WHAT RIGHTS DOES THE DATA SUBJECT HAVE?

If entities process personal data, different rights for data subjects directly arise from the processing. Some are regulated in Chapter III of the General Data Protection Regulation, which will become effective as of 25 May 2018. Further rights may stem from other legal provisions.

The rights of data subjects are presented in extracts below.

Right of Access

Right to Rectification

Right to Restriction

Right to Erasure

Right to object

Data Portability

THIS IS WHAT THE LAW SAYS.

Right of Access of the Data Subject, Art. 15 GDPR

Art. 15 GDPR grants the data subject a right of access in relation to the controller. Under this provision, the data subject may require the controller to confirm whether or not personal data concerning him or her are being processed.

If the controller processes the personal data of the data subject, information about the personal data, the purposes of the processing, the categories of the personal data concerned, the recipients or categories of recipients to whom the personal data have been or will be disclosed as well as, where possible, the envisaged period for which the personal data will be stored, or, if not possible, the criteria used to determine that period and the existence of the rights to rectification, erasure, restriction of processing or a right to object and the existence of the right to lodge a complaint with the supervisory authority shall be provided.

Where the personal data are not collected from the data subject, any available information as to their source shall be disclosed. In the case of automated decision-making, including profiling according to Art. 22 (1) and (4) GDPR, at least in those cases, meaningful information about the logic involved, as well as the significance and the envisaged consequences of such processing for the data subject shall be communicated.

Where personal data are transferred to a third country or to an international organisation, the data subject shall have the right to be informed of the appropriate safeguards pursuant to Art. 46 GDPR relating to the transfer. In addition, the controller shall provide a copy of the personal data undergoing processing.

Right to Rectification, Art. 16 GDPR

Art. 16 GDPR grants the data subject the right to rectification of inaccurate personal data concerning him or her. Under that provision, he or she has the right to obtain from the controller without undue delay the rectification of inaccurate personal data concerning him or her. In addition, the legislation grants the data subject the right to demand to have incomplete personal data completed, including by means of providing a supplementary statement.

Right to Erasure, Art. 17 GDPR

Art. 17 of the General Data Protection Regulation provides for the right to erasure, which is also known as the “right to be forgotten”. The provision grants the data subject the right to require the controller to immediately erase the personal data concerning him or her.

The legal requirement obliges the controller to immediately erase personal data upon request, if one of the following grounds applies:

a) The personal data are no longer necessary in relation to the purposes for which they were collected or otherwise processed;

b) The data subject withdraws consent on which the processing is based according to point (a) of Art. 6(1) GDPR, or point (a) of Art. 9(2) GDPR, and where there is no other legal ground for the processing;

c) The data subject objects to the processing pursuant to Art. 21(1) GDPR and there are no overriding legitimate grounds for the processing, or the data subject objects to the processing pursuant to Art. 21(2) GDPR;

d) The personal data have been unlawfully processed;

e) The personal data have to be erased for compliance with a legal obligation in Union or Member State law to which the controller is subject;

f) The personal data have been collected in relation to the offer of information society services referred to in Art. 8(1) GDPR.

Furthermore, Art. 17 (2) GDPR provides that where the controller has made the personal data public and is obliged pursuant to Art. 17 (1) GDPR to erase the personal data, the controller, taking account of available technology and the cost of implementation, shall take reasonable steps, including technical measures, to inform controllers which are processing the personal data that the data subject has requested the erasure by such controllers of any links to, or copy or replication of, those personal data.

These provisions are somewhat restricted by Art. 17 (3) GDPR. According to this provision, Art. 17 (1) and (2) GDPR shall not apply to the extent that processing is necessary (a) for exercising the right of freedom of expression and information; (b) for compliance with a legal obligation which requires processing by Union or Member State law to which the controller is subject or for the performance of a task carried out in the public interest or in the exercise of official authority vested in the controller; (c) for reasons of public interest in the area of public health in accordance with points (h) and (i) of Art. 9 (2) GDPR as well as Art. 9 (3) GDPR; (d) for archiving purposes in the public interest, scientific or historical research purposes or statistical purposes in accordance with Art. 89 (1) GDPR in so far as the right referred to in Art. 17 (1) is likely to render impossible or seriously impair the achievement of the objectives of that processing; or (e) for the establishment, exercise or defence of legal claims.

