Chapter 2F: Data Subject Rights Flashcards

1
Q

What must data controllers implement to verify the identity of data subjects making data subject rights requests under the GDPR?

A

Verification requirements that are reasonable and proportionate, while being limited to the minimum necessary to verify data subject identity.

2
Q

True or False: Only a data subject may exercise his or her right to access under Article 15 of the GDPR.

A

False. An authorized representative may also make a request for access (e.g., an attorney).

3
Q

Other than requesting that inaccurate data be corrected, what other right do data subjects possess under Article 16 of the GDPR?

A

The right to request that incomplete information be made complete.

4
Q

True or False: The right to request information under Article 15 of the GDPR is limited to what information is processed and the reasons for processing.

A

False. There are at least eight required disclosures that must be made under Article 15, including the source of the information and the period of retention, among other disclosures.

  • the purposes of the processing;
  • the categories of personal data concerned;
  • the recipients or categories of recipient to whom the personal data have been or will be disclosed, in particular recipients in third countries or international organisations;
  • where possible, the envisaged period for which the personal data will be stored, or, if not possible, the criteria used to determine that period;
  • the existence of the right to request from the controller rectification or erasure of personal data or restriction of processing of personal data concerning the data subject or to object to such processing;
  • the right to lodge a complaint with a supervisory authority;
  • where the personal data are not collected from the data subject, any available information as to their source;
  • the existence of automated decision-making, including profiling, referred to in Article 22(1) and (4) and, at least in those cases, meaningful information about the logic involved, as well as the significance and the envisaged consequences of such processing for the data subject.
5
Q

In what two situations is a request to restrict processing under Article 18 only temporary?

A

(1) When the accuracy of the data is also contested; and
(2) When the data subject has objected to the processing under Article 21.

6
Q

If personal data is no longer necessary for the purposes for which it was collected, may a data subject request that it be erased?

A

Yes

7
Q

What period of time does the GDPR provide for data controllers to respond to data subject requests?

A

A response must be provided “without undue delay” and no later than one month after the request is received, with some limited exceptions.

8
Q

When providing a second copy of personal information processed by an organization under Article 15 of the GDPR, what may a data controller do that it generally is not permitted to do in responding to other data subject requests?

A

Charge a cost-based fee for providing a copy.

9
Q

True or False: The right to erasure is always available to data subjects under the GDPR.

A

False. The right to erasure applies only in limited situations.

The controller shall have the obligation to erase personal data without undue delay where one of the following grounds applies:

  • the personal data are no longer necessary in relation to the purposes for which they were collected or otherwise processed;
  • the data subject withdraws consent on which the processing is based according to point (a) of Article 6(1), or point (a) of Article 9(2), and where there is no other legal ground for the processing;
  • the data subject objects to the processing pursuant to Article 21(1) and there are no overriding legitimate grounds for the processing, or the data subject objects to the processing pursuant to Article 21(2);
  • the personal data have been unlawfully processed;
  • the personal data have to be erased for compliance with a legal obligation in Union or Member State law to which the controller is subject;
  • the personal data have been collected in relation to the offer of information society services referred to in Article 8(1).

10
Q

May a data controller charge a data subject for responding to a data subject request under the GDPR?

A

Yes, but only if the request is unfounded, excessive, or repetitive.

11
Q

What three requirements are necessary for the right to data portability to apply under the GDPR?

A

(1) The data was provided directly by the data subject;
(2) The data is processed based upon the data subject’s consent and for no other reason; and
(3) The processing is carried out by automated means.

12
Q

What obligation does Article 12 of the GDPR impose on data controllers?

A

The obligation to facilitate the exercise of data subject rights.

13
Q

What two data subject rights might serve as a basis to request delisting from a search engine?

A

The right to object to data processing and the right to erasure.

14
Q

True or False: A key part of responding to a DSAR is determining “why” the data subject is making his or her access request.

A

False. A controller should not consider “why” the request is made, only “what” the data subject is requesting.

15
Q

What two requirements are necessary for the right not to be subject to automated processing to apply under the GDPR?

A

(1) The decision-making is based solely on automated processing; and
(2) The processing “produces legal effects concerning him or her or similarly significantly affects him or her.”

16
Q

Does the right to request delisting from a search engine apply to search results, the underlying web pages contained in search results, or both?

A

Only the search engine results.

17
Q

True or False: When a data subject requests that data be corrected, the determination of whether the data is inaccurate is subjective in nature.

A

True. There is no definition of what constitutes “inaccurate” information under the GDPR.

18
Q

True or False: The right to object to data processing is the same as the right to withdraw consent to processing.

A

False. The right to object to data processing is provided to data subjects when processing is NOT based on the consent of the individual.

19
Q

According to the EDPB, what are the three components of the Right to Access?

A

(1) confirmation as to whether data about the person is processed or not;
(2) access to this personal data; and
(3) access to information about the processing.

20
Q

True or False: Information provided in response to a request to access personal data under the GDPR must be provided in a commonly used electronic form.

A

Yes, if it is requested that way by the data subject.

21
Q

If it is not clear whether personal data is accurate, what is a best practice in responding to a data subject request to correct that data?

A

The data should be corrected as requested.

22
Q

What data subject right under the GDPR was not provided for under its precursor, the Data Protection Directive?

A

The right to data portability.

23
Q

Are data controllers obligated to notify data processors that have personal data in their possession of a request of erasure under Article 17 of the GDPR?

A

Yes

24
Q

What right under the GDPR is often a prelude to further legal action by a data subject?

A

The right to access information under Article 15.

25
Q

What are the three situations in which controllers may utilize automated decision-making that has a legal effect on data subjects?

A

When doing so is:
(1) necessary to enter a contract;
(2) otherwise required by law; or
(3) done with explicit consent of the data subject.

26
Q

A controller must stop processing in all instances when a data subject objects to data processing conducted for what purpose?

A

Marketing

27
Q

True or False: Controllers engaged in profiling data subjects under Article 22 must set up systems that permit the intervention of a human.

A

True

28
Q

What are the circumstances in which a member state of the European Union may restrict data subject rights under the GDPR by passing legislation?

A

Where doing so is necessary to safeguard the security of the nation or its public, to facilitate law enforcement, to facilitate public government functions, to protect judicial independence, to regulate certain professions, to protect the rights of other data subjects, or to permit the enforcement of civil claims.

29
Q

True or False: In exercising the right to data portability under the GDPR, a data subject may request that information be provided directly to himself or herself, or to another data controller.

A

True

30
Q

Art. 15

A

Right to Access by a DS

31
Q

Art. 16

A

Right to rectification (Correction)
(and make complete)

32
Q

Art. 17

A

Right to Erasure (Right to be forgotten)

33
Q

Art. 18

A

Right to restriction of processing

34
Q

Art. 19

A

Notification obligation regarding
rectification
erasure
restriction

to recipients of data

35
Q

Art. 20

A

Right to data portability

36
Q

Art. 21

A

Right to Object