Individual’s rights under GDPR

Sagara Gunathunga
9 min readSep 11, 2017


Understand the rights of your customers

Recognition of the individual's control over his or her own personal data is the fundamental achievement of the GDPR. To give that principle effect, the GDPR defines a set of rights and a process through which individuals exercise them. To be compliant, an organization that processes personal data must recognize these rights and make it practical for each individual to exercise them.

  1. The right to transparency and modalities.
  2. The right to be informed.
  3. The right of access.
  4. The right to rectification.
  5. The right to be forgotten.
  6. The right to restrict processing.
  7. The notification obligation regarding rectification, erasure and restriction.
  8. The right to data portability.
  9. The right to object.
  10. The rights in relation to automated decision-making and profiling.

The right of transparency and modalities

The organization must provide the information relating to the following activities in a concise, transparent, intelligible and easily accessible form, using clear and plain language; it may also use appropriate visualizations such as standardized icons. Special care is expected for any information addressed to a child.

  1. When personal data are collected from the data subject.
  2. When personal data are not collected directly from the data subject.
  3. When communicating with an individual about the right of access.
  4. When communicating with an individual about automated individual decision-making.
  5. When communicating with an individual about a personal data breach.

Organizations must make it easy for individuals to exercise the rights set out in Articles 15 to 22, from the right of access through to the rights concerning automated decision-making. The only ground on which an organization may refuse to act is that it can demonstrate it is not in a position to identify the individual making the request.

When an individual makes a request under any of these rights, the organization must act without undue delay and within the following time limits.

  1. In general, within one month of receipt of the request.
  2. Taking into account the complexity and number of requests, the one month period can be extended by two further months, but the organization must inform the individual of the extension, together with the reasons for the delay, within the first month.
  3. If the organization does not act on the request, it must inform the individual within one month of the reasons for not acting and of the possibility of lodging a complaint with a supervisory authority or seeking a judicial remedy.

The information, and any action taken on the request, must be provided free of charge. Only where requests are manifestly unfounded or excessive, for example because they are repetitive, may the organization charge a reasonable fee for the administrative cost or refuse to act. The organization must also verify the identity of the requester before disclosing anything; where it has reasonable doubts, it may ask for the additional information needed to confirm identity. From a security standpoint this check is not a formality: a subject access request answered to the wrong person is itself a personal data breach.

The right to be informed

Individuals must be informed about the processing at the time their data are collected. When personal data are collected directly from an individual, the organization must provide the following information at the time of collection.

  1. The organization's identity and contact details and, where applicable, those of its representative in the EU.
  2. Contact details of the data protection officer (if applicable).
  3. The purposes of and legal basis for the processing; where the basis is legitimate interests, what those interests are.
  4. Recipients or categories of recipients.
  5. Details of any data transfer outside the EU, including how the data will be protected and how an individual can obtain a copy of the implemented safeguards.
  6. The retention period for the personal data or, if that is not possible, the criteria used to determine it (e.g. 1 year after the end of the contractual relationship).
  7. That the data subject has a right to access and rectify his or her personal data, to object to or request erasure or restriction of the processing, and to data portability.
  8. Where the processing is based on consent, that the data subject has a right to withdraw consent at any time.
  9. That the data subject can lodge a complaint with a supervisory authority.
  10. Whether there is a statutory or contractual requirement to provide the data, or whether providing it is necessary to enter into a contract, and the consequences of not providing it.
  11. Whether automated decision-making, including profiling, will take place and, if so, meaningful information about the logic involved and its significance and envisaged consequences.

Where personal data are NOT collected directly from the individual, the organization must provide the same information as above, except item 10 (which only makes sense when the individual provides the data), plus the following.

  1. The categories of personal data concerned.
  2. The source from which the personal data originate and, if applicable, whether they came from publicly accessible sources.

This information must be given within a reasonable period after obtaining the data and at the latest within one month; if the data are to be used to communicate with the individual, at the latest at the time of the first communication; and if disclosure to another recipient is envisaged, at the latest when the data are first disclosed.

If the organization intends to further process the personal data for a purpose other than the one for which they were collected, it must inform the individual of the new purpose before that further processing starts. Where EU or member state law expressly requires the organization to obtain or disclose the data, these information duties do not apply to that extent, and where the individual already has the information it need not be repeated.

The right of access

Each individual has the right to obtain from the organization confirmation of whether his or her personal data are being processed and, if so, access to the data and to information about how they are used. In practice this is done by submitting a subject access request (SAR). The organization is obliged to provide a copy of the personal data undergoing processing.

According to the GDPR, the organization must provide the following to the individual on request.

  1. Confirmation of whether or not personal data concerning him or her are being processed.
  2. Where that is the case, access to the personal data themselves.
  3. The purposes of the processing.
  4. The categories of personal data concerned.
  5. The recipients or categories of recipient to whom the personal data have been or will be disclosed.
  6. Where possible, the envisaged period for which the personal data will be stored or, if not possible, the criteria used to determine that period.
  7. The existence of the right to request rectification or erasure of personal data or restriction of processing, to object to processing, and to lodge a complaint with a supervisory authority.
  8. Where the personal data were not collected from the individual, any available information about their source.
  9. The existence of automated decision-making, including profiling, and meaningful information about the logic involved.

In addition, where personal data are transferred to a third country or to an international organization, the individual has the right to be informed of the safeguards applied to the transfer. The right to obtain a copy must not adversely affect the rights and freedoms of others, which includes trade secrets and intellectual property such as copyright in software; an organization may redact such material, but it cannot use this as a reason to refuse all information.

The right to rectification

Individuals have the right to have inaccurate personal data concerning them corrected without undue delay and, taking into account the purposes of the processing, to have incomplete personal data completed, including by means of a supplementary statement.

The right to be forgotten

Individuals have the right to have their personal data erased without undue delay, and the organization is obliged to comply, in any of the following situations.

  1. The personal data are no longer necessary for the purpose for which they were collected.
  2. The individual withdraws the consent on which the processing was based and there is no other legal ground for the processing.
  3. The individual objects to the processing under the right to object and there are no overriding legitimate grounds, or objects to processing for direct marketing.
  4. The personal data have been unlawfully processed.
  5. The personal data have to be erased to comply with a legal obligation under EU or member state law.
  6. The personal data were collected from a child in relation to the offer of information society services.

For example, if an individual is no longer a customer of your business, or has withdrawn the consent under which your company used the personal data, the individual has the right to request deletion.

Where the organization has made the personal data public and is obliged to erase them, it must also take reasonable steps, including technical measures, to inform other organizations processing the data that the individual has requested erasure of any links to, copies of, or replications of those data. In practice an erasure workflow has to reach caches, search indexes, backups and downstream processors, not only the primary database.

The right to erasure does not apply where the processing is necessary for exercising the right of freedom of expression and information, for compliance with a legal obligation, for reasons of public interest in the area of public health, for archiving, research or statistical purposes, or for the establishment, exercise or defence of legal claims.

The right to restrict processing

An individual can ask an organization to restrict the processing of his or her personal data. The organization may continue to store the data, but the purposes for which they can be processed are strictly limited: with the individual's consent, for the establishment, exercise or defence of legal claims, to protect the rights of another person, or for reasons of important public interest. To support this, the organization needs a way to segregate or flag the affected data so that ordinary processing jobs skip it. An individual can request restriction in the following situations.

  1. The individual contests the accuracy of the personal data, for the period during which the organization verifies it.
  2. The processing is unlawful, but the individual opposes erasure and requests restriction of use instead.
  3. The organization no longer needs the personal data for the original purpose, but the individual requires them for the establishment, exercise or defence of legal claims.
  4. The individual has objected to the processing, pending verification of whether the organization's legitimate grounds override those of the individual.

Before lifting any restriction, the organization must inform the individual.
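The segregation the section describes is easiest to enforce if every use of a record passes through one gate that knows about the restriction flag. The following is an added example written for this post, not code from the original article or from WSO2; the record layout, the purpose names and the in-memory audit trail are assumptions for illustration, while the grounds and the permitted purposes follow Article 18.

```python
"""Processing gate for the right to restrict processing (GDPR Art. 18).

Added example for this post; it is not code from the original article or
from WSO2. The record layout, purpose names and in-memory audit trail are
assumptions for illustration.
"""
from dataclasses import dataclass, field
from enum import Enum
from typing import Optional


class RestrictionGround(Enum):
    """Art. 18(1) situations in which the individual can demand restriction."""
    ACCURACY_CONTESTED = "18(1)(a)"        # while the organization verifies accuracy
    UNLAWFUL_OPPOSES_ERASURE = "18(1)(b)"  # unlawful processing, subject wants restriction not erasure
    NEEDED_FOR_LEGAL_CLAIMS = "18(1)(c)"   # organization no longer needs the data, the subject does
    OBJECTION_PENDING = "18(1)(d)"         # Art. 21 objection, balancing test still pending


# Art. 18(2): while restricted, the data may be stored but otherwise processed
# only with consent, for legal claims, to protect another person's rights, or
# for important public interest. The purpose names themselves are assumed.
ALLOWED_WHILE_RESTRICTED = {"storage", "legal_claims", "protect_third_party", "public_interest"}


class RestrictedProcessing(Exception):
    """Raised when a job tries to use restricted data for a non-permitted purpose."""


@dataclass
class SubjectRecord:
    subject_id: str
    data: dict
    restriction: Optional[RestrictionGround] = None
    consented_purposes: set = field(default_factory=set)  # Art. 18(2) consent exception
    audit: list = field(default_factory=list)


def restrict(rec: SubjectRecord, ground: RestrictionGround) -> None:
    """Flag the record; every processing path must go through process()."""
    rec.restriction = ground
    rec.audit.append(("restricted", ground.value))


def process(rec: SubjectRecord, purpose: str) -> dict:
    """Single choke point for using a record. Returns the data or raises."""
    if (rec.restriction is not None
            and purpose not in ALLOWED_WHILE_RESTRICTED
            and purpose not in rec.consented_purposes):
        rec.audit.append(("blocked", purpose))
        raise RestrictedProcessing(
            f"{rec.subject_id}: purpose {purpose!r} blocked, restriction under Art. {rec.restriction.value}")
    rec.audit.append(("processed", purpose))
    return rec.data


def lift_restriction(rec: SubjectRecord, subject_informed: bool) -> None:
    """Art. 18(3): the individual must be informed before the restriction is lifted."""
    if rec.restriction is None:
        return
    if not subject_informed:
        raise ValueError("inform the data subject before lifting the restriction")
    rec.audit.append(("restriction_lifted", rec.restriction.value))
    rec.restriction = None


def demo() -> list:
    """Walk a record through restrict -> blocked job -> allowed job -> lift."""
    # Constructed sample record, not real data.
    rec = SubjectRecord("u-1001", {"email": "alice@example.com", "segment": "gold"})
    process(rec, "marketing")                       # unrestricted: fine
    restrict(rec, RestrictionGround.ACCURACY_CONTESTED)
    try:
        process(rec, "marketing")                   # blocked while accuracy is verified
    except RestrictedProcessing:
        pass
    process(rec, "storage")                         # storage stays permitted
    try:
        lift_restriction(rec, subject_informed=False)
    except ValueError:
        pass                                        # refused: subject not yet informed
    lift_restriction(rec, subject_informed=True)
    process(rec, "marketing")                       # allowed again
    return rec.audit


if __name__ == "__main__":
    for entry in demo():
        print(entry)
```

The audit trail is what you show a supervisory authority: it records the blocked attempt, not only the successful ones, and the lift only happens after the subject has been informed. In a real system the flag would live next to the data in the store and `process()` would be the data-access layer rather than a free function.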

The notification obligation regarding rectification, erasure and restriction

Any rectification, erasure or restriction of processing carried out under the rights above must be communicated by the organization to each recipient to whom the personal data have been disclosed, unless this proves impossible or involves disproportionate effort. This is why an organization needs to keep track of where each individual's data has been sent.

Additionally, when requested by the individual, the organization must tell him or her who those recipients are.

The right to data portability

Where processing is based on consent or on a contract and is carried out by automated means, individuals have the right to receive the personal data they have provided to the organization. The right to portability does not apply where the processing rests on any other legal ground, such as a task carried out in the public interest or a legal obligation.

The individual has the right to receive this data in a structured, commonly used and machine-readable format, so that it can be transmitted to another organization without hindrance. Note the scope: the right covers data the individual provided (the Article 29 Working Party's guidance reads this to include data observed from the individual's use of the service), not data the organization has derived or inferred from it, such as risk scores or profiles.

Where technically feasible, an individual can have his or her personal data transmitted directly from one organization to another. In practice both organizations need a technical and contractual arrangement for the transfer, including a way to authenticate each other and the individual. For identity data, the System for Cross-domain Identity Management (SCIM) protocol and its JSON user schema are one established option.
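What a portability export looks like in practice, as an added example written for this post (not code from the original article or from WSO2): an internal record is mapped to a SCIM 2.0 User resource, the export refuses to run unless the lawful basis is consent or contract, and derived fields are kept out. The internal record layout, the non-portable field names and the example URL are assumptions; the schema URN and attribute names come from RFC 7643.

```python
"""Data-portability export (GDPR Art. 20) as a SCIM 2.0 User resource.

Added example for this post; it is not code from the original article or
from WSO2. The internal record layout, the non-portable field names and the
example URL are assumptions; the schema URN and attribute names come from
RFC 7643 (SCIM core schema).
"""
import json

SCIM_USER_SCHEMA = "urn:ietf:params:scim:schemas:core:2.0:User"

# Lawful bases under which Art. 20 applies.
PORTABLE_BASES = {"consent", "contract"}

# Fields the organization derived or inferred itself. They are not "provided
# by the data subject" and must never appear in the export. Names are assumed.
NON_PORTABLE_FIELDS = {"risk_score", "internal_notes", "fraud_flags", "password_hash"}

# Constructed sample record, not real data.
SAMPLE_RECORD = {
    "id": "u-1001",
    "username": "alice",
    "given_name": "Alice",
    "family_name": "Example",
    "email": "alice@example.com",
    "phone": "+44 20 7946 0000",
    "created": "2017-09-11T10:15:00Z",
    "lawful_basis": "contract",
    "risk_score": 0.83,
    "internal_notes": "flagged by fraud team 2017-08",
    "password_hash": "$2b$12$notarealhash",
}


def build_scim_user(record: dict, base_url: str = "https://idp.example.com/scim/v2") -> dict:
    """Map the subject-provided attributes of an internal record to a SCIM User.

    Raises ValueError when the processing is not based on consent or contract,
    because the right to portability does not apply in that case.
    """
    basis = record.get("lawful_basis")
    if basis not in PORTABLE_BASES:
        raise ValueError(f"portability does not apply: lawful basis is {basis!r}")

    user = {
        "schemas": [SCIM_USER_SCHEMA],
        "id": record["id"],
        "userName": record["username"],
    }
    name = {scim: record[src] for src, scim in (("given_name", "givenName"),
                                                ("family_name", "familyName")) if record.get(src)}
    if name:
        user["name"] = name
    if record.get("email"):
        user["emails"] = [{"value": record["email"], "primary": True}]
    if record.get("phone"):
        user["phoneNumbers"] = [{"value": record["phone"], "type": "mobile"}]
    user["meta"] = {
        "resourceType": "User",
        "created": record["created"],
        "location": f"{base_url}/Users/{record['id']}",
    }

    # Defence in depth: if the value of any derived field shows up anywhere in
    # the serialized export, refuse to ship it rather than leak it.
    serialized = json.dumps(user)
    for field in NON_PORTABLE_FIELDS:
        value = str(record.get(field, ""))
        if value and value in serialized:
            raise RuntimeError(f"non-portable field {field!r} leaked into export")
    return user


def export_json(record: dict) -> str:
    """Serialize the resource; this is what the individual or the receiving organization gets."""
    return json.dumps(build_scim_user(record), indent=2, sort_keys=True)


def import_scim_user(payload: str) -> dict:
    """Receiving side: validate the schema declaration before trusting any attribute."""
    doc = json.loads(payload)
    if SCIM_USER_SCHEMA not in doc.get("schemas", []):
        raise ValueError("not a SCIM 2.0 User resource")
    if not isinstance(doc.get("userName"), str) or not doc["userName"]:
        raise ValueError("userName is required")
    return doc


if __name__ == "__main__":
    print(export_json(SAMPLE_RECORD))
```

The mapping is deliberately explicit rather than a dump of the whole record: an allow-list of attributes is the only reliable way to keep inferred data, password hashes and internal notes out of a file that will leave your control. The receiving side validates the schema before it trusts the payload, since a portability import is an unauthenticated-data path into your identity store.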

The right to object

An individual can object at any time, on grounds relating to his or her particular situation, to processing based on a public interest task or on the organization's legitimate interests, including profiling. The organization must then stop processing the affected data unless it can demonstrate compelling legitimate grounds which override the interests, rights and freedoms of the individual, or the processing is needed for the establishment, exercise or defence of legal claims. Processing for scientific or historical research or statistical purposes can likewise be objected to, unless the processing is necessary for a task carried out in the public interest.

Direct marketing is a special case: an individual can object at any time to processing for direct marketing, including any related profiling, and once such an objection is received the organization must no longer process the data for that purpose. There is no balancing test here.

GDPR also requires that the right to object, and the right to object to direct marketing, be brought explicitly to the individual's attention, clearly and separately from any other information, at the latest at the time of the first communication. You cannot, for example, bury this information in the general terms and conditions.

Rights in relation to automated decision making and profiling

An individual has the right not to be subject to a decision based solely on automated processing, including profiling, which produces legal effects concerning him or her or similarly significantly affects him or her. Automatic refusal of an online credit application, e-recruiting, or e-evaluation of performance without any human intervention are examples of solely automated processing.

Such decisions are permitted only where they are necessary for a contract with the individual, authorized by EU or member state law, or based on the individual's explicit consent. Even in those cases the individual has the right to obtain human intervention, to express his or her point of view, to obtain an explanation of the decision reached, and to contest the decision.

Finally, all of the above rights may be restricted by EU or member state law where that is necessary to safeguard matters such as national and public security, defence, the prevention and investigation of criminal offences, judicial proceedings, and the rights and freedoms of others.

Written by Sagara Gunathunga

Director & Head of DevRel - IAM, WSO2. Integration and Identity Architect. PMC Member @ The Apache Software Foundation
