Individuals’ rights under GDPR

Understand the rights of your customers

Recognition of individuals’ control over their own personal data is the fundamental achievement of the GDPR. To give effect to this principle, the GDPR defines a set of well-defined rights and introduces a well-defined process for individuals to exercise them. To be compliant with the GDPR, data processing organizations must accept this set of rights and must facilitate each individual in exercising them.

  1. The right of transparency and modalities.

The right of transparency and modalities

Data processing organizations must provide the information related to the following activities in a concise, transparent, intelligible and easily accessible form, using clear and plain language; appropriate visualizations such as standardized icons may also be used. Additionally, special care is expected for information specifically addressed to a child.

  1. When personal data are collected from the data subject.

Data processing organizations must enable their consumers to exercise the ‘right of access to information’ and the ‘right not to be subject to a decision based solely on automated processing’. The only exception is cases where the organization cannot uniquely identify the requesting individual.

When an individual makes a request to access information, the processing organization must respond to the individual without undue delay, within the following time constraints.

  1. Generally within one month of receipt of the request.

Additionally, organizations should provide the above information free of charge, although it is possible to charge an administrative fee. Organizations should also properly identify the individual before providing any information; if required, they can request additional data for user identification/verification purposes.

The right to be informed

According to this principle, individuals must be informed before their data is gathered. If personal data is collected directly from an individual, the processing organization must provide the following information to the individual at the time those data are collected.

  1. Organization’s identity and contact details including representatives within EU.

In cases where personal data are NOT collected directly from individuals, processing organizations should provide the following details to the individuals.

  1. Organization’s identity and contact details including representatives within EU.

If a processing organization intends to further process personal data for a purpose other than the original one, it must inform each individual of the new purposes prior to the further processing. It should also be noted that the above information sharing or communication with an individual must not contradict EU laws or member state laws.

The right of access

According to this right, each individual has the right to request access to his/her own personal data and to ask how that data is used by the processing organization once it has been gathered. Usually this is done by submitting a subject access request (SAR). When requested, the processing organization is obligated to provide a copy of the data.

According to the GDPR, processing organizations should provide the following information to individuals on request.

  1. Confirmation on whether or not personal data concerning him/her are being processed.

In addition to the above, when personal data are transferred to a third country or to an international organization, the individual has the right to be informed. However, this right should not adversely affect the rights or freedoms of others, including trade secrets, intellectual property or copyrights.

The right to rectification

Individuals have the right to require the processing organization to correct errors in the personal data it processes without undue delay.

The right to be forgotten

Individuals have the right to request that processing organizations erase their personal data without undue delay, and processing organizations must comply with such requests in any of the following situations.

  1. The personal data captured are no longer required for the purpose for which they were captured.

For example, if an individual is no longer a customer of your business, or if the individual has withdrawn his/her consent for your company to use the personal data, then the individual has the right to request data deletion.

Additionally, when a processing organization has made personal data public, an individual can request the erasure of any links to, or copies or replications of, those personal data.

Also note that this right does not apply where processing is necessary for exercising the right of freedom of expression and information, for reasons of public interest in the area of public health, or for compliance with a legal obligation.

The right to restrict processing

An individual can request that a processing organization restrict the processing of his/her personal data. In such cases the processing organization may continue to store the data, but the purposes for which the data can be processed are strictly limited. To support this, processing organizations should be able to segregate the affected data from the processing system. According to the GDPR, an individual can make a restriction request in the following situations.

  1. The individual opposes erasure of the data and instead requests that its use be restricted.

The right to notification regarding rectification/erasure/restriction

In the following cases the processing organization should communicate with the individual in a concise manner.

  1. Personal data rectification.

Additionally, when requested by an individual, the processing organization should disclose information about the recipients of the individual’s personal data.

The right to data portability

When the data processing is based on consent or a contract, individuals have the right to receive from the processing organization the personal data they have provided to it. However, the right to portability does not apply where the processing is based on any legal ground other than consent or contract, such as public interest.

When responding to such requests, the individual has the right to receive that information in a structured, commonly used and machine-readable format. This makes it easy to transmit the received information to another organization.

Where technically feasible, an individual can request that his/her personal data be transferred directly from one processing organization to another. In practice, to support this feature both organizations need a mutual contract and the technical capability to transfer the data. For example, System for Cross-domain Identity Management (SCIM) can be used to transfer identity-related personal data from one organization to another.
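As an added illustration of the portability export described above (this is example code, not part of the original post and not any product's implementation), the function below maps a constructed internal customer record to a SCIM 2.0 core User resource (RFC 7643). It only carries over attributes the data subject provided and refuses records whose legal basis is neither consent nor contract. The internal record layout, the field names and the `consent_basis` field are assumptions made for the example.

```python
import json

# SCIM 2.0 core User schema URN from RFC 7643.
SCIM_USER_SCHEMA = "urn:ietf:params:scim:schemas:core:2.0:User"

# Constructed sample record from a hypothetical internal customer store.
# The last four fields are the organization's own inferences or operational
# data: they were not provided by the data subject, so portability does not
# cover them and they must not appear in the export.
SAMPLE_RECORD = {
    "customer_id": "cust-0001",
    "username": "alice@example.com",
    "given_name": "Alice",
    "family_name": "Example",
    "email": "alice@example.com",
    "phone": "+1-555-0100",
    "consent_basis": "consent",          # assumed: legal basis for processing
    "fraud_score": 0.12,                 # derived, internal only
    "segment": "high-value",             # derived, internal only
    "internal_notes": "escalated twice", # internal only
    "password_hash": "<placeholder-hash>",  # secret, never exported
}

# Attributes the data subject supplied (assumed mapping for this example).
SUBJECT_PROVIDED = {"username", "given_name", "family_name", "email", "phone"}

# Internal-only keys we assert never leak into an export.
INTERNAL_ONLY = {"fraud_score", "segment", "internal_notes", "password_hash"}


class NotPortableError(Exception):
    """Raised when the legal basis does not support the portability right."""


def is_portable(record: dict) -> bool:
    """Portability applies only to processing based on consent or contract."""
    return record.get("consent_basis") in ("consent", "contract")


def to_scim_user(record: dict) -> dict:
    """Build a SCIM User resource from the subject-provided subset only."""
    if not is_portable(record):
        raise NotPortableError(
            f"legal basis {record.get('consent_basis')!r} does not support portability"
        )
    # Explicit allow-list: anything not in SUBJECT_PROVIDED is dropped.
    src = {k: v for k, v in record.items() if k in SUBJECT_PROVIDED}
    user = {
        "schemas": [SCIM_USER_SCHEMA],
        "id": record["customer_id"],           # service-provider assigned id
        "userName": src["username"],           # required by RFC 7643
        "name": {
            "givenName": src.get("given_name"),
            "familyName": src.get("family_name"),
        },
        "emails": [{"value": src["email"], "primary": True}],
        "meta": {"resourceType": "User"},
    }
    if src.get("phone"):
        user["phoneNumbers"] = [{"value": src["phone"]}]
    return user


def export_portable_json(record: dict) -> str:
    """Serialize the portable subset as JSON, the machine-readable format."""
    return json.dumps(to_scim_user(record), indent=2, sort_keys=True)


def leaks_internal_fields(exported_json: str) -> bool:
    """Defensive check run before handing the export to the subject or a peer."""
    data = json.loads(exported_json)
    flat = json.dumps(data)
    return any(key in flat for key in INTERNAL_ONLY) or \
        SAMPLE_RECORD["password_hash"] in flat


if __name__ == "__main__":
    out = export_portable_json(SAMPLE_RECORD)
    print(out)
    print("leaks internal fields:", leaks_internal_fields(out))
```

The allow-list approach matters more than the schema: a deny-list of "sensitive" columns tends to fall behind as new derived attributes are added to the customer store, whereas an allow-list fails closed.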

The right to object

An individual can object to the processing of his/her personal data at any time. In such cases the processing organization must stop processing the affected data unless it can demonstrate legitimate grounds for continuing. This also applies to processing for scientific or historical research or statistical