This update aims to provide you with a practical overview of the most relevant changes resulting from the General Data Protection Regulation (GDPR), applicable as from 25 May 2018. This month’s issue discusses (new) rights of the data subject:
- Enhanced right to information and transparency
- Right of access and rectification
- Right to erasure or “right to be forgotten”
- Right to restriction
- Right to data portability
- What do these changes mean for you organisation?
1. Enhanced right to information and transparency
Under the current Data Protection Directive, data subjects need to be informed about:
- the controller’s identity,
- the processing purposes,
- the categories of data concerned,
- the recipients of the data and
- the existence of the right to access and rectify personal data.
Under the GDPR, controllers will see their obligation to inform the data subject enhanced as they will also have to inform the data subjects about:
- the envisaged retention period of the personal data,
- their right to withdraw their consent at any moment,
- as well as their right to lodge a complaint.
The GDPR specifically requires that the information is provided to the data subject in a concise, transparent, intelligible and easily accessible form, using clear and plain language, especially when the information is addressed to a child.
2. Right of access and rectification
Although these rights already exist under the current Data Protection Directive, under the GDPR they get a new dimension which implies additional obligations for data controllers.
The right of access grants the data subject the right to obtain confirmation from the controller as to whether his/her personal data is being processed. The controller will have to grant access to that personal data and to provide the data subject with a copy of the data upon request. Furthermore, the controller will have to provide information concerning i.e. the purpose of the processing, the categories of data that are being processed, the recipients of the data (in particular if they are located in third countries), the type of processing (automated or not).
If a data subject discovers errors in the personal data that is being processed by a controller, he/she has the right to rectification of the data without undue delay. Likewise, the data subject has the right to complete the data if it is incomplete.
3. Right to erasure or “right to be forgotten”
Following the CJEU’s ruling of 13 May 2014, also known as the “Google Spain” case[1], the GDPR has further strengthened this right which has now force of law. In particular, the data subject will have the right to request erasure of his/her personal data on several grounds. These include the following situations: (1.) when processing is no longer necessary for the intended purpose; (2.) when the data subject withdraws his/her consent; (3.) when the data subject objects to the processing and there are no overriding legitimate grounds for the processing; (4.) when the processing is unlawful; (5.) when erasure is necessary for compliance with a legal obligation; or (6.) when the data concerns a child and has been collected via information society services.
In addition to erasing the data, the controller who has made the personal data public is required to take reasonable steps, including technical measures, to inform other concerned controllers of the request to erase any link to, copy or replication of this personal data.
4. Right to restriction
Instead of requesting erasure, a data subject can also request a restriction of the processing of personal data. Restriction can be requested i.e. in case the personal data is inaccurate, or unlawful, or pending a decision on a complaint lodged by the data subject.
Where processing has been restricted, the data controller can in principle only store the personal data. Any further processing is only possible with the consent of the data subject or in a limited number of situations expressly listed in the GDPR.
5. Right to data portability
New under the GDPR is also the right to data portability. When personal data is subject to automated processing on the grounds of consent or a contractual agreement, the data subject is allowed to request that the controller provides a copy of the data concerned in a structured, commonly used, and machine-readable format. This is meant to allow the data subject to transmit those processed personal data to another controller (of his choice) without hindrance of the controller that collected the data in the first place.
6. What do these changes mean for your organisation and how can you prepare for them?
Revise privacy policies to ensure that all your obligations are covered and that rights of the data subjects are expressed in a clear, intelligible and accessible way.
Set up internal procedures and protocols for handling requests of data subjects, in particular those concerning access to personal data, rectification or completion, and restriction of processing. Such protocols should also cover procedures to verify the data subject’s identity.
Consider the implementation of user interface systems.
[1] For more information on this case, please read the press release of the CJEU:http://curia.europa.eu/jcms/upload/docs/application/pdf/2014-05/cp140070en.pdf