Chapter 9 - Data Subject Rights Flashcards
What does European DP law provide individuals with?
A range of rights enforceable against organisations processing their data
How does the GDPR compare to the Data Protection Directive in terms of complexity and scope?
The GDPR is considerably more complex and far-reaching, including a very extensive set of rights.
What was one of the main ambitions of the European Commission in proposing the GDPR?
Bolstering individuals’ rights.
What articles of the GDPR set forth data subjects’ rights?
Articles 12 to 23.
What impact can data subjects’ rights have on an organisation?
They can limit an organisation’s ability to lawfully process personal data and impact core business processes and models.
What rights are encompassed in Articles 12-14 of the GDPR?
Right of transparent communication and information
-Ensures that data subjects are informed about how their personal data is being processed in a clear and accessible manner.
-Organisations should: Provide information in a concise, transparent, intelligible, and easily accessible form, using clear and plain language
What is the right set forth in Article 15 of the GDPR?
Right of access
-This right allows data subjects to obtain confirmation of whether their personal data is being processed and access to that data.
-Organisations should: Respond to access requests without undue delay and within one month, providing the requested information and any additional details required by the GDPR.
What does Article 16 of the GDPR cover?
Right to rectification.
-This right allows data subjects to have inaccurate personal data corrected.
-Organisations should: Correct inaccurate or incomplete data promptly and inform any third parties to whom the data has been disclosed.
What is the right established by Article 17 of the GDPR?
Right to erasure (right to be forgotten).
-This right allows data subjects to request the deletion of their personal data under certain conditions.
-Organisations should: Erase personal data when requested, unless exemptions apply, and inform third parties processing the data about the erasure request.
What does Article 18 of the GDPR address?
Right to restriction of processing.
-This right allows data subjects to limit the processing of their personal data under certain conditions.
-Organisations should: Restrict processing when requested, ensuring the data is only stored and not further processed unless consent is given or for legal claims.
What obligation is set forth in Article 19 of the GDPR?
Obligation to notify recipients.
-Requires organisations to inform recipients of personal data about any rectification, erasure, or restriction of processing.
-Organisations should: Notify recipients promptly and document the notification process.
What right is established by Article 20 of the GDPR?
Right to data portability.
-This right allows data subjects to receive their personal data in a structured, commonly used, and machine-readable format and transmit it to another controller.
-Organisations should: Provide the data in a usable format and, if requested, transfer it directly to another controller where technically feasible.
What does Article 21 of the GDPR cover?
Right to object.
-This right allows data subjects to object to the processing of their personal data based on legitimate interests.
-Organisations should: Stop processing the data unless they can demonstrate compelling legitimate grounds that override the data subject’s interests, rights, and freedoms.
What is the right established by Article 22 of the GDPR?
Right not to be subject to automated decision-making (including profiling).
-This right protects data subjects from decisions based solely on automated processing that produce legal effects or similarly significantly affect them.
-Organisations should: Ensure human intervention in decision-making processes and provide safeguards, including the right to obtain human intervention and challenge decisions.
What does Article 12(1) require?
Requires that any information communicated by the organisation be provided in a concise, transparent, intelligible and easily accessible form, using clear and plain language.
What does Article 12(2) of the GDPR require organisations to do?
Facilitate the exercise of data subject rights and verify the identity of data subjects.
-Organisations should: Use reasonable efforts to verify identity and request additional information if necessary, without collecting extra personal data.
What is the normal time frame for responding to data subjects’ requests under Article 12(3)?
One month, extendable by two further months for specific situations and/or complex requests.
-Organisations should: Acknowledge receipt of requests, decide whether to act on them within the first month, and inform data subjects about any extensions or refusals.
How should electronically received requests be answered according to the GDPR?
Electronically, unless the data subject requests an alternative format.
What is fundamental to any data protection system according to the GDPR?
Transparency.
What right is described in Article 13 of the GDPR?
Right to information about personal data collection and processing.
-Data subjects have the right to be informed about the collection and processing of their personal data.
-Organisations should: Provide details about the controller’s identity, purposes for processing, legal basis, recipients, and any other relevant information.
What does the right of access under Article 15 of the GDPR entail?
Data subjects have the right to obtain confirmation of whether their personal data is being processed and access to that data.
-Organisations should: Provide access to personal data and additional information, such as purposes of processing, categories of data, recipients, storage periods, and rights to rectification, erasure, or restriction.
Data subject entitled to receive:
-The purposes of the processing
-Categories of PD concerned
-Recipients / categories of recipients
-Period of storage / criteria used to determine the storage period
-Existence of the right to rectification / right to erasure / right to object / right to restriction
-Right to lodge a complaint with a supervisory authority
-Any available information about the source, if the data was not obtained from the data subject
-Existence of automated decision-making, including profiling (Article 22(1) & (4)), and its significance/consequences
What must organisations do if they have disclosed personal data to third parties and the data subject exercises their rights?
Notify those third parties of the data subject’s exercise of their rights.
What is the right to rectification under the GDPR & which article?
Article 16 - The right to have inaccurate personal data corrected.
What is the right to erasure & which article of the GDPR?
Article 17 - The right to have personal data erased under certain conditions.
-Conditions: data no longer needed; lawful basis is consent and nothing else; data subject exercises the right to object; data processed unlawfully; erasure necessary for compliance with EU/MS law