Chapter 9 DS Rights Flashcards

1
Q

List DS rights under GDPR

A

R. of transparent communication and information
R. of access
R. to rectification
R. to erasure (to be forgotten)
R. to restriction of processing
R. to object
R. to data portability
R. not to be subject to automated decision making
Obligation to notify recipients

2
Q

Is C obliged to confirm DS’s identity when they exercise DSR?

A

C must use reasonable efforts to verify the identity of DS

2
Q

What is the time frame to honour DS’ requests?

A

C should acknowledge receipt of the request and confirm or clarify what is requested.
Time frame for response: 1 month from receipt of the request; can be extended by 2 months in specific situations and/or for especially complex requests.
During the 1st month the C must decide whether it will act on the DS's request or not.
If not, it must inform the DS and also advise on the right to lodge a complaint with the regulator.

3
Q

How should requests be processed?

A

Electronically received requests should be answered electronically, except where the DS requests a different format.

4
Q

What info must the C provide in relation to R. of access?

A

Confirmation whether it processes PD and, if yes:
- purposes
- categories of PD
- recipients or categories (esp. 3rd countries)
- data retention period or criteria
- source if not from DS
- existence of r. to be forgotten, r. to object, r. to rectification and r. to restriction
- r. to lodge a complaint with SA
- existence of automated decision making, including P, logic involved and significance and envisaged consequences

4
Q

What should a C have in mind when setting up processes to answer DSARs?

A

time frame: 1 month, can only be prolonged in case of excessive or unfounded requests.
Solution: ticketing system

doubt about identity: the processing of the DSAR must be paused while identification takes place. C can only request information necessary to confirm identity.

DSAR comes from a child: use plain and clear language; the child's maturity must be assessed to determine whether they can understand their rights. If not, parents can exercise the child's rights on their behalf.

information includes information about others: such info must be redacted, or the others must give consent.

access request by proxies, e.g. an attorney: must provide proof of entitlement (e.g. power of attorney), which must be documented.

request is excessive or unfounded: ask for a reasonable fee or refuse to deal with the request. C must justify the decision and must document the facts.

4
Q

Explain the rules for advertising with regard to the targeting of social media users based on data they provided and insights generated by using such data.

A

EDPB Guidelines 8/2020: the DS should be able to learn:
- identity of the targeter (whether the joint controller or recipient)
- the C should facilitate access to information regarding targeting, including targeting criteria and information under Art. 15 (right of access)
- details of PD used for the profiling, including categories of data used to construct the profile
- users should have a mechanism to independently check their profile's information

5
Q

Explain r. of rectification

A

R. to rectification of inaccurate PD: it must be erased, amended or rectified.

6
Q

Are there any formal requirements to make a rectification request?

A

No, it can be made verbally or in writing.
C should provide means for requests to be made by electronic means (recital 59).

7
Q

How much time does a C have to respond to the rectification request?

A

1 month

8
Q

Can a C refuse a rectification request?

A

Only in limited circumstances.
DS must be informed without undue delay about the reasons, the right to lodge a complaint with the data protection authority and the right to seek a judicial remedy.

9
Q

Should the third parties be informed about the rectification of data?

A

Yes, if the data was disclosed to them,
except if this proves impossible or requires disproportionate effort;
this should be documented.

10
Q

When can the DS exercise the right to be forgotten?

A

data are no longer needed for the original purpose and no new purpose exists
DS has withdrawn consent and no other legal basis exists
DS exercises the right to object and C has no overriding grounds to continue processing
processing was unlawful
erasure is necessary under EU or MS law

11
Q

What are C’s obligations related to the RTBF in case the C made DS’s data public?

A

must take reasonable steps, including applying technological solutions (taking costs into account), to inform 3rd parties which are processing the published data as controllers

12
Q

Exemptions to RTBF?

A

When processing is NECESSARY:
for exercising the right of freedom of expression and information
for compliance with a legal obligation or performance of a task carried out in the public interest (public health, archiving, scientific or historical research or statistical purposes)
for the establishment, exercise or defence of legal claims

13
Q

Explain obligation to notify recipients (Art. 19)

A

If the DS exercises the r. to be forgotten, rectification or restriction (blocking), and where the C has disclosed PD to 3rd party recipients, the C must notify those 3rd parties except if this is impossible or involves disproportionate effort (must be proven by the C).

14
Q

Does erasure also include backup systems?

A

Yes.
Also, it must be ensured that the data cannot be restored from the backup system.

15
Q

What is the Costeja case?

A

DS may request from the provider of an online search engine that it erase any links to web pages from the list of results displayed following a search made on the basis of their name (r. to request delisting: implies r. to erasure and r. to object).

r. to request delisting only applies if the search is made based on the name, not on other criteria.
PD is not completely erased: the underlying data will remain.

16
Q

What are the grounds to request delisting?

A

PD are obviously inaccurate (due to the passage of time, or outdated, depending on the initial purposes of the original processing)
DS objects to processing and there are no overriding legitimate grounds (search result creates considerable distress for the DS or undermines the DS's reputation in personal life)
PD are unlawfully processed (the listing of personal information has been expressly prohibited by a court order)
PD have been collected in relation to the offering of ISS to a child

17
Q

What are the exceptions to request delisting (search engine provider can refuse to delist)?

