GDPR – Data Subjects’ Rights (Part 1)
Data subjects’ rights are, perhaps, one of the most widely misunderstood aspects of the General Data Protection Regulation (GDPR). The Data Protection Act 1998 (DPA) already provides many rights to individuals, and the GDPR can be seen as clarifying and extending those rights.
The GDPR provides the following rights for individuals:
- The right to be informed;
- The right of access;
- The right to rectification;
- The right to erasure;
- The right to restrict processing;
- The right to data portability;
- The right to object; and
- Rights in relation to automated decision making and profiling.
In this article we’ll look at the first four rights:
- The right to be informed – you should provide ‘fair processing information’, typically through a privacy notice which provides transparency about how you collect and use personal data.
- The right of access – you must be able to confirm that personal data is being processed and provide access to the personal data on request from a data subject.
- The right to rectification – data subjects are entitled to have personal data rectified if it is inaccurate or incomplete.
- The right to erasure – also known as ‘the right to be forgotten’. Data subjects can request the deletion or removal of personal data where there is no compelling reason for its continued processing.
For processing to be lawful under the GDPR, you need to identify a lawful basis before you can process personal data. It is important that you determine your lawful basis for processing personal data because this has an effect on the data subjects’ rights. For instance, if you rely on someone’s consent to process their data, then they will generally have stronger rights to have their data deleted.
The right to be informed
You should provide ‘fair processing information’, typically through a privacy notice which provides transparency about how you collect and use personal data. The information you supply in the privacy notice must be:
- Concise, transparent, intelligible and easily accessible;
- Written in clear and plain language, particularly if addressed to a child; and
- Free of charge.
If you obtain the personal data directly from a data subject you must supply the privacy notice at the time that the data is collected.
If you obtain the personal data from another source you must provide the data subject with the privacy notice within a reasonable period of having obtained the personal data (typically, within one month), or if you are using the personal data to communicate with the data subject, at the latest, when the first communication takes place.
Your privacy notice must contain the following information:
- The identity and contact details of the data controller (and where applicable, the controller’s representative) and the data protection officer;
- The purpose and the lawful basis for the processing;
- The legitimate interests of the data controller or third party, where applicable;
- The categories of personal data being processed (only if the personal data is not obtained directly from the data subject);
- Any recipient or categories of recipients of the personal data;
- Details of transfers to a third country and the safeguards in place;
- The retention period or criteria used to determine the retention period of the personal data;
- The existence of the data subject’s rights;
- The right to withdraw consent at any time, if that is the lawful basis for the processing;
- The right to lodge a complaint with the Information Commissioner’s Office (ICO);
- The source from which the personal data originates and whether it came from publicly accessible sources (only if the personal data is not obtained directly from the data subject);
- Whether the provision of the personal data is a statutory or contractual requirement or obligation and the possible consequences of failing to provide the personal data; and
- The existence of automated decision making, including profiling and information about how decisions are made, and the significance and the consequences of such automated decision making.
The right of access
You must be able to confirm that personal data is being processed and provide access to the personal data on request from a data subject. The GDPR allows data subjects to access their personal data so that they are aware of, and can verify, the lawfulness of the processing.
You must be able to verify the identity of the person making the access request, using ‘reasonable means’ and you must provide a copy of the information free of charge. However, you can charge a ‘reasonable fee’ when a request is manifestly unfounded or excessive, particularly if it is repetitive (you can also refuse to respond to an access request under these circumstances). You may also charge a reasonable fee to comply with requests for further copies of the same information. This does not mean that you can charge for all subsequent access requests. Any fee charged must be based on the administrative cost of providing the information.
If you decide not to carry out a data access request, you must provide an explanation to the data subject and inform them of their right to complain to the ICO and to a judicial remedy.
The right to rectification
Data subjects are entitled to have personal data rectified if it is inaccurate or incomplete. If you have passed the personal data to third parties, you must inform the third parties of the rectification where possible. You must also tell the data subjects about the third parties and what personal information you have passed to them.
You must respond within one month to a data rectification request, but this can be extended by two months when the request for rectification is complex.
If you decide not to carry out a data rectification request, you must provide an explanation to the data subject and inform them of their right to complain to the ICO and to a judicial remedy.
The right to erasure
The right to erasure is also known as ‘the right to be forgotten’. Data subjects can request the deletion or removal of personal data where there is no compelling reason for its continued processing.
Data subjects do not have an absolute ‘right to be forgotten’ but you must erase personal data and prevent processing in specific circumstances:
- When the personal data is no longer necessary in relation to the purpose for which it was originally collected/processed;
- When the individual withdraws consent and your lawful basis for processing relies on the data subject’s consent;
- When the individual objects to the processing and there is no overriding legitimate interest for continuing the processing;
- The personal data was unlawfully processed (in breach of some other aspect of the GDPR);
- The personal data has to be erased in order to comply with a legal obligation; or
- The personal data is processed in relation to the offer of information society services to a child.
You can refuse to comply with a request for erasure when the personal data is processed for the following reasons:
- To exercise the right of freedom of expression and information;
- To comply with a legal obligation or for the performance of a public interest task or exercise of official authority;
- For public health purposes in the public interest;
- For archiving purposes in the public interest, scientific or historical research purposes, or statistical purposes; or
- The exercise or defence of legal claims.
You should have specific procedures in place to deal with a request for erasure if you process the personal data of children and the child has given consent to the processing, regardless of the data subject’s age at the time of the request to erase the data. This is because a child may not have been fully aware of the risks involved in the processing at the time of consent.