Data Subject Rights

Question 1

List data subject rights under GDPR

Answer 1

Rights to:

Access and rectification

Data portability

Erasure

Restriction of processing

Object to processing

Decisions based on automated processing

Question 2

Right to access and rectification (include GDPR article)

Answer 2

Article 15

Provides data subject with entitlements to certain information, obtainable from the controller upon request. Obtaining this information should be free of charge for the data subject, unless the controller is asked to make additional copies of data, in which case, a reasonable admin fee may be charged.

Question 3

What is the controller obligated to do with the right to access and rectification?

Answer 3

Verify the identity of the data subject and then once verified, provide the data in the same form it was requested

Question 4

What are some suggestions for the controller to have in place to comply with the right to access and rectification?

Answer 4

Not required, but having procedures in place for employees to follow in the handling of subject access and rectification requests can help ensure compliance. Procedures may concern the allocation of responsibilities, rules around authentication of the person making the request, the manner for submitting a request, the types of data that may not be disclosed, time limits for a response, and/or how to handle special circumstances. Companies should also make sure to have training, and sufficient resources in place, and a monitoring plan to ensure compliance

Question 5

What are some potential limitations to the right to access and rectification?

Answer 5

As set out in Article 16: the controller needs to take reasonable steps to verify the requester. Also includes the need to protect others’ rights and freedoms, including the data controller.

Personal data of a data subject that reveals personal data of another individual or that exposes confidential information may be exempt from disclosure.

Question 6

What does the GDPR allow data subjects to access in addition to a copy of their personal data?

Answer 6

Details that were provided up front in the privacy notice, including:

Confirmation of processing (i.e. confirmation that the personal data is being or was processed)

The purpose of the processing (why)

The categories of personal data processed (what)

Recipients or categories of recipients of the personal data (in particular those in third countries or in international organizations) (who)

The retention period or criteria used to determine the period (when)

Information about data subject rights to: rectification, erasure, restriction, object to processing, and lodge complaints with a supervisory authority.

Any information about the source of the data (if not the data subject)

The existence of automated decision-making and information about the logic involved and the consequences

Info about appropriate safeguards for data transferred to a third country or international organization

Question 7

Right to rectification timeline

Answer 7

Without undue delay, generally within one month

Up to two additional months with notification to the data subject with reason for the delay within one month of the request

Question 8

What must occur if the controller decides not to rectify the data?

Answer 8

Must provide the data subject the reason for not rectifying without undue delay and within one month of the request, and the data subject has the right to lodge a complaint with a supervisory authority and seek judicial remedy

Question 9

What is the right to data portability?

Answer 9

Right for an individual to write to an organization and request a copy of the information in a commonly structured and machine readable form

Question 10

When does the right to data portability apply?

Answer 10

Narrow applicability. It only applies if:
-the basis for processing is 1) consent or 2) contractual necessity

And it is only related to electronic processing and to personal data from the data subject, collected from the data subject themselves (not data derived/inferred from the data provided)

Question 11

What are the controller’s obligations with the right of data portability?

Answer 11

To provide the data in a structured, commonly used and machine readable format AND to help the individual transfer the data to another organization

Question 12

What is the purpose of the right to data portability and what are some benefits?

Answer 12

• The right for data subjects to “obtain and re-use ‘their’ data for their own purposes across different services
• Benefits: consumer empowerment, opportunities for innovation, and opportunities for sharing of personal data between data controllers in a safe and secure manner under the control of the data subject

Question 13

What does the exercise of the right to data portability allow?

Question 14

What is the right to be forgotten/erasure (include article)?

Answer 14

Article 17

Provides data subject right to request that their data be erased and therefore, no longer processed.

Question 15

When may a data subject request erasure?

Answer 15

Data subjects may request erasure if:

• The personal data is no longer processed for the purpose in which it was collected
• The processing is based on consent and the data subject withdraws that consent
• If the processing is based on the controller’s legitimate interest and the data subject objects to the processing
• If the processing is unlawful
• If the data must be erased for compliance with EU or member state law
• If consent was given when the data subject was a child and the consent is withdrawn

Question 16

What are exemptions to the right to erasure?