Right to Restriction of Processing, Art. 18 GDPR

In Art. 18 GDPR, the European legislator regulates the right to restriction of processing. According to that provision, the data subject shall have the right to obtain from the controller restriction of processing where one of the following applies: (a) the accuracy of the personal data is contested by the data subject, for a period enabling the controller to verify the accuracy of the personal data; (b) the processing is unlawful and the data subject opposes the erasure of the personal data and requests the restriction of their use instead; (c) the controller no longer needs the personal data for the purposes of the processing, but they are required by the data subject for the establishment, exercise or defence of legal claims; (d) the data subject has objected to processing pursuant to Art. 21 (1) GDPR pending the verification whether the legitimate grounds of the controller override those of the data subject.

Pursuant to Art. 18 (2) GDPR, where processing has been restricted under Art. 18 (1) GDPR, such personal data shall, with the exception of storage, only be processed with the data subject’s consent or for the establishment, exercise or defence of legal claims or for the protection of the rights of another natural or legal person or for reasons of important public interest of the Union or of a Member State.

Furthermore, a data subject who has obtained restriction of processing pursuant to Art. 18 (1) GDPR shall be informed by the controller before the restriction of processing is lifted, Art. 18 (3) GDPR.

Right to Data Portability, Art. 20 GDPR

The right to data portability was standardized in Art. 20 GDPR. According thereto, the data subject shall have the right to receive the personal data concerning him or her, which he or she has provided to a controller, in a structured, commonly used and machine-readable format and have the right to transmit those data to another controller without hindrance from the controller to which the personal data have been provided, where: (a) the processing is based on consent pursuant to Article 6 (1) lit. a GDPR or Art. 9 (2) lit. a GDPR or on a contract pursuant to Art. 6 (1) lit. b GDPR; and (b) the processing is carried out by automated means.

Pursuant to Art. 20 (2) GDPR, in exercising his or her right to data portability pursuant to Art. 20 (1) GDPR, the data subject shall have the right to have the personal data transmitted directly from one controller to another, where technically feasible.

It is clear from Art. 20 (2) 1 sentence GDPR that the exercise of the right to data portability shall be without prejudice to the right to erasure (Art. 17 GDPR). Art. 20 (2) 2 sentence GDPR stipulates that the right to data portability shall not apply to processing necessary for the performance of a task carried out in the public interest or in the exercise of official authority vested in the controller.

Right to object, Art. 21 GDPR

Art. 21 GDPR regulates the right of the data subject to object. Pursuant to Art. 21 (1) 1 sentence GDPR, the data subject shall have the right to object, on grounds relating to his or her particular situation, at any time to processing of personal data concerning him or her which is based on Art. 6 (1) lit. e or lit. f GDPR.

In accordance with Art. 21 (1) 2 sentence GDPR, the controller shall no longer process the personal data unless the controller demonstrates compelling legitimate grounds for the processing which override the interests, rights and freedoms of the data subject or for the establishment, exercise or defence of legal claims.

If the controller processes the personal data for direct marketing purposes, Art. 21 (2) GDPR grants the data subject the right to object at any time to processing of personal data concerning him or her for such marketing, which includes profiling to the extent that it is related to such direct marketing.

Art. 21 (3) GDPR provides that where the data subject objects to processing for direct marketing purposes, the personal data shall no longer be processed for such purposes.

Art. 21 (4) GDPR obliges the controller, at the latest at the time of the first communication with the data subject, to explicitly bring the right referred to in Art. 21 (1) and (2) GDPR to his or her attention, clearly and separately from any other information.