CIPPE Module 5 - Data Subject Rights Flashcards
What are data subject rights?
- Rights of access and to rectification
- Data Portability
- Erasure/Right to be forgotten
- Restriction of processing
- Right to object to processing
- Decisions based on automated processing
Key points to note on rights of access and rectification
Right to get access to your information
Right to correct incorrect data
Understand why, who and what data about you is being processed
No undue delay - 1 month; possible to get extensions of up to two months.
Key points to note on data portability
Ability to move from one service to another with their personal data
Example - move from Flickr to Google Photos
Controller must help data subjects
If technically feasible, they must directly port it over to the new controller.
Narrow applicability: Only relates to electronic processing; applies only to data collected from the data subject themselves; applies only if the processing is based on consent or contractual necessity.
In other words, if you are processing personal data for legitimate interests you don’t have to cater for data portability.
Key points on Right to Erasure:
Data subjects may (under certain circumstances) request that their personal data be erased. These circumstances are
a) Personal data is no longer necessary for the purpose for which it was collected.
b) Personal data processing is based on consent that is now withdrawn
c) Legitimate interests of the controller cannot be demonstrated to override personal interest of the Data Subject
d) Unlawful
e) Data subject was a child when consent was given
If controller has published data publicly then all other controllers who have received it must also erase this data. Original controller is responsible for ensuring this.
What are a few exceptions to the right to erasure?
- Compliance with EU or member state law; public interest; official authority
- Public health purposes
- Archiving for public interest, historical research; statistical purpose
- Defense of legal claims.
- Freedom of expression and freedom of others.
Key points on restriction of processing
- Distinct from right to erasure
- Personal data is stored without being further processed
- Maybe needed for legal purposes, protect the freedom of others
- Mark the data; move to a new DB
It may be necessary to restrict processing under certain conditions:
a) DS contests accuracy and DC needs time to verify
b) It is not needed by DC, but DS wants it for legal claims
c) It is unlawful and DC needs time to establish legal basis
There are some exceptions:
* It may be necessary to lift the restriction to protect another’s rights, public interest, legal claims
* In such a case, DC must inform DS
Key points on “right to object to the processing”
Data subject may object to processing only under certain conditions:
a) If the processing is for marketing purposes
b) Based on public interest or the controller’s legitimate interest - controller must demonstrate its legitimate interest that overrides data subjects rights
c) object to processing for scientific or historical research; overridden if the processing is necessary for public interest.
Key points on “Automated processing”
Right of DS not to be subjected to a decision based solely on automated processing.
This includes profiling
WP29 recommends providing information on algorithms in understandable terms; allow DS to check their profiles and correct them, help DS understand the right to object; implement quality checks to ensure individuals are treated fairly
What are techniques used to profile?
Adware
Web cookie
Web Beacon
Digital Fingerprint
What are some exception to automatic processing?
Decision based on automatic processing is permitted under the following circumstances:
a) Decisions authorized by EU law
b) Processing necessary to enter into contract (e.g. insurance risk or credit risk) - but data subject rights must be protected
c) decision based on subject’s consent
