Data Subject Rights Flashcards

1
Q

List The Data Subject Rights

A
  1. Right to Be Informed
  2. Right of Access
  3. Right to Object
  4. Right to Correction
  5. Right to Erasure
  6. Right to Restrict Processing
  7. Right to Data Portability
  8. Right to Not Be Subject to Automated Decision-Making
2
Q

What is the right to be informed?

A

Data subjects have the right to be informed about the use to which their personal data will be put. This includes the right to be informed that their personal data is being collected.

3
Q

What is the right to access personal data?

A

A data subject can request confirmation from the data controller or processor on whether their personal data is being processed.

If it is, they have the right to
1. access the data, and be informed about
2. the purpose of processing,
3. the categories of data,
4. the recipients of the data,
5. the storage period, and
6. the data source, if collected indirectly.

4
Q

How can a data subject exercise their right to access their data?

A

They can submit a request using Form DPG 2 as outlined in the First Schedule of the Data Protection (General) Regulations, 2021.
The data controller or processor must comply with this request within 7 days.

5
Q

Is there a fee for accessing personal data?

A

No, compliance with a request for access to personal data is free of charge.

6
Q

What is the right to rectification?

A

A data subject can request the data controller or processor to correct any personal data that is
1. inaccurate,
2. outdated,
3. incomplete, or
4. misleading.

7
Q

What is the process for requesting data rectification?

A

Data subjects can request data rectification using Form DPG 3 as provided in the First Schedule of the Data Protection (General) Regulations, 2021.

8
Q

Is there a fee for requesting data rectification?

A

No, requests for rectification are free of charge.

9
Q

What is the right to erasure (right to be forgotten)?

A

A data subject can request the data controller or processor to delete their personal data in certain situations, such as
1. when the data is no longer necessary for the original purpose,
2. consent is withdrawn,
3. the data was unlawfully processed, or
4. the data subject objects to processing based on legitimate interests.

10
Q

How does a data subject request the erasure of their data?

A

They can submit a request using Form DPG 5 outlined in the First Schedule of the Data Protection (General) Regulations, 2021.

11
Q

What is the right to restrict processing?

A

The data subject can request the data controller or processor to restrict the processing of their personal data in specific situations.
This might include
1. when the accuracy of the data is contested,
2. processing is unlawful but erasure is opposed,
3. the data subject needs the data for legal claims, or
4. they object to processing based on legitimate interests.

12
Q

What is the procedure for requesting restriction of processing?

A

A data subject can request restriction of processing by submitting Form DPG 1 outlined in the First Schedule of the Data Protection (General) Regulations, 2021.

13
Q

How does a data controller or processor handle a restriction request?

A

The data controller or processor must respond within 14 days without charging a fee.

They should either
1. implement the request,
2. note the restriction in their system, and
3. notify relevant third parties, or
4. decline the request if it’s unfounded or excessive.

14
Q

What are the Data Handlers’ options for implementing a restriction of processing request?

A

They can
1. temporarily move the data to another system,
2. make it unavailable to third parties, or
3. remove published data about the subject from public platforms under their control.

15
Q

What happens if a restriction request is declined?

A

The data controller or processor must notify the data subject in writing within 14 days, explaining the reasons for the refusal.

16
Q

What is the right to object to processing?

A

A data subject can object to their data being processed for a particular purpose or in a specific manner. This right applies absolutely when processing is for direct marketing, including profiling for direct marketing. In such cases, the data cannot be processed for those purposes.

17
Q

How can a data subject exercise their right to object to processing?

A

They can use Form DPG 1 provided in the First Schedule of the Data Protection (General) Regulations, 2021.

18
Q

What is the right to data portability?

A

A data subject can request to receive their personal data in a structured, commonly used, and machine-readable format and can transmit this data to another data controller or processor without hindrance.

19
Q

How does a data subject request data portability?

A

Data subjects can request data portability using Form DPG 4 as outlined in the First Schedule of the Data Protection (General) Regulations, 2021.

20
Q

Can a data controller or processor charge a fee for data portability?

A

Yes, they can charge a reasonable fee not exceeding the cost to fulfill the request.

21
Q

How are the rights of children protected in data processing?

A

When data processing involves a child, a parent or guardian must give consent.

The processing must
1. be lawful,
2. prioritize the child’s best interest, and
3. protect them from unauthorized access to their data.

22
Q

What are the obligations of data controllers or processors when a data subject exercises their rights through a representative?

A

The data controller or processor should act in the best interests of the data subject.
They should verify the representative’s identity, especially when acting on behalf of a child.
If there’s doubt about the relationship, they can restrict the request until proof is provided.

23
Q

Can a data subject object to the processing of their data for direct marketing purposes?

A

Yes, a data subject has an absolute right to object to processing for direct marketing, including profiling related to direct marketing. In such cases, the data controller or processor cannot process the data for those purposes.

24
Q

What happens if a data subject objects to processing, but the data controller claims legitimate interests?

A

If the right to object isn’t absolute and the data controller or processor believes they have a compelling legitimate interest that outweighs the data subject’s interest, they must:
* Inform the data subject of the reasons for denying the objection.
* Inform the data subject of their right to complain to the Data Commissioner.

25
Q

Can a data subject request to be dealt with anonymously or pseudonymously?

A

Yes, data controllers and processors should facilitate requests from data subjects to interact anonymously or pseudonymously where it is reasonable and practical to do so.

26
Q

When can a data subject request erasure of their personal data?

A

A data subject can request erasure when:
* The personal data is no longer needed for the reason it was collected.
* The data subject withdraws consent, and consent was the basis for processing.
* The data subject objects to processing, and there’s no overriding legitimate interest for continuing processing.
* The data is being used for direct marketing and the individual objects.
* Processing the data is unlawful.
* Erasure is necessary to comply with a legal obligation.

