The Rights of Data Subjects Under GDPR, Explained
The European Union's (EU) data protection law, the General Data Protection Regulation (GDPR, Regulation (EU) 2016/679), is widely regarded as the highest standard of data protection available to consumers today, and it remains one of the most comprehensive pieces of technology regulation anywhere. The EU adopted the GDPR in 2016, and it has applied since 25 May 2018. Where did the GDPR get its start? It replaced the 1995 Data Protection Directive (95/46/EC), adopted when the internet was still in its infancy. But what rights does the GDPR give data subjects? Here's what you need to know.
Rights of Data Subjects Under the GDPR
What rights does the GDPR give data subjects? Chapter III of the regulation grants individuals a set of specific rights over their personal data and over how it may be handled in particular circumstances. These rights are:
- The right to access
- The right to rectification
- The right to erasure
- The right to restriction of processing
- The right to be informed
- The right to data portability
- The right to object
- The right to not be subject to a decision based solely on automated processing
All of the rights listed above belong to data subjects who are in the EU, whatever their nationality. As with HIPAA in the US, companies and their employees must comply with the GDPR whenever it applies to the data they handle, and it reaches organizations outside the EU that offer goods or services to, or monitor the behaviour of, people in the EU. Otherwise, they risk monetary penalties. Find out more about popular courses designed for employees. These courses give business owners peace of mind and safeguards against consumer data violations. Would you like a closer look at each of these eight rights and what they grant consumers? Keep reading as we explore each right and its implications for business and online commerce.
The Data Subject's Right #1: Access
What does the GDPR mean by access? Data subjects have the right to obtain the personal data a company holds about them. In other words, if a data subject asks, the company processing the data (the controller) must provide it.
What Data Access Covers
To what does a data subject ultimately have access? The response must include:
- Confirmation of whether the company is processing the person's data
- A copy of the personal data being processed
- Supplementary information (e.g., the purposes of processing, the recipients, the retention period and the other mandatory privacy information)
How long does a company have from receipt of a request to provide the information? One month, which may be extended by two further months where requests are complex or numerous, provided the data subject is told within the first month why the extension is needed.
How may requests be made? Both verbal and written requests are valid, including:
- Web forms
- Phone calls
- Letters and emails
Where should these requests go? The GDPR doesn't require that requests be addressed to any particular department, so any employee who receives one must recognise it and route it internally. The request doesn't have to contain the phrase "subject access request"; it only has to ask for personal data. The company may ask for additional information to confirm the requester's identity where it has reasonable doubts about who is asking, but the requester does not have to be an EU citizen: the right belongs to anyone whose data is processed under the GDPR.
Who Can Request This Data?
Who can request this information? The individual whose personal data is being processed. Someone acting on that person's behalf (for example a parent, a lawyer, or a holder of a power of attorney) may also submit a request, and the company should confirm that the representative is authorised. Where the requested data also concerns other people, the company must balance the request against their rights, since the right to obtain a copy must not adversely affect the rights and freedoms of others.
The Data Subject's Right #2: Rectification
What other rights does the GDPR guarantee to data subjects? When personal data is inaccurate, individuals have the right to have it corrected, and controllers must carry out these corrections without undue delay. Individuals may also have incomplete data completed, including by providing a supplementary statement. Again, companies have one month to respond, and requests may be made verbally or in writing.
The Data Subject's Right #3: Erasure
Individuals in the European Union also have the right to be forgotten. In other words, they may request the erasure of their personal data. Which data falls under the right of erasure? It includes:
- Data unlawfully processed
- Data no longer required for the original purpose
- Data that relies on consent since withdrawn
- Data about a consumer exercising their right to object
When it comes to data a company no longer needs for its original purpose, a caveat exists: if the company can show another lawful ground for keeping the data, the GDPR may permit retention. The right is not absolute in other respects either. Erasure need not be carried out where the processing is necessary for exercising the right of freedom of expression and information, for compliance with a legal obligation, for reasons of public interest in the area of public health, for archiving, scientific or historical research or statistical purposes, or for the establishment, exercise or defence of legal claims. What's the takeaway? Companies must comply promptly with valid erasure requests or face significant fines.
The Data Subject's Right #4: Restriction of Processing
European consumers also have the right to restrict the processing of their personal data, subject to some rules and exceptions. When can EU consumers request restricted processing? When one of the following conditions is met:
- The consumer believes the data is inaccurate
- The consumer claims unlawful processing, but they don't wish for data erasure
- The company no longer needs the data, and the consumer requires it to exercise a legal claim
- The consumer has objected to the processing (see right #7), and the company is still verifying whether its legitimate grounds override the consumer's
What happens when a company receives a restriction request? The company may still store the data, but it may not otherwise process it except with the individual's consent, for the establishment, exercise or defence of legal claims, to protect the rights of another person, or for reasons of important public interest, and it must tell the individual before lifting the restriction. What else must companies remember in cases of erasure, rectification, and restriction? They must notify every recipient with whom they've shared the data, unless this proves impossible or involves disproportionate effort, and must tell the individual who those recipients are if asked.
