Data Subject Rights (5)

Question 1

What rights are granted to data subjects under Access?

Answer 1

1. confirmation of processing
2. information about processing
3. access to the personal data

Question 2

What are the 3 considerations of fulfilling a data subject right to access in terms of cost, format and content?

Answer 2

1. A controller may charge a reasonable fee for further copies
2. Provided in a commonly used electronic form (unless otherwise requested)
3. Cannot adversely affect rights and freedoms of others

Question 3

What are the two types of data subject rights to rectification?

Answer 3

1. correction (objectively or subjectively)
2. completion

Question 4

What are the three questions to ask when fulfilling a request to access or rectification?

Answer 4

1. Can we verify the identity of the data subject?
2. Will this affect the rights and freedoms of others?
3. Is the request unfounded or excessive?

Question 5

What is the right to portability?

Answer 5

the right to receive personal data or have it transferred to another controller

applies where consent or performance of a contract is used as lawful grounds for processing

Question 6

What are the limitations on responsibility of the controller following a portability request? (they do not….)

Answer 6

Assume responsibility for processing activities of recipient

Do not have to erase

Question 7

What is interoperability?

Answer 7

formats that enable data portability

*does not imply controllers must maintain technically compatible systems

Question 8

What are the cumulative conditions to exercise data portability?

(article 29 working party)

Answer 8

1. PI processed automatically on the basis of consent or performance of a contract
2. PI concerning and from the data subject
3. Does not adversely affect the rights and freedoms of others

Question 9

Is the right to erasure an absolute right?

Answer 9

No

Question 10

What is the difference between erasure and right to be forgotten?

Answer 10

Right to be forgotten is the right to ensure the information is erased by third parties, including links, copies and replications

Question 11

What are the obligations of the controller under the Right to be Forgotten?

Answer 11

The controller must inform other controllers that the data subject has requested erasure. Burden on controller to remove the data

Question 12

What are the grounds to exercise a right to erasure (right to be forgotten)?

Answer 12

1. when data no longer necessary for purpose
2. data subject has withdrawn consent
3. data subject objects to processing (basis was legitimate interest)
4. processing was unlawful
5. erasure required to fulfill legal obligation (member state law)
6. data was collected in relation to info society (internet) from a child based on consent

Question 13

What are the exceptions to right to erasure / be forgotten?

Answer 13

freedom of expression

compliance with a legal obligation

public interest in the area of public health

archiving purposes

establishment, exercise or defense of legal claims.

Question 14

What are 4 circumstances in which a data subject exercise their right to restriction of processing (article 18)?

Answer 14

1) when processing is unlawful but data subject prefers restriction to erasure

2) when accuracy is contested and controller needs time to verify

3) when controller no longer needs data but data subject needs it for legal claim

4) when data subject objects to processing pending controller’s verification

Question 15

Under what conditions can data be further processed once exercised the right to restriction of processing?

Answer 15

New consent
Exercise or defend legal claims
Protect rights of another person
Important public interest reasons

Question 16

What is the definition of the right to restriction of processing?

Answer 16

Personal data is stored without further processing

Question 17

How can a controller fulfil a right to restriction of processing request?

Answer 17

1. move data to a separate system
2. mark data as DO NOT USE
3. temporarily remove published data

Question 18

When can you exercise the right to object to processing?

Answer 18

1. public interest or legitimate interest (not absolute, burden on controller to justify)
2. research or statistical purpose (not absolute, overridden if processing is necessary in public interest)
3. direct marketing (absolute)

Question 19

What are data subject rights related to automated decision-making under Article 22?

Answer 19

Data subject has the right not to be subject to a decision based solely on automated processing, including profiling, if decisions have legal and significant effects

Question 20

When can a data subject NOT exercise right to not be subject to automated decision making?

Answer 20

1) when processing is necessary to enter or perform contract
2) when authorized under union or member state law and safeguards in place
3) when data subject has given explicit consent

Question 21

When is automated decision-making permitted on special category data?

Answer 21

explicit consent
substantial public interest based
suitable measures in place

Question 22

What are the good practice recommendations for automated decision-making under Article 29?

Answer 22

provide meaningful information about logic involved
WP29 guidelines on consent
implement mechanism to check profiles and correct
make clear to data subject their right to object
appropriate safeguards

Question 23

What is profiling ?

Answer 23

automated processing of personal data for the purpose of evaluating, analyzing and predicting personal aspects relating to a natural person

Question 24

What are examples of profiling/targeting?

