The level of identity verification should be proportionate to the sensitivity of the data the request concerns. Strong authentication is not always required, though in some contexts, such as healthcare, it is a must. Requesting more identity documents than you need to verify the requester is itself excessive processing, so ask only for what the level of risk justifies.

Can we charge a fee?

No, not usually. Typically, making a request is free of charge. However, if the same individual makes repetitive requests or requests that are manifestly unfounded or excessive, you may charge a reasonable fee.

Can we refuse to comply with the SAR?

A controller receiving a SAR cannot usually refuse to provide the information. You may refuse a SAR only if an exemption or restriction applies, or if the request is manifestly unfounded or excessive.

Check with your Data Protection Officer or legal department on how to respond to a SAR.

Exemptions from complying with a SAR

Certain exemptions mean you do not need to comply with a SAR. Which exemptions apply depends largely on the national law implementing the GDPR (Article 23 GDPR allows member states to restrict the data subject rights). Examples include (not an exhaustive list):

  • legal professional privilege
  • management information
  • negotiations with the individual requesting a SAR
  • confidential references

Note that there are special rules for SARs and certain categories of data, such as:

  • unstructured manual records
  • credit files
  • health data
  • educational data
  • social work data

What happens if we do not comply with the SAR request?

If you do not comply with a SAR, the individual may apply for a court order requiring you to comply, or seek compensation.

Your supervisory authority may also take action against you if your organisation breaches the GDPR.

3. The right to rectification

What is the right to rectification?

Individuals have the right to have inaccurate personal data rectified, or incomplete personal data completed. A request may be made verbally or in writing. The right to rectification underpins the accuracy principle (Article 5(1)(d) GDPR) and is a safeguard against discriminatory treatment based on wrong data.

GDPR defines the right to rectification in article 16.

When is data inaccurate?

The GDPR has no formal definition. In case law, data is treated as inaccurate if it is incorrect or misleading as to any matter of fact.

What do we need to do now?

The data controller has one month to act on a request. You must take reasonable steps to ensure that the information you hold on an individual is accurate. If the personal data is used to make significant decisions about the individual, you must make a greater effort to check its accuracy.

What should we do if we are confident that the data is accurate?

If you believe that the data you hold is indeed accurate, let the individual know. Explain that you will not be amending the information and inform the individual of their right to make a complaint to the competent supervisory authority. You should also inform about the individual’s ability to seek enforcement through a judicial remedy.

Can we refuse to comply with the request for rectification?

Normally, you have to comply with the request. You can refuse a request for rectification only in limited circumstances, for example where the claim of inaccuracy is unsubstantiated, or where the request is manifestly unfounded or excessive.

4. The right to erasure (right to be forgotten)

What is the right to erasure?

The GDPR introduced a right for individuals to have their personal data deleted. This right is sometimes referred to as the “right to be forgotten”. It is not an absolute right and can be limited in certain situations.

The right only applies to data held at the time the request is received. You may still be entitled to process data that is created in the future, for example if the individual later enters into a new contract with you.

GDPR defines the right to erasure in article 17.

When does the right to erasure apply?

You must comply with a request and delete data if:

  • the personal data you hold is no longer necessary for the purpose for which you originally collected or used it
  • you are relying on consent as the legal basis, and the individual has withdrawn their consent
  • you are relying on legitimate interest as the legal basis, and the individual has objected and there are no overriding legitimate grounds for the processing
  • you are processing the data for direct marketing purposes, and the individual objects to that processing
  • you have processed the data unlawfully
  • you have to delete the data to comply with a legal obligation, or
  • you have processed the data to offer information society services to a child.

When does the right to erasure not apply?

You are entitled to keep the data if processing it is necessary to comply with a legal obligation. Article 17(3) GDPR also lists other situations in which the right does not apply, for example where the processing is necessary for exercising the right of freedom of expression and information, for reasons of public interest in the area of public health, for archiving, scientific, historical research or statistical purposes, or for the establishment, exercise or defence of legal claims.

How to identify a request to delete?

The GDPR does not require a certain form. The individual can state the request verbally or in writing to any point of contact in your organisation (even on social media channels). Your organisation should have processes to identify and properly manage a deletion request.

What time limit applies for managing a deletion request?

You have one month from the date of the receipt of the request to respond to the individual.

Can we extend the time for a response?

Yes. You can extend the time limit by a further two months where necessary, taking into account the complexity and number of the requests. You must inform the individual of the extension, and the reasons for it, within one month of receiving the request.

Do we have to tell other organisations to delete data?

Yes. If you have shared the data with other organisations, you must inform each recipient of the erasure, unless this proves impossible or involves disproportionate effort. If you have made the data public, for example online, you must take reasonable steps, including technical measures, to inform other controllers processing the data that the individual has requested erasure of any links to, or copies of, the data. You must tell the individual who the recipients are if asked.

If it would entail a disproportionate effort, there are exceptions to this right that may be applicable. Seek legal counsel as to what to do in your situation.

Do we need to delete data from our backup systems?

Yes. If a valid request is received and no exemption to retain the data applies, you must delete the data from backup systems as well as from the production environment.

Where a backup cannot be edited immediately, you must put the backup data “beyond use”: you must not use it for any other purpose, you must not restore it into a live system without re-applying the deletion, and it must be overwritten when the backup is replaced in line with your established retention schedule. Tell the individual what will happen to their data in backups and when it will be overwritten.

Can we refuse to comply with a deletion request?

You may rely on an exemption to the right to erasure if the circumstances allow. You can also refuse to comply with a request if it is:

  • manifestly unfounded or
  • excessive.

Notable case-law

What a controller may require of a person making a deletion request: see the case IMY vs Google (2022).

5. The right to restrict processing

What is the right to restrict processing?

In certain circumstances, individuals may request that the use of their data be limited. Restriction means that the data controller has to stop processing the data for certain purposes. It is an alternative to deletion.

GDPR defines the right to restrict data processing in article 18.

When does the right to restrict processing apply?

You are obliged to restrict the processing of certain data when:

  • the individual contests the accuracy of the data, for the period you need to verify it;
  • the processing is unlawful, and the individual opposes erasure and requests restriction instead;
  • you no longer need the data, but the individual needs you to retain it to establish, exercise or defend a legal claim; or
  • the individual has objected to processing based on your legitimate interest, pending your decision on whether your legitimate grounds override those of the individual.

How do we restrict the processing of personal data?

There are several methods you can use to restrict the further use of personal data; which method is appropriate depends on the circumstances. You can, for example:

  • temporarily move the personal data to another system;
  • make the data unavailable to users, for example by removing their access rights;
  • temporarily remove published data from a website.

Whatever the method, the fact that the data is restricted should be clearly indicated in the system so that it is not processed by mistake.

What can we do with restricted data?

You can continue to store the data; however, you must not do anything else with it. The restriction is most often a temporary measure while you determine whether a mistake has occurred or while you respond to the data subject’s concerns.

Any processing of restricted data other than storage requires:

  • the individual’s consent;
  • that the processing is necessary to establish, exercise or defend legal claims, or to protect the rights of another natural or legal person; or
  • that it is for reasons of important public interest.

Do we have to tell other organisations about the restriction of data?

Yes. If you have shared the data with other organisations, you must inform each recipient of the restriction, unless this proves impossible or involves disproportionate effort. You must take reasonable steps to ensure that the relevant data is restricted by the recipients as well. You must tell the individual who the recipients are if asked.

If it would entail a disproportionate effort, there are exceptions to this right that may be applicable. Seek legal counsel as to what to do in your situation.

When can the restriction be lifted?

Normally, the restriction of further processing of certain personal data is temporary. Most often, a request for restriction is made on the basis that:

  • the individual has questioned the accuracy of the data, and you are investigating this claim; or
  • the individual has objected to your processing of specific personal data on the basis of your legitimate interest, and you are considering whether your interests override those of the individual (reviewing your Legitimate Interest Assessment).

Once you have come to a decision, you may decide to lift the restrictions placed on personal data. Note that you must inform the individual before you lift the restrictions.

6. The right to data portability

What is the right to data portability?

Data subjects have the right to data portability. Portability means that the data controller has to provide the personal data the individual has supplied in a structured, commonly used and machine-readable format, and, where technically feasible, transmit it directly to another controller at the individual’s request. The other controller may be a company providing a service that the data subject wants to use. The right applies where the processing is based on consent or on a contract and is carried out by automated means.

GDPR defines the right to data portability in article 20.

7. The right to object

What is the right to object?

Individuals have the right to object to the processing of their data in certain circumstances. An objection may be made in writing or verbally.

An objection can concern all data or certain information or relate to a specific purpose. The individual has an absolute right to stop direct marketing based on personal data.

GDPR defines the right to object in article 21.

What do we need to do now?

Generally, data controllers have to stop processing the personal data when they receive an objection, unless they can demonstrate compelling legitimate grounds for the processing that override the interests, rights and freedoms of the individual, or the processing is needed to establish, exercise or defend legal claims. Typically, there is no need to delete all data; in most cases it is preferable to suppress the individual’s details. Data suppression means retaining just enough information to ensure that their preference not to receive direct marketing is respected.

As an exception, processing may continue due to public interest, such as scientific research.

Must we erase personal data to comply with an objection?

No, you do not have to delete all data automatically to comply with an objection to further processing. When you have received an objection to certain processing, say direct marketing, and you have no basis for refusing, you must stop, or not begin, processing the data for that purpose.

This may mean that you need to delete certain information. However, you must retain the information necessary to respect the individual’s preferences in the future. In direct marketing, this is often resolved by adding the individual’s details to a so-called “master do not send list”, a suppression list that ensures the e-mail address is not used for mass e-mail marketing.
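The following is an added example, not code from the original article or from its author. It shows one way to implement the suppression list described above: after an objection, the marketing profile is deleted and only a keyed hash of the normalised e-mail address is retained, which is enough to block future sends without keeping the address itself in the list. The mailing pipeline, the secret key, the sample addresses and the marketing records are all constructed for illustration.

```python
"""Suppression ("master do not send") list for honouring marketing objections.

Added example, not from the original article. SUPPRESSION_KEY, the sample
addresses and the marketing records below are constructed for illustration.
"""
import hashlib
import hmac
import unicodedata

# Hypothetical key; in practice this lives in a secrets manager, because a
# suppression token is only as hard to reverse as this key is to obtain.
SUPPRESSION_KEY = b"hypothetical-suppression-key-kept-in-a-secrets-manager"


def normalise_email(address: str) -> str:
    """Canonical form so trivially different spellings map to one entry."""
    address = unicodedata.normalize("NFKC", address).strip()
    local, sep, domain = address.rpartition("@")
    if not sep or not local or not domain:
        raise ValueError(f"not an e-mail address: {address!r}")
    # Domains are case-insensitive. Local parts technically are not, but every
    # major provider treats them so, and a suppression list should err on the
    # side of suppressing rather than sending.
    return f"{local.lower()}@{domain.lower()}"


def suppression_token(address: str, key: bytes = SUPPRESSION_KEY) -> str:
    """Keyed hash (HMAC-SHA256) of the normalised address.

    An unkeyed hash would be reversible by a dictionary attack over known
    addresses; the key prevents that for anyone who obtains only the list.
    """
    return hmac.new(key, normalise_email(address).encode("utf-8"), hashlib.sha256).hexdigest()


class SuppressionList:
    """Stores tokens only, never clear-text addresses."""

    def __init__(self, key: bytes = SUPPRESSION_KEY) -> None:
        self._key = key
        self._tokens: set[str] = set()

    def add_objection(self, address: str) -> None:
        self._tokens.add(suppression_token(address, self._key))

    def is_suppressed(self, address: str) -> bool:
        return suppression_token(address, self._key) in self._tokens

    def __len__(self) -> int:
        return len(self._tokens)


def process_objection(marketing_records: dict, suppression: SuppressionList, address: str) -> bool:
    """Handle an Article 21(2) objection.

    Deletes the marketing profile (keyed by normalised address) and keeps only
    the suppression token. Returns True if a profile was actually removed.
    """
    removed = marketing_records.pop(normalise_email(address), None) is not None
    suppression.add_objection(address)  # suppress even if we held no profile
    return removed


def build_send_list(candidates: list, suppression: SuppressionList) -> tuple:
    """Filter a campaign list: returns (to_send, dropped).

    Malformed addresses are dropped as well, so a bad entry can never slip
    past the suppression check and be mailed.
    """
    to_send, dropped = [], []
    for addr in candidates:
        try:
            if suppression.is_suppressed(addr):
                dropped.append(addr)
            else:
                to_send.append(addr)
        except ValueError:
            dropped.append(addr)
    return to_send, dropped


if __name__ == "__main__":
    # Constructed sample data.
    records = {"alice@example.com": {"segments": ["newsletter"]}, "bob@example.com": {"segments": []}}
    do_not_send = SuppressionList()
    process_objection(records, do_not_send, "Alice@Example.COM")
    send, dropped = build_send_list(["alice@example.com", "bob@example.com", "broken-entry"], do_not_send)
    print("send:", send, "dropped:", dropped, "profiles left:", list(records))
```

The token is still personal data in the GDPR’s sense (it is pseudonymised, not anonymised), so the list itself needs access controls and the key must be kept separate from it; what the design buys you is that the list no longer holds clear-text addresses and cannot be mined for new marketing targets. Normalisation matters as much as hashing: if the pipeline normalises addresses differently from the objection handler, the same person can be mailed again under a different spelling.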

8. Rights concerning automated decision-making and profiling

What is automated individual decision-making and profiling?

Automated individual decision-making means a decision based solely on automated processing, without any meaningful human involvement, that produces legal effects concerning the individual or similarly significantly affects them. Examples include:

  • A bank’s decision to award a loan or not based on an online process; and
  • An aptitude test using preprogrammed algorithms and criteria to sort through job applicants and decide who will receive a job interview.

GDPR defines rights concerning automated decision-making and profiling in article 22.

Automated decision-making need not involve profiling, but it often does.

GDPR defines profiling as:

“any form of automated processing of personal data consisting of the use of personal data to evaluate certain personal aspects relating to a natural person, in particular to analyse or predict aspects concerning that natural person’s performance at work, economic situation, health, personal preferences, interests, reliability, behaviour, location or movements.”

Article 4(4) GDPR

What does GDPR regulate

The individual has the right not to be subject to a decision based solely on automated processing, including profiling, which produces legal effects concerning them or similarly significantly affects them. The individual also has the right to be told that such decision-making takes place and to object where information about them is used to build a comprehensive profile (“profiling”).

GDPR restricts automated decision-making to protect individuals (Article 22 GDPR). Automated decision-making is only allowed if it is: necessary for a contract, authorised by national law, or based on the individual’s explicit consent.

When can we use automated decision-making?

The use of automated decision-making is restricted. It is only allowed if the decision is:

  • necessary for entering into, or performing, a contract with the individual;
  • authorised by Union or Member State law (for example, for fraud or tax-evasion monitoring), which must also lay down suitable safeguards; or
  • based on the individual’s explicit consent.

If special categories of data are used, the decision may only be based on that data if:

  • you have the individual’s explicit consent, or
  • the use is necessary for reasons of substantial public interest.

What do we need to consider to be able to use automated decision-making?

The GDPR treats automated decision-making, including profiling, that produces legal or similarly significant effects as a high-risk activity, which means you have to perform a risk assessment. A Data Protection Impact Assessment (DPIA) is required (Article 35(3)(a) GDPR) to demonstrate your compliance, to show which risks you have identified and how you will mitigate them.

Besides the impact assessment, under Article 22(3), the transparency provisions in Articles 13 to 15 and Recital 71 GDPR, you must also:

  • inform individuals that automated decision-making takes place, give meaningful information about the logic involved and explain the significance and envisaged consequences for them;
  • use appropriate mathematical or statistical procedures for the profiling;
  • ensure that individuals can (a) obtain human intervention, (b) express their point of view and (c) obtain an explanation of the decision and challenge it;
  • have appropriate technical and organisational measures in place to correct inaccuracies and minimise the risk of errors; and
  • secure the personal data in a manner proportionate to the risks and the interests of the individual, so as to prevent discriminatory effects.

You must always identify and record the processing in your records of processing activities (lawful basis, categories of data, internal and external recipients of the data, and so on).

Can we ask for ID?

You must be satisfied that you know the identity of the individual exercising their rights. The level of identity verification should be proportionate to the sensitivity of the data the request concerns. Strong authentication is not always required, though in certain contexts, such as healthcare, it is a must.

Can we charge a fee for complying with the data subject rights?

No, not usually. Normally, making a request is free of charge. However, if the same individual makes repetitive requests or requests that are manifestly unfounded or excessive, you may charge a reasonable fee.

Can we refuse to comply with the data subject rights request?

Normally, you have to comply with the request. You can refuse a request only in limited circumstances, for example where an exemption applies, where a claim is unsubstantiated, or where the request is manifestly unfounded or excessive.

What is manifestly unfounded?

The GDPR uses the term “manifestly unfounded” (Article 12(5)) without defining it. Supervisory authority guidance treats a request as manifestly unfounded when:

  • the individual clearly has no intention of exercising their data subject rights, for example where they offer to withdraw the request in return for some benefit from the organisation; or
  • the request is malicious in intent and is being used to harass an organisation without a real purpose, for example where (a) the individual has stated, in the request or in other communications, that they intend to cause disruption; (b) the request makes unsubstantiated accusations of wrongdoing against your organisation or specific employees; (c) the request targets an employee against whom the requester has a personal grudge; or (d) the individual systematically sends different data subject rights requests as part of a campaign to cause disruption.

What is an excessive claim?

A request to exercise any of the data subject rights under the GDPR can be excessive if:

  • the request repeats the substance of previous requests, or
  • it overlaps with other requests.

Whether a request is excessive depends on the circumstances, and you must be able to demonstrate this if challenged.

A request is not automatically excessive just because the individual:

  • requests the same subject matter again: circumstances may have changed, or the earlier request may have been mishandled;
  • makes a request that overlaps with an earlier one; or
  • has previously submitted requests that were excessive or manifestly unfounded.
