Lecture 5 & 6: Data Subject's Rights Flashcards
What does not require a request from the data subject? (related to their rights, but it is an obligation of a controller)
Art. 13 & 14: Obligation to inform
When can the requests of the data subject result in fees for the data subject?
Requests are in principle free of charge (Art. 12(5)). Only where a request is manifestly unfounded or excessive, in particular because of its repetitive character, may the controller either charge a reasonable fee taking into account the administrative costs of providing the information or communication or taking the action requested, or refuse to act on the request. The controller bears the burden of demonstrating that the request is manifestly unfounded or excessive.
What does the right to Transparency of Article 12 entail?
The controller shall take appropriate measures to provide any information referred to in Art. 13 and 14 and any communication under Art. 15 to 22 and 24 relating to the processing of personal data to the data subject in a manner that is:
- concise
- transparent
- intelligible (using clear and plain language, in particular for any information addressed specifically to a child)
- easily accessible
Note: "easily accessible" means the data subject should not have to seek out the information; it should be obvious where and how to find it.
When should the information referred to in Art. 13 and 14 and any communication under Art 15 to 22 and 24 relating to the processing be communicated to the data subject?
The information shall be provided in writing, or by other means, including, where appropriate, by electronic means.
- Data collected from the data subject (Art. 13): at the time when the personal data are obtained.
- Data not obtained from the data subject (Art. 14): within a reasonable period after obtaining the data, but at the latest within one month; if the data are used for communication with the data subject, at the latest at the time of the first communication; if disclosure to another recipient is envisaged, at the latest when the data are first disclosed.
What should a controller do when it wants to further process the personal data it collected for a purpose other than the original one?
If the controller intends to further process the personal data for a purpose other than that for which they were obtained, the controller must, prior to that further processing, provide the data subject with information on that other purpose and with any other relevant information listed in Art. 13(2) / Art. 14(2).
Art. 13 and 14 are about the Duty to Inform the data subject. What should the data subject be informed about?
- Identity and contact details of the controller, and if applicable, the controller’s representative
- Contact details of data protection officer
- Purposes of the processing, as well as the legal basis for the processing
- If the processing is based on legitimate interests (Art. 6(1)(f)), which legitimate interest is pursued by the controller or by a third party
- The categories of personal data concerned (Art. 14 only, i.e. data not obtained from the data subject)
- The source of the personal data and, if applicable, whether it came from publicly accessible sources (Art. 14 only)
- the recipients or categories of recipients of the personal data, if any
- where applicable, the fact that the controller intends to transfer personal data to a third country or international organisation and the existence or absence of an adequacy decision by the Commission, or in the case of transfers referred to in Article 46 or 47, or the second subparagraph of Article 49(1), reference to the appropriate or suitable safeguards
- The period for which personal data will be stored, or if not possible, the criteria used to determine this period.
- the existence of the right to request from the controller access to and rectification or erasure of personal data or restriction of processing concerning the data subject or to object to processing as well as the right to data portability
- If the processing is based on consent, the data subject must be informed of the right to withdraw consent at any time, without affecting the lawfulness of processing based on consent before its withdrawal
- The right to lodge a complaint with a supervisory authority
- Whether the provision of personal data is a statutory or contractual requirement, or a requirement necessary to enter into a contract, as well as whether the data subject is obliged to provide the personal data and the possible consequences of failure to provide such data (Art. 13 only, i.e. data obtained from the data subject)
- the existence of automated decision-making, including profiling, referred to in Article 22(1) and (4) and, at least in those cases, meaningful information about the logic involved, as well as the significance and the envisaged consequences of such processing for the data subject.
When is the controller exempt from the duty to inform?