Answer 24

adware (software on user computer)
cookies (piece of text web server can store on hard drive)
beacon (passes information from user computer to website)
digital fingerprint (end user device identification)

Question 25

Which data subject right provides data subjects with entitlements to certain information from controller upon request?

Answer 25

Right to Access

Question 26

What 8 kinds of information about processing can be obtained when exercising a right to access?

Answer 26

1. purpose of processing
2. categories of personal data
3. recipients of data (including countries and IOs)
4. retention period
5. rights to rectification and erasure and restriction or object
6. lodge a complaint with the SA
7. source of data
8. automated decision-making

Question 27

What are the cases where a data subject can exercise their right to object to processing of personal data? (3 cases)

Answer 27

direct marketing
public interest or legitimate interest
research or statistical purposes

Question 28

What right is granted to data subjects under article 15?

Answer 28

right to access

data subjects may request information from controllers about processing of their personal data

Question 29

In which circumstances (bases) can a data subject object to processing of their personal data?

Answer 29

1. when processing is conducted on the basis of controller’s legitimate interest
2. processing for direct marketing

Question 30

What is the required timeframe to respond to data subject requests upon receipt of request under Article 12?

Answer 30

One month

Can be extended to two months

Question 31

What does the Right to Information require to provide about controllers (Article 13)?

Answer 31

right to be provided with information that describes their relationship with the controller

controller identity, contact details, reasons for processing, legal basis and recipients of data

Question 32

What does the Right of Access grant data subjects? (article 15)

Answer 32

purposes of processing
categories of personal data processed
recipients or categories of recipients
period data will be stored
right to request rectification
right to lodge complaint to SA
source of personal information
existence of automated decision-making

Question 33

What does the EDPB ask of social media controllers regarding right to access?

Answer 33

implement mechanism for users to independently check profile - including data collected and sources

Question 34

What must a controller do if rejecting a request to rectification?

Answer 34

inform data subject without undue delay
inform reasons for not correcting
inform of right to complain to DPA

Question 35

What must a controller do if complying with a right to rectification if it has shared the data with third parties?

Answer 35

contact 3rd parties and inform them of the rectification

Question 36

For what reasons can a data subject request their data to be erased? (right to be forgotten)

Answer 36

1. data no longer needed for original purpose
2. data subject withdraws consent
3. controller has no overriding grounds for continuing processing
4. data has been processed unlawfully
5. erasure is necessary for compliance with EU law

Question 37

When can organizations decline data subject requests to erasure?

Answer 37

1. when exercising right of freedom of expression and information
2. compliance with a legal obligation which requires processing by law
3. for establishment and exercise of legal claims

Question 38

When is a controller exempt from the obligation to to notify 3rd parties of data subject rectification, erasure or blocking?

Answer 38

if it is impossible to comply

would require disproportionate effort

Question 39

According to the EDPB, what considerations must be taken into account when applying article 17 (right to be forgotten) to search engine results?

Answer 39

content will only be delisted that appears in searches for the data subject’s name

delisting does not result in personal data being erased

Question 40

When can search engines refuse to delist content following a data subject request?

Answer 40

1. can demonstrate its inclusion is strictly necessary for protecting freedom of information
2. processing is necessary for compliance with a legal obligation
3. processing necessary for performance of public interest
4. search engine can demonstrate delisting is a serious obstacle or prevents archiving, research or statistical purposes

Question 41

What are the 4 conditions under which data subjects exercise their right to restrict processing?

Answer 41

1. accuracy of data is being contested
2. processing is unlawful
3. controller no longer needs data for original purpose but data still required by data subject for legal rights
4. verification if legal grounds of controller override rights of data subject

Question 42

What is the right to data portability? (Article 20)

Answer 42

data subjects have the right to receive their own personal data, which they have provided to a controller, in a structured, commonly used and machine-readable format

and, the right to transmit the data to a controller without hindrance

Question 43

What are 2 methods a controller can hand over data to a data subject (right to portability) per Article 20?

Answer 43

1) hand the data over to data subject in a usable fashion

or

2) transfer data to a recipient of data subject’s choice

Question 44

Is there a formal process to submit a right to object to processing?

Answer 44

no, requests can be made verbally or in writing, to any part of the organization and need not say specifically “objection to processing”

Question 45

When does the right to not be subject to automated decision-making apply?

Answer 45

if a decision is based solely on automated processing and produces legal effects concerning the data subject or significantly affects them

Question 46

If a data subject request for erasure is valid, how soon must the controller commence with erasure?

Answer 46

without undue delay

Question 47

What must a controller do in the case of a request for erasure if they have made the data public?

Answer 47

take reasonable steps to inform other controllers of the erasure