Module 5 - Data Subject Rights Flashcards
What are a data subject’s eight rights under GDPR?
Right to:
- Access;
- Rectification;
- Stop processing;
- Erasure / ‘to be forgotten’;
- Portability;
- Restriction;
- Objection;
- Not to have decisions solely based upon automated decision-making / profiling.
What does the right to access comprise (‘DSAR’)?
- Confirmation of processing and access.
- Processing-related information - purpose, data categories, recipients, retention period, any additional DS rights, source and any automated decision-making.
How quickly must a DSAR be processed?
- Without undue delay and within one month.
- Two-month delay may be justified and confirmed for complex or burdensome requests.
- EDPB: Applicant need not provide a reason for the request.
What are the limitations of a DSAR?
- DSAR must disclose requester.
- Manifestly unfounded or requests that request the access right are not competent.
- Request scope restricted by third-party rights and freedoms (recital 63, GDPR - trade secrets and IP similarly restricted from disclosure).
What is the right to rectification under article 16, GDPR?
- Must be made without undue delay.
- May be made to CORRECT INACCURATE DATA or COMPLETE INCOMPLETE DATA.
What is the right to data portability under article 20, GDPR?
- Available if CONSENT or CONTRACT PERFORMANCE used as lawful processing grounds.
- Extension of ACCESS RIGHT.
- Applicable only to DIGITAL DATA and cannot affect the rights and freedoms of others.
- Entails transfer of data to data subject or ANOTHER CONTROLLER in structured, commonly-used and machine-readable formatted data.
- Data portability does NOT TRIGGER ERASURE.
What is the right of erasure and ‘to be forgotten’ under articles 17 / 19, GDPR?
- Comprises CESSATION OF PROCESSING and DELETION OF PERSONAL DATA.
- Not absolute right - exercisable only if:
1. Data NO LONGER NECESSARY;
2. If consent has been provided, CONSENT IS WITHDRAWN;
3. If legitimate interests-based processing is relied upon, OBJECTION IS COMMUNICATED;
4. Processing is UNLAWFUL;
5. Consent is withdrawn for a child in relation to information society services; OR
6. Compliance with EU and MS law.
- Right to have public data erased exists in terms of data made public by controller.
- Right requires notification to other link-hosting controllers that DS has requested erasure (Google Spain v. AEPD / Gonzalez).
What does the right of restriction prescribe under article 18, GDPR?
- Ongoing storage of data without any other further processing.
- Reconciles a requirement to store data, with DS rights and any public interest.
- Once restricted, further processing possible only with:
1. New DS consent;
2. To establish or defend legal claims;
3. To protect another; or
4. For important public interest reasons.
- Controller must inform DS before lifting restriction.
What is the right to object to processing provided under article 21, GDPR?
- Relevant in three settings, where processing based upon:
1. Public or legitimate interest - NOT ABSOLUTE - OVERRIDE POSSIBLE if controller proves COMPELLING, LEGITIMATE INTEREST that OVERRIDES DS INTERESTS, rights and freedoms.
2. Research or statistical purposes - NOT ABSOLUTE - OVERRIDDEN if processing NECESSARY FOR TASK PERFORMED IN PUBLIC INTEREST.
3. Direct marketing - ABSOLUTE - marketing and profiling must cease.
What are the exemptions to the right not to be subject to a decision or profiling based solely on automated processing (producing legal effects upon the DS or significantly affecting the DS) under article 22, GDPR? (/ profiling)
- Three chief exemptions:
1. Explicit consent - check EDPB guidance;
2. Necessity for conclusion or performance of a contract; or
3. Relief under MS law.
- For special category personal data, two chief exemptions:
1. Explicit consent - check EDPB guidance; or
2. Substantial public interest based upon EU or MS law.
- SAFEGUARDS must be put in place; the right is particularly robust for processing of children’s data.
- EDPB guidance - provide MEANINGFUL INFORMATION ABOUT LOGIC involved; consider use of PROFILES TO ALLOW DS CORRECTION OF INACCURACIES; explain RIGHT TO OBJECT.