- The data subject already has the information (the only exemption under Art. 13 when data are collected from the data subject; the following apply only under Art. 14, when data are not obtained from the data subject)
- Providing the information proves impossible or would involve a disproportionate effort (in particular for archiving, research or statistical purposes), or the obligation to inform is likely to render impossible or seriously impair the achievement of the objectives of the processing
- Obtaining or disclosure of the personal data is expressly laid down by Union or Member State law to which the controller is subject and which provides appropriate measures to protect the data subject's legitimate interests
- The personal data must remain confidential subject to an obligation of professional secrecy regulated by Union or Member State law, including a statutory obligation of secrecy
Examples of poor practice when describing the purposes of processing in a privacy notice
- "We may use your personal data to develop new services" (unclear what the "services" are or how the data will help develop them);
- "We may use your personal data for research purposes" (unclear what kind of "research" this refers to); and
- "We may use your personal data to offer personalised services" (unclear what the "personalisation" entails).
Vague qualifiers such as "may" and "might" should be avoided: the data subject is left unsure whether the processing will actually take place.
What does Art. 15 “the right to access” entail?
Individuals have the right to obtain confirmation as to whether personal data concerning them are being processed and, where that is the case, access to that data together with information about the processing (purposes, categories of data, recipients, retention period, their rights, the source of the data, and any automated decision-making), plus a copy of the data.
This is often referred to as a subject access request (SAR).
An individual only has the right to access their own personal data. Where records also contain other people's data, the copy provided must not adversely affect the rights and freedoms of others (Art. 15(4)). A request may be made on behalf of the data subject by an authorised third party (for example a parent or legal representative).
Individuals can make a subject access request verbally or in writing.
What is the maximum amount of time a controller should reply to a request?
1 month from receipt of the request (Art. 12(3)). This may be extended by two further months where necessary, taking into account the complexity and number of requests, but the data subject must be informed of the extension and the reasons for it within the first month.
What does Art. 16 “the right to rectification” entail?
The GDPR gives individuals the right to have inaccurate personal data rectified and incomplete personal data completed (including by means of a supplementary statement). Personal data is inaccurate if it is incorrect or misleading as to any matter of fact.
What does Art. 17 “the right to erasure”/ “the right to be forgotten” entail?
Individuals can make a verbal or written request for their data to be erased
Art. 17 “the right to erasure” is not the only way in which the GDPR places an obligation on you to consider whether to delete personal data. Do you remember which other one states that you should delete personal data? In which circumstances?
The basic principles of Art. 5. Storage limitation (Art. 5(1)(e)): personal data must not be kept in a form that permits identification for longer than is necessary for the purposes of the processing. Data minimisation (Art. 5(1)(c)) likewise requires that the data be limited to what is necessary for those purposes.
When does the right to erasure apply?
- The personal data is no longer necessary for the purpose which you originally collected or processed it for;
- You are relying on consent as your lawful basis for holding the data, and the individual withdraws their consent;
- You are relying on legitimate interests as your basis for processing, the individual objects to the processing of their data, and there is no overriding legitimate interest to continue this processing;
- You are processing the personal data for direct marketing purposes and the individual objects to that processing;
- You have processed the personal data unlawfully (i.e. in breach of the lawfulness requirement of the first principle);
- You have to erase it to comply with a legal obligation under Union or Member State law; or
- You have processed the personal data to offer information society services to a child.
Caveat: the right does not apply where processing is necessary for, among other things, exercising the right of freedom of expression and information, complying with a legal obligation, reasons of public interest in public health, archiving or research purposes, or establishing, exercising or defending legal claims (Art. 17(3)).
What does Art. 18 “Right to restriction of processing” entail?
Individuals have the right to, verbally or in writing, request a restriction of processing in the following circumstances:
- the individual contests the accuracy of their personal data and you are verifying the accuracy of the data;
- the data has been unlawfully processed (i.e. in breach of the lawfulness requirement of the first principle of the GDPR) and the individual opposes erasure and requests restriction instead;
- you no longer need the personal data but the individual needs you to keep it in order to establish, exercise or defend a legal claim; or
- the individual has objected to you processing their data under Article 21(1), and you are considering whether your legitimate grounds override those of the individual.