A

inclusion in the list of results is strictly necessary for protecting the freedom of information of internet users
processing is necessary for compliance with a legal obligation or performance of a task in the public interest or exercise of official authority
processing is necessary for the performance of a public interest
delisting is a serious obstacle to or completely prevents archiving purposes in the public interest, scientific or historical research purposes or statistical purposes

18
Q

Similar right to restriction of processing under the Directive

A

the right to request the blocking of data: the C could keep the data but had to refrain from using it during the period for which the right applied

19
Q

Reasons to exercise right to restriction

A

the accuracy of the data is contested (for as long as it takes to verify accuracy)
the processing is unlawful but the DS requests restriction instead of erasure
data are no longer needed for the original purpose but the DS needs them to establish, exercise or defend legal claims
the DS objects to processing and the verification of overriding grounds is in progress

20
Q

What can the C do in case of the r. to restriction?

A

temporarily move the data to another processing system where it is unavailable to users, or remove it from the website

21
Q

Can the data be processed during restriction?

A

Only stored, unless:
- DS has given consent to a certain form of processing
- establishment, defence or exercise of legal claims
- protection of the rights of another person
- reasons of important public interest
Any reason must be documented.

22
Q

Can restriction be temporary?

A

Yes, e.g. for the time the C is verifying the accuracy or assessing overriding grounds.

23
Q

What does it mean to lift restriction?

A

If the C makes a decision that the restriction is no longer necessary, it must inform the individual before lifting it.
It must include the reasons.

24
Q

Which other 2 rights is restriction most commonly connected to?

A

R. to object and r. to rectification

25
Q

Explain right to portability

A

DS has the right to receive their own PD, which they have provided to the C, in a STRUCTURED, COMMONLY USED, MACHINE-READABLE FORMAT.
Also, the r. to transmit the data to another C without hindrance from the C.
C must hand the data over to the DS in a usable fashion or, at their request, directly to the recipient of their choice if technically feasible.

26
Q

What is the aim of r. to portability?

A

to facilitate the DS's ability to move, copy or transmit data easily from one IT environment to another (DS's own system, another C, trusted 3rd party)
it prevents consumer lock-in
fosters opportunities for innovation and sharing of PD between Cs in a secure and safe manner, under the DS's control
Cs are encouraged to **develop interoperable formats** that enable data portability

27
Q

Risks for the C in case of data portability

A

adverse effect on the rights and freedoms of 3rd parties, e.g. if the data to be ported includes PD about others
their concerns must be legitimate, not just a hindrance

28
Q

Explain r. to object

A

DS has the right to object (on grounds relating to his/her particular situation) if the C processes PD based on its legitimate interest or a 3rd party's LI, or in case of performance of a **task carried out in the public interest** or in the exercise of official authority vested in the controller, in both cases including profiling.

PD are processed for direct marketing purposes, including profiling.

29
Q

Who has the burden of proof in case of r. to object?

A

The C must demonstrate that its compelling LI overrides the interests or fundamental R&F of the DS (doesn't apply to direct marketing, see below).
Where the data subject objects to processing for direct marketing purposes, the personal data shall no longer be processed for such purposes.

30
Q

In what form must the objection be made?

A

No form prescribed; can be made in writing or orally.
To any part of the organisation; doesn't need to be titled as "objection".
Burden for organisations: clear internal processes must be in place to recognise objections.

31
Q

Explain compelling, legitimate grounds for the processing

A

must be sufficiently compelling to override the interests or R&F of the DS, or for the defence, exercise or establishment of legal claims
WP29:
- must be lawful (based on EU/MS law)
- sufficiently specific - clearly articulated to allow the balancing test
- must not be speculative - must be representative of a real and present interest

32
Q

What is the C's obligation to inform in terms of the r. to object?

A

r. to object must be brought to the DS's attention and presented clearly and separately from other information,
at the latest at the time of the first communication

33
Q

Explain r. to object in relation to scientific or historical research purposes or statistical purposes

A

Where personal data are processed for scientific or historical research purposes or statistical purposes pursuant to Article 89(1), the data subject, on grounds relating to his or her particular situation, shall have the right to object to processing of personal data concerning him or her, unless the processing is necessary for the performance of a task carried out for reasons of public interest.

34
Q

R. not to be subject to automated decision making: does it need to be actively invoked by the DS?

A

No, it is a general prohibition on decision-making based solely on automated processing, and it applies irrespective of the DS's actions.
It applies if the decision is made solely on automated processing and produces legal effects for the DS or similarly significantly affects them.

35
Q

What are the exemptions under which ADM is allowed?

A

  • authorised by law
  • necessary for the preparation or execution of a contract
  • DS's explicit consent
    + significant safeguards in place (specific information to the DS, r. to obtain human intervention, r. to express his/her point of view, r. to obtain an explanation of the decision and to challenge the decision)

36
Q

Restrictions of DS rights

A

By EU or MS law,
where necessary to safeguard interests of national security, defence or public security.