27
Q

Is a data subject entitled to compensation for damage suffered due to data processing?

A

Yes, under Section 65 of the Data Protection Act, a data subject can be compensated for damage suffered because of a data controller or processor violating the Act.

28
Q

Can a data controller refuse a request for erasure?

A

Yes, if processing is necessary for:
* Complying with legal obligations.
* Performing tasks in the public interest or exercising official authority.
* Reasons of public health.
* Archiving for public interest, scientific or historical research, or statistical purposes in accordance with the Act.
* Exercising or defending legal claims.

29
Q

How should data controllers handle requests related to the rights of children?

A

Data controllers are obligated to verify the identity of anyone claiming to exercise data subject rights on behalf of a child. This ensures that the person is authorized and acting in the child’s best interests.

30
Q

What measures are in place to ensure data security when a data subject exercises their rights?

A

Any person attempting to access or erase personal data through misrepresentation is subject to prosecution. This serves as a deterrent against fraudulent requests and protects data subjects from unauthorized access to or deletion of their data.

31
Q

How can a data subject request access to their personal data?

A

A data subject may request access to their personal data using the provided form from the Data Protection (Civil Registration) Regulations, 2020.

32
Q

What is the right to data portability and its limitations?

A

The right to data portability allows a data subject to receive their personal data in a commonly used and machine-readable format and transfer it to another data controller or data processor without obstruction. This right is not absolute and doesn’t apply when processing is necessary for public interest tasks or if it negatively impacts others’ rights and freedoms.

33
Q

What is the timeframe for a data controller to respond to a data portability request?

A

Data controllers must comply with data portability requests within 30 days at a reasonable cost. If the request is complex or involves a large amount of data, this period can be extended in consultation with the Data Commissioner.

34
Q

Are there specific circumstances where a data protection impact assessment is necessary?

A

Yes, a data protection impact assessment is required for processing operations considered to present high risks to a data subject’s rights and freedoms. Examples include automated decision-making with legal implications, processing sensitive data, large-scale data processing, and systematic monitoring of public areas.

35
Q

How does a data subject provide consent for data processing?

A

A data subject can give their consent through a written notice, an oral statement, or an audio or video message. It’s crucial that the data subject understands the information provided and the implications of consenting.

36
Q

When is consent for data processing considered freely given?

A

Consent is not considered freely given when:
* It is presumed because the data subject didn’t object to a processing proposal.
* It’s a non-negotiable part of the terms and conditions.
* The data subject faces disadvantages if they refuse or withdraw consent.
* The data controller or processor combines multiple processing purposes without specific consent for each purpose.
* The data subject’s intention is unclear or ambiguous.

37
Q

Can a data subject withdraw consent for data processing?

A

Yes, a data subject can withdraw their consent at any time. However, this withdrawal does not affect the legality of processing based on consent given before the withdrawal.

38
Q

How do data controllers handle the withdrawal of consent?

A

When a data subject withdraws consent for a specific part of processing, the data controller or processor must stop processing data related to the withdrawn consent, unless other legal grounds for processing exist.

39
Q

When can a data subject request restriction of data processing?

A

A data subject can request restriction when:
* They dispute the accuracy of their personal data.
* The data was processed unlawfully, and they oppose erasure, preferring restriction instead.
* They no longer need the data, but the data controller needs it for legal claims.
* They’ve objected to processing, and the controller is evaluating whether legitimate grounds override the data subject’s interests.

40
Q

What is the right to rectification, and when can it be exercised?

A

The right to rectification enables a data subject to have their personal data corrected if it is inaccurate, out-of-date, incomplete, or misleading. This right is essential for maintaining the quality and integrity of personal data held by data controllers and processors.

41
Q

What happens when a data subject suspects a data breach?

A

When a data subject suspects a data breach, they should make a report to the Data Commissioner using Form DPC 3 as outlined in the Data Protection (Complaints Handling and Enforcement) Regulations, 2021. The report should include details like the data involved, the nature of the breach, and any available evidence.

42
Q

What obligations do data controllers have regarding data retention?

A

Data controllers must retain personal data only for as long as necessary to fulfill the purpose for which it was collected. Unless legally required, they should delete, erase, anonymize, or pseudonymize unnecessary personal data. This minimizes risks and safeguards data privacy.

43
Q

What is the right to Not Be Subject to Automated Decision-Making?

A

Every data subject has a right not to be subject to a decision based solely on automated processing, including profiling, which produces legal effects concerning them or significantly affects them. There are some exceptions to this right, such as when the decision is necessary for entering into or performing a contract.

44
Q

How can I request access to my data?

A

Submit a request in Form DPG 2.

45
Q

How can I request to rectify my data?

A

Submit a request in Form DPG 3.

46
Q

How can I object to data processing?

A

Apply to the data controller or processor in Form DPG 1.

47
Q

How can I restrict processing of my data?

A

Submit a request in Form DPG 1.

48
Q

How can I request erasure of my data?

A

Submit a request in Form DPG 5.

49
Q

How do I request to port my data?

A

Make a request in writing, potentially using Form DPG 4.

50
Q

How do I restrict direct marketing?

A

Make a request to the data controller or processor to restrict the use or disclosure of your data for direct marketing. You do not have to pay a fee for this request. This can be done in writing.

51
Q

How do I make a general complaint?

A

Lodge a complaint with the Data Commissioner in writing or orally (it will then be put in writing). You may use Form DPC 1. You may lodge a complaint in Kiswahili, English, or Kenyan Sign Language.

52
Q

Can someone lodge a complaint for me?

A

Yes, if you are a minor, have a mental or other disability, or authorize someone to act on your behalf.