The Data Subject's Right #5: To Be Informed
What's one of the most prominent rights outlined in the GDPR? The data subject's right to be informed. How does the GDPR enforce this? By requiring controllers to tell data subjects, in several specific areas, what they do with their data. Controllers must provide clear, accurate information. Why the robust focus on being informed? Because consumers have the right to make educated decisions: if you don't know how your data is used, how can you make meaningful decisions about it? For the same reason, the controller must tell the data subject who the recipients of their data are.
Information Companies Must Provide
What must this information include? Companies must inform data subjects about:
- The identity and contact details of the business (and of its data protection officer, where it has one)
- The data processing activities carried out, their purposes and their lawful basis
- The rights available to data subjects regarding the processing
- The length of time a company retains data, or the criteria used to decide it
- The right to lodge a complaint with a supervisory authority
Businesses should understand that the list above isn't exhaustive. For example, if a company obtains personal data from a third party rather than from the individual, it must disclose additional information, including the categories of personal data obtained and the source of that data.
When to Disclose This Information
Data collectors must inform individuals about how they gather, store, and use personal data. But when must a company furnish this information? When the data is collected from the individual, the company must provide the privacy information at the time of collection. When the data comes from another source, it must be provided within a reasonable period and at the latest within one month, or at the first communication with the individual, or when the data is first disclosed to another recipient, whichever comes first. Companies must present this information in a transparent, concise, and intelligible way, it must be easy to access, and it must be provided free of charge. Additional details you may need to disclose include the identity of any representative the company has appointed in the EU, what the legitimate interests for processing are, and any third parties with which the personal data is shared.
The Data Subject's Right #6: Data Portability
The right to data portability lets individuals obtain the personal data they have provided to a controller and reuse it elsewhere, including by having it transmitted directly to another controller where technically feasible. The data must be supplied in a structured, commonly used, machine-readable format. The right applies only when three conditions are met together: the data is personal data the individual provided to the controller; the processing is based on the individual's consent or on a contract; and the processing is carried out by automated means. Which types of data fall under this portion of the GDPR?
- Traffic data
- Location data
- Browsing history
- Raw data processed by connected objects (e.g., wearable devices and smart meters)
That said, some data isn't covered. Data the company has derived or inferred from what the individual provided (e.g., a user profile or score the company built itself) falls outside the right. The right also doesn't apply where the company processes personal data on the basis of legitimate interests or public interest rather than consent or contract. Nor does it apply where the company can no longer link the data to the individual, although pseudonymised data that the company can still clearly tie to the person remains in scope.
The Data Subject's Right #7: Object
The GDPR also clearly sets out the right of data subjects to object to the processing of their personal data. An objection is distinct from an erasure request, although a successful objection is itself a ground for erasure (see right #3); it concerns whether the company may continue a particular use of the data at all. When does the right to object apply? Only in specific circumstances, which depend on the company's purposes for processing and the lawful basis it relies on. Where the purpose is direct marketing, the right is absolute: data subjects may always object, and the company must stop using their data for that purpose. Otherwise, the individual must give grounds relating to their particular situation, and the company must stop unless it can demonstrate compelling legitimate grounds that override the individual's interests, rights and freedoms, or the processing is needed for legal claims. The lawful bases to which the right to object applies are:
- The exercise of official authority vested in a company
- A task carried out in the public interest
- A company's legitimate interests (or those of a third party)
Given the circumstances above, are these rights absolute? Not entirely. Where data is processed for scientific or historical research or for statistical purposes, the individual may still object on grounds relating to their particular situation, but not where the processing is necessary for a task carried out in the public interest.
The Data Subject's Right #8: No to Automated Processing
The eighth right protects data subjects from decisions based solely on automated processing, including profiling, that produce legal effects concerning them or similarly significantly affect them (the regulation's own example is an automatic refusal of an online credit application). It does not forbid automation as such: a company may automate how it collects and stores data, but it may not let a machine alone make a significant decision about a person unless an exception applies. The GDPR explicitly targets:
- Automated individual decision-making processes
- Profiling as a part of automated decision-making processes
To protect individuals, such decision-making is permitted only when it is necessary for entering into or performing a contract with the individual, when it is authorised by EU or Member State law that lays down suitable safeguards, or when the individual has given explicit consent. Even then, companies must tell individuals that automated decision-making is taking place and give meaningful information about the logic involved and its consequences. They must provide simple ways for individuals to request human intervention and express their point of view, provide a means of challenging the decision, and monitor the system to ensure it works as intended. How can companies ensure they remain compliant and up-to-date with these and other privacy-related laws? Through IACET accredited courses.
What to Know About the GDPR
The GDPR continues to set the standard for the protection of online consumers. The regulation sets out eight rights designed to safeguard individuals in the EU against the unlawful collection and use of personal data. The GDPR is just one of several bodies of legislation that companies must understand and observe, or face the risks of non-compliance. What comes with non-compliance? Fines of up to EUR 20 million or 4% of worldwide annual turnover, whichever is higher, along with orders restricting or banning processing. What are some other examples of legislation put forth to protect consumers from unlawful data collection? They include the California Consumer Privacy Act (CCPA) and Brazil's Lei Geral de Proteção de Dados (LGPD). What steps can you take to ensure your employees comply with regulations such as the GDPR or even HIPAA? It starts with professional development education. Check out these frequently asked questions about getting your employees the training they require.