Ch. 9 DS Rights Flashcards
Access & rectification
Controllers must provide:
- The purposes of the processing
- The categories of personal data
- The recipients or categories of recipients to whom the personal data have been or will be disclosed, in particular, recipients in third countries or international organisations
- Storage term or, if not possible, the criteria used to determine that period
- The existence of the right to request from the controller rectification or erasure, restriction of processing, or to object to such processing
- The right to lodge a complaint with a supervisory authority
- Where the personal data is not collected from the data subject, any available information as to their source
- The existence of automated decision-making, information about the logic involved, as well as the significance and the envisaged consequences
Data portability conditions
3 conditions:
- Data processed by automatic means, on basis of consent/performance of contract
- Data should concern the subject and have been provided by him
- Transferring data should not negatively affect rights & freedoms of others → how to deal with portability requests which also include data of others?
Right to erasure exemptions
- For exercising the right of freedom of expression and information;
- For compliance with a legal obligation / performance of task in public interest
- Establishment of, exercise of or defence against legal claims
Restriction of processing
Data does not have to be deleted, but is blocked from being further processed. Can be an option if:
- accuracy of the data is contested;
- processing is unlawful, and the data subject requests restriction (as opposed to exercising the right to erasure);
- the controller no longer needs the data for their original purpose, but the data is still required by the data subject to establish, exercise or defend legal rights; or
- verification of overriding grounds is pending in the context of an erasure request.
Object to processing
GDPR does not specify any particular form requirement for a valid objection. As a consequence of any valid objection, the controller is no longer allowed to process the data subject’s personal data unless it can demonstrate compelling, legitimate grounds for the processing. Legitimate grounds must be:
- lawful
- sufficiently clearly articulated
- representative of a real and present interest
3 cases to object to processing:
- Direct marketing. DS can object to data being processed for direct marketing. C should stop processing right away.
- Legitimate interests of public and controller: controller should demonstrate that it has compelling legitimate interests overriding the freedoms of the individual.
- Research/statistical purposes. DS may object to this, but protest is overridden when processing is necessary for performance of task in public interest.
Exceptions to right to not be subject to a decision based solely on automatic processing
- AD is necessary for entering into or performing a contract between DS & controller
- AD is authorized by MS law to which the DS is subject, which also lays down suitable safeguards for the DS’s rights.
- AD is based on explicit consent of the DS.