GDPR – Data Subjects’ Rights (Part 2)
Data subjects’ rights are, perhaps, one of the most widely misunderstood aspects of the General Data Protection Regulation (GDPR). The Data Protection Act 1998 (DPA) provides many rights to individuals, and the GDPR can be seen as clarifying and extending those rights.
The GDPR provides the following rights for individuals:
- The right to be informed
- The right of access
- The right to rectification
- The right to erasure
- The right to restrict processing
- The right to data portability
- The right to object
- Rights in relation to automated decision making and profiling.
An earlier article looked at the first four rights and so in this article we’ll consider the last four rights:
- The right to restrict processing – when processing is restricted, you are permitted to store the personal data, but not further process it. You can retain just enough information about the individual to ensure that the restriction is respected in future.
- The right to data portability – you must be able to allow data subjects to move, copy or transfer personal data easily from one IT environment to another in a safe and secure way, without hindrance to usability.
- The right to object – data subjects can object to processing based on legitimate interests or the performance of a task in the public interest/exercise of official authority (including profiling), direct marketing (including profiling) and processing for purposes of scientific/historical research and statistics.
- Rights in relation to automated decision making and profiling – you may not automatically process personal data if the automated system can make a potentially damaging decision without human intervention.
For processing to be lawful under the GDPR, you need to identify a lawful basis before you can process personal data. It is important to determine this basis because it affects data subjects’ rights.
The right to restrict processing
A data subject may require you to stop processing their personal data when:
- the data subject contests the accuracy of the personal data;
- you are processing the personal data for the performance of a public interest task or for the purpose of legitimate interests and you are considering whether your organisation’s legitimate grounds override those of the data subject;
- processing is unlawful and the data subject does not require the personal data erased but requests restriction instead;
- you no longer need the personal data but the data subject requires the personal data to establish, exercise or defend a legal claim.
When processing is restricted, you are permitted to store the personal data, but you must not process it. You can retain just enough information about the data subject to ensure that the data processing restriction is respected in future.
If you have disclosed the personal data in question to third parties, you must inform them about the restriction on the processing of the personal data, unless it is impossible.
The right to data portability
The right to data portability only applies:
- to personal data which a data subject has provided to you;
- where the processing is based on the data subject’s consent or for the performance of a contract;
- when processing is carried out by automated means.
You must provide the personal data in a structured, commonly used and machine readable form such as CSV or XML files. This enables other organisations to use the data. You may be required to transmit the data directly to another organisation if this is technically feasible.
You must respond within one month and you may not charge for providing the personal data. If you are unable to supply the personal data because the request is complex or you receive many requests then you must inform the data subject of this within one month and you can extend the time to comply with the request to two months.
If you decide not to comply with the request then you must explain why to the data subject within one month and inform them of their right to complain to the ICO and to a judicial remedy.
The right to object
Data subjects must be informed of their right to object “at the point of first communication” and in your privacy notice. This information must be “explicitly brought to the attention of the data subject and shall be presented clearly and separately from any other information” and you must offer an online way for data subjects to object to the processing of their personal data.
If you process personal data for the performance of a legal task or your organisation’s legitimate interests then data subjects can object to the processing of their personal data only on “grounds relating to his or her particular situation”. Once you receive an objection you must stop processing the personal data unless you can demonstrate compelling legitimate grounds for the processing, which override the interests, rights and freedoms of the individual, or the processing is for the establishment, exercise or defence of legal claims.
If you process personal data for direct marketing purposes then you must stop processing personal data for direct marketing purposes as soon as you receive an objection and you cannot refuse to do this. Objections about direct marketing must be dealt with at any time and you may not charge for this.
If you process personal data for research purposes then data subjects can object to the processing of their personal data only on “grounds relating to his or her particular situation”. You do not need to take note of an objection if you are conducting research which is necessary for the performance of a public interest task.
Rights in relation to automated decision making and profiling
You should identify whether any of your processing operations constitute automated decision making or profiling and consider whether you need to update your procedures to deal with the requirements of the GDPR.
Decisions about data subjects must not be taken by automated means if the decision would produce a legal effect or similar significant effect. However, you can use automated decision making if the decision is necessary for entering into or for the performance of a contract with the data subject; if the decision is authorised by law, or if the data subject provides explicit consent. If you do use automated decision making in these cases then you must provide data subjects with access to human intervention, with the ability to provide their point of view and with an explanation of the decision and how it can be challenged.
Profiling is any form of automated processing which evaluates certain personal aspects of an individual, in particular to analyse or predict their:
- performance at work;
- economic situation;
- health;
- personal preferences;
- reliability;
- behaviour;
- location;
- movements.
If you use automated profiling you must:
- Ensure processing is fair and transparent by providing meaningful information about the logic involved, as well as the significance and the likely consequences.
- Use appropriate mathematical or statistical procedures for the profiling.
- Implement technical and organisational measures to enable inaccuracies to be corrected and to minimise the risk of errors.
- Secure personal data so that the interests and rights of data subjects are not compromised.
You must not automate decisions about children, or automate decisions about any data subjects based on the processing of the special categories of data unless you have explicit consent from the data subject or if the processing is being carried out for reasons of substantial public interest.