Module 5: Data Subject Rights Flashcards
What are the data subject rights? (8)
Access Rectification Data portability Erasure Right to be forgotten Restriction Objection Rights relating to automated decision making and profiling
What is the right of access?
DSARs!
A data subject is entitled to a confirmation of processing and access to the data being processed.
They are also entitled to supplementary information:
Purpose of processing
Categories of personal data
Recipients
Retention period
Additional data subject rights
The source of personal data
Awareness of any automated decision making being used, if applicable
They are also entitled to know the appropriate safeguards for data transfers in place, and to a copy of their personal data.
What is rectification?
The correction of records of personal data, where believed to be objectively or subjectively incorrect, and the completion of records.
When might the right to rectification be restricted?
The right of rectification is restricted in certain circumstances under Section 60 of the Data Protection Act 2018, which provides for restrictions that are necessary for important objectives of public interest, and by Section 43 of the Act which seeks to balance the right of rectification with the right of freedom of expression and information
What is data portability?
Under Article 20: data subjects may be entitled to obtain their personal data from a controller in a format that makes it easier to reuse the information in another context and transmit the data to another controller without hindrance. I.e. it’s the right to move personal data from one company to another (e.g. bank account switching).
The right to data portability only applies when…
processing is carried out by automated means and the subject has either consented to the processing or the processing is conducted on the basis of a contract between the subject and the controller.
When the right to portability applies, the controller must provide and transmit personal data …
In structured, commonly used and machine readable format (i.e. it needs to be easily processed by a computer).
Under this right, a data controller can transmit a data subject’s data to another controller if such transmission is technically feasible.
What are the cumulative conditions of data portability?
Personal data being processed automatically on the basis of consent or the performance of a contract
Relates only to personal data concerning and from the data subject
The portability request does not adversely affect the rights and freedoms of others
What is the right to erasure?
The right to request that an organisation ceases processing and deletes personal information.
What is the right to be forgotten?
The right to ensure that information is erased by third parties, including links, copies and replications.
What is the right to restriction of processing?
The marking of stored personal data
When may the right to restriction of processing be applicable?
Sometimes used while a dispute is resolved or as an alternative to erasure
When lifting a restriction of processing, the controller has an obligation…
to notify the data subject and provide them with the opportunity to object.
What is the right to object processing?
A data subject’s right to object to data being processed when it’s processed for public interest or legitimate interests, research or statistical purposes or direct marketing purposes.
What is profiling?
Automated processing of personal data to evaluate, analyse and predict personal aspects relating to a natural person.