Chapter 9 - Data Subject Rights Flashcards
Wha does European DP law provide individuals with?
A range of rights enforceable against organisations processing their data
How does the GDPR compare to the Data Protection Directive in terms of complexity and scope?
The GDPR is considerably more complex and far-reaching, including a very extensive set of rights.
What was one of the main ambitions of the European Commission in proposing the GDPR?
Bolstering individuals’ rights.
What articles of the GDPR set forth data subjects’ rights?
Articles 12 to 23.
What impact can data subjects’ rights have on an organisation?
They can limit an organisation’s ability to lawfully process personal data and impact core business processes and models.
What rights are encompassed in Articles 12-14 of the GDPR?
Right of transparent communication and information
-Ensures that data subjects are informed about how their personal data is being processed in a clear and accessible manner.
-Organisations should: Provide information in a concise, transparent, intelligible, and easily accessible form, using clear and plain language
What is the right set forth in Article 15 of the GDPR?
Right of access
-This right allows data subjects to obtain confirmation of whether their personal data is being processed and access to that data.
-Organisations should: Respond to access requests without undue delay and within one month, providing the requested information and any additional details required by the GDPR.
What does Article 16 of the GDPR cover?
Right to rectification.
-This right allows data subjects to have inaccurate personal data corrected.
-Organisations should: Correct inaccurate or incomplete data promptly and inform any third parties to whom the data has been disclosed.
What is the right established by Article 17 of the GDPR?
Right to erasure (right to be forgotten).
-This right allows data subjects to request the deletion of their personal data under certain conditions.
-Organisations should: Erase personal data when requested, unless exemptions apply, and inform third parties processing the data about the erasure request.
What does Article 18 of the GDPR address?
Right to restriction of processing.
-This right allows data subjects to limit the processing of their personal data under certain conditions.
-Organisations should: Restrict processing when requested, ensuring the data is only stored and not further processed unless consent is given or for legal claims.
What obligation is set forth in Article 19 of the GDPR?
Obligation to notify recipients.
-Requires organisations to inform recipients of personal data about any rectification, erasure, or restriction of processing.
-Organisations should: Notify recipients promptly and document the notification process.
What right is established by Article 20 of the GDPR?
Right to data portability.
-This right allows data subjects to receive their personal data in a structured, commonly used, and machine-readable format and transmit it to another controller.
-Organisations should: Provide the data in a usable format and, if requested, transfer it directly to another controller where technically feasible.
What does Article 21 of the GDPR cover?
Right to object.
-This right allows data subjects to object to the processing of their personal data based on legitimate interests.
-Organisations should: Stop processing the data unless they can demonstrate compelling legitimate grounds that override the data subject’s interests, rights, and freedoms.
What is the right established by Article 22 of the GDPR?
Right to not be subject to automated decision-making (to profiling).
-This right protects data subjects from decisions based solely on automated processing that produce legal effects or similarly significantly affect them.
-Organisations should: Ensure human intervention in decision-making processes and provide safeguards, including the right to obtain human intervention and challenge decisions.
What does Article 12(1) require?
Requires that any information communicated by the organisation be provided in a concise, transparent, intelligible and easy accessible form, using clear and plain language
What does Article 12(2) of the GDPR require organisations to do?
Facilitate the exercise of data subject rights and verify the identity of data subjects.
-Organisations should: Use reasonable efforts to verify identity and request additional information if necessary, without collecting extra personal data.
What is the normal time frame for responding to data subjects’ requests under Article 12(3)?
One month, extendable by two further months for specific situations and/or complex requests.
Organisations should: Acknowledge receipt of requests, decide whether to act on them within the first month, and inform data subjects about any extensions or refusals.
How should electronically received requests be answered according to the GDPR?
Electronically, unless the data subject requests an alternative format.
What is fundamental to any data protection system according to the GDPR?
Transparency.
What right is described in Article 13 of the GDPR?
Right to information about personal data collection and processing.
-Data subjects have the right to be informed about the collection and processing of their personal data.
-Organisations should: Provide details about the controller’s identity, purposes for processing, legal basis, recipients, and any other relevant information.
What does the right of access under Article 15 of the GDPR entail?
Data subjects have the right to obtain confirmation of whether their personal data is being processed and access to that data.
-Organisations should: Provide access to personal data and additional information, such as purposes of processing, categories of data, recipients, storage periods, and rights to rectification, erasure, or restriction.
Data subject entitled to recieve:
-The purposes of the procssing
-Categories of PD concerened
-Recipients/categories of recipients
-Period of storage/ criteria to determine storage period
-Existence of right to rectification/ right to erasure/ right to object / right to restriction
-Right to lodge complaint with supervisory authority
-Any info about source if not from data subject
-Existence of automated decision making, profiling - Article 22(1) & (4) - significance/consequence
What must organisations do if they have disclosed personal data to third parties and the data subject exercises their rights?
Notify those third parties of the data subject’s exercise of their rights.
What is the right to rectification under the GDPR & which article?
Article 16 - The right to have inaccurate personal data corrected.
What is the right to erasure & which article of the GDPR?
-Article 17
The right to have personal data erased under certain conditions.
-If data no longer needed, lawful basis is consent & nothing else, data subject exercises right to object, data processed unlawfully, erasure necessary for compliance with EU/MS law
What are some exemptions to the right of erasure under Article 17(3)?
Exercising the right of freedom of expression and information, compliance with legal obligations, and public interest tasks.
What is the right to restriction of processing under Article 18 of the GDPR?
The right to have the processing of personal data restricted under certain conditions.
Conditions:
-Accuracy contested
-Processing unlawful
-Controller no longer needs data for original purpose
-Verification of overriding grounds pending in context of objection pursuant to Article 21(1)
What is the right to data portability?
-Article 20
The right to receive personal data in a structured, commonly used, and machine-readable format and transmit it to another controller.
-Also is a NEW right / new term in DP law
What is the right to object?
-Article 21
The right to object to the processing of personal data based on legitimate interests.
What does Article 22 of the GDPR prohibit?
Decision-making based solely on automated processing that produces legal effects or similarly significantly affects the data subject.
What are some restrictions to data subject rights under the GDPR?
Restrictions necessary to safeguard national security, defence, or public security.
What should controllers do to adopt data subjects’ rights into their practices?
Embrace data subjects’ rights via privacy by design and by default, and reflect them in consumer interactions.
What are the practical considerations for organisations when responding to subject access requests under the GDPR?
-Must respond to subject access requests within one month, using a ticketing or workflow system. Extensions of up to two months are possible for excessive or unfounded requests.
-If doubts about the requester’s identity -> the process must be paused while additional information is requested to confirm identity, ensuring proportionality.
-Special considerations must be made for access requests involving children, including assessing the child’s maturity and potentially allowing parents to exercise the child’s rights.
-When disclosing information, organisations must protect the rights of others involved, possibly redacting data or obtaining consents.
-Organisations must ensure that third-party proxies making requests are entitled to act on behalf of the individual, documenting the nature of the request and retaining proof of entitlement.
-If a request is manifestly unfounded or excessive, organisations can request a reasonable fee or refuse to deal with the request, justifying and documenting the decision.
-Specific rules apply to advertising and targeting social media users, including facilitating access to information about targeting criteria and allowing users to check their profile information.
What are the specific rules for advertising and targeting social media users under the GDPR?
-Data subjects should be able to learn the identity of the targeter and access information regarding the targeting criteria used, as well as any other information required by Article 15 of the GDPR.
-Details of the actual personal data used for profiling, including categories of data used to construct a profile and segments the data subject has been placed into, must be provided.
-Social media controllers should implement mechanisms for users to independently check their profile information, including details of the data collected and sources used to develop it.
-Users should be able to access their personal data and request a copy in accordance with Article 15(3) of the GDPR.
What does Article 23 entail?
-Member states may impose restrictions on data subject rights to safeguard national security, defence, or public security.
-Organisations should: Be aware of and comply with any national restrictions on data subject rights.
What does article 24 entail?
-Controllers should adopt data subjects’ rights into their practices via privacy by design and by default.
-Organisations should: Reflect data subjects’ rights in consumer interactions and ensure compliance with GDPR requirements.
What is the Costeja judgement and which right does it deal with?
-CJEU 2014
-Ruled any data subject may request of a provider of an online engine to erase any links to webpages from the list of results displayed following a search made on the basis of their name
-2 data subject rights -> right to erasure and right to object
-Application of Article 21 being expressly foreseen as 3rd ground for right to erasure
