Seminar 13-15 - Rights of the data subjects Flashcards

1
Q

Relevant provisions?

A

● Chapter III (art. 12-23)

2
Q

Can MS restrict the rights of the data subjects?

A

Yes, MS may restrict the data subject’s rights (art. 12-22) in accordance with art. 23.

3
Q

Name some rights of the data subject?

A

● Art. 12-14: Right of transparent communication and information
● Art. 15: Right of access
● Art. 16: Right to rectification
● Art. 17: Right to erasure
● Art. 18: Right to restriction of processing
● Art. 19: Obligation to notify data recipients of rectification, erasure or restriction of processing
● Art. 20: Right to data portability
● Art. 21: Right to object
● Art. 22: Right not to be subject to automated decision making (ADM)
● Other

4
Q

What is GDPR art. 12: The right to transparent communication and information (“the principle of transparency”)?

A

● Art. 12 establishes a broad, comprehensive obligation for controllers to provide in a transparent manner the information referred to in art. 13 and 14 and any communication under art. 15-22 and 34 (notification of data breach to data subject).

5
Q

What is GDPR art. 13 and 14: The right to be informed?

A

Art. 13 and 14 deal with the right of data subjects to be informed, where data are collected directly from them (art. 13) or where data are obtained from a third party (art. 14). Providing data subjects with this information puts them in a position to effectively exercise their rights and contributes to ensuring data quality.

6
Q

Are there any exemptions from the obligation to inform?

A

Yes, there is a list of exemptions.
Any exemptions must be necessary in a democratic society and proportionate to the aim pursued.

Example:
● GDPR art. 13(4): does not apply if the data subject already has all of the relevant information - the information shall be that provided in art. 13(1).

7
Q

What is GDPR art. 15 and Charter Art. 8(2): The right of access to an individual’s own data?

A

Enhancing transparency and data control.

8
Q

What is GDPR art. 17: Right to erasure (‘the right to be forgotten’)?

A

Gives effect to data subjects’ requests to have data erased or deleted.

9
Q

Name two cases that illustrate the right to erasure?

A

See balancing in Google Spain (could be erased - DS had financial troubles), Manni (could not be erased - previous bankruptcy of his company - public interest)

10
Q

What is the main challenge with the “right to erasure”?

A

Freedom of expression.

11
Q

What are the 5 exemptions to the “right to erasure”?

A

■ (a) for exercising the right of freedom of expression and information
● See balancing in Google Spain (could be erased), Manni (could not be erased)
■ (b) for compliance with a legal obligation
■ (c) for reasons of public interest in the area of public health
■ (d) for archiving purposes in the public interest, scientific or historical research purposes or statistical purposes
■ (e) for the establishment, exercise or defence of legal claims

12
Q

What is GDPR art. 20: Right to data portability?

A

The right to data portability allows individuals to obtain and reuse their personal data for their own purposes across different services (move, copy or transfer personal data).

13
Q

Are there any sanctions? And where is that found in GDPR?

A

GDPR Art. 83 empowers MS’ supervisory authorities to impose administrative fines for infringements of the regulation.

14
Q

What are the tiers for fines under GDPR?

A

○ Art. 5, 6, 9, 7, 12-22 or 44-49: Up to € 20,000,000 or, in the case of an undertaking, 4 % of its total worldwide annual turnover (whichever is higher)
○ For other breaches: Up to € 10,000,000 or, in the case of an undertaking, 2 % of its total worldwide annual turnover (whichever is higher)

15
Q

What is the required time for providing the data subject with information? And what are the two situations that can occur?

A

The GDPR distinguishes between two scenarios and two points in time at which the data controller must provide information to the data subject:

  • Where the personal data is obtained directly from the data subject, the controller must notify the data subject about all of his or her related information and rights under the GDPR at the time the data are obtained.
  • Where the personal data has not been obtained from the data subject directly, the controller is obliged to provide the information about the processing to the data subject “within a reasonable period after obtaining the personal data, but at the latest within one month”, or before data are disclosed to a third party.
16
Q

Name an example of how a controller provides information to data subjects?

A

One of the most efficient ways to provide information is to place appropriate information clauses on the controller’s home page, such as a website privacy policy.

17
Q

Name an example of the right to object?

A

For example, this may involve blocking cookies on web pages or turning off the tracking of internet browsing.

18
Q

What’s important to remember with regard to liability/compensation with controllers, joint controllers etc.?

A

It is sufficient to bring a case against one of the joint controllers, which may then be held liable for the full damage. In such cases, a controller or processor who pays the damage is subsequently entitled to recover the sum paid from the other entities involved in the processing and responsible for the violation.

19
Q

What is the right to rectification (art. 16)?

A

According to art. 16, data subjects have the right to have their personal data rectified.

  • accuracy principle
  • completeness of data
20
Q

What does the right to data portability enhance?

A
  • Enhance informational self-determination and empower DS
  • Reduce switching costs for consumers and promote competition
  • Enhance the free flow of personal data (market integration objective)
21
Q

How fast should inaccurate personal data be rectified?

A

Inaccurate personal data must be rectified without undue or excessive delay.

22
Q

What is the fair processing principle?

A

Requires that information be easily understandable to data subjects. Language must be used which is appropriate for the addressees.

23
Q

Where are the corrective powers found in the GDPR? And what do they contain?

A

Set out in Article 58 of the GDPR.

They range from the issuing of orders, warnings and reprimands to controllers and processors, to the imposition of temporary or even permanent bans on processing activities.

24
Q

What are the assessments when balancing freedom of expression (after Google Spain)?

A

● (i) contribution to a debate of general interest
● (ii) how well-known is the person concerned and what is the subject of the report
● (iii) prior conduct of the person concerned
● (iv) method of obtaining the information and its veracity/circumstances in which the photographs were taken
● (v) content, form and consequences of the publication; and

25
Q

Why are the concepts of controller, joint controller and processor important?

A

The concepts of controller, joint controller and processor are functional concepts, in that they aim to allocate responsibilities according to the actual roles of the parties, and autonomous concepts, in the sense that they should be interpreted mainly according to EU data protection law.