Answer 16

Member states may create exemptions for national security, crime prevention, and protection of others’ rights and freedoms (including the controller’s)

Compliance wit EU or member state law for a task in the public interest or as part of the controller’s official authority

Public health purposes

Archiving in the public interst, scientific or historical research, or statistical purposes (if erasure seriously impairs the objectives)

Establishment, exercise, or defense of legal claims

Also the exercise of the right of freedom and information

Question 17

Recital 66 to the GDPR (and potential difficulties)

Answer 17

Recital 66: Third-party follow up on the right to erasure
Applies when data has been made public by a controller.

If the data subject requests erasure in this case, the original controller must take reasonable steps to inform the controllers which are processing such personal data to erase any links to, or copies or replications of those personal data.

Potential difficulties:
Determining all of the data’s recipients, informing all other controllers (which may result in increased exposure), and objections from controllers based on the fundamental right to freedom of expression and information

Question 18

What is the right to restriction of processing (include article)?

Answer 18

Article 18

Right to Restriction:
Allows for personal data to continue being stored without being further processed. Provides an alternative to erasure if storing:
-is legally required
-ensures the protection of another person’s right
-is in the public interset

Article 4(3) defines restriction as: “the marking of stored personal data with the aim of limiting their processing in the future”

Question 19

What are some possible methods of restricting the processing of data?

Answer 19

Possible methods of restriction (not mandated):

• making the personal data temporarily unavailable
• noting the restriction in the system
• moving the data to a separate system
• using the data under narrow conditions

Question 20

When may a data subject request restriction of processing?

Answer 20

Data subjects may request restriction if:

• the accuracy of the data is contested and controller needs time to verify accuracy
• the processing of data is unlawful, but data subject prefers restriction to erasure
• Data is not needed by controller, but needed by data subject for legal claims
• Data subject objects to further processing pending the controller’s attempt to verify legitimate grounds

Question 21

When is restriction an alternative to erasure?

Answer 21

Provides an alternative to erasure if storing:

• is legally required
• ensures the protection of another person’s right
• is in the public interest

Question 22

What is a controller’s obligation to the data subject when lifting restriction?

Answer 22

Must inform a data subject before a restriction on processing is lifted

Question 23

Exceptions to the restriction on processing

Answer 23

Once restricted, personal data can only be processed with new consent from the data subject to:

• exercise or defend legal claims
• protect the rights of another person
• for public interest reasons

Question 24

When is the right to object applicable (include article)

Answer 24

Article 21

Only applicable if the data processing fall into one of three categories:

1) Direct marketing: data subject may object at any time to the processing of their personal data for direct marketing purposes. This right is absolute and should cause the controller to cease processing. Includes restricting profiling.
2) Public interest or legitimate interests: May object to processing based on the public interest or the controller’s legitimate interests based on grounds related to the individual’s particular situation. The controller then has the burden to demonstrate that it has compelling legitimate interests for processing the data that override the individual’s interests, rights and freedoms.
3) Research or statistical purposes: May object to processing based on these purposes on grounds relating to their particular situation. The right is overridden if the processing is necessary for the performance of a task carried out in the public interest.

Question 25

What does the GDPR say about automated processing (include article)?

Answer 25

Article 21:

Automated Processing: The data subject has the right not to be subject to a decision based solely on automated processing, including profiling. In other words, a prohibition on automated processing that applies to decisions that are based solely on automated processing without human intervention in a way that produces legal effects. Strictest with children.

Question 26

What is profiling?

Answer 26

Automatic processing of personal data for the purpose of evaluating, analyzing, or predicting personal aspects of a natural person if the decision significantly affects the data subject

Question 27

What are examples of behavioral profiling?

Answer 27

Adware: Software installed on user’s computer that monitors online behavior to target advertising to the user

Web cookie: Piece of text that a web server can store on a user’s computer hard disk and later retrieve to get information about the user

Web beacon: Passes information from a user’s computer to a third party website (can be delivered through browser or email). Commonly used for file download monitoring, ad campaign performance, reading of emails, etc.

Digital fingerprint: Can identify the end user device based on information revealed as part of a webpage request

Question 28

What are situations that allow for decision-making based solely on automated processing?

Answer 28

• decisions authorized by EU or member state law
• processing necessary to enter into/perform a contract between the controller and the data subject
• decisions based on the data subject’s explicit consent
• decisions based on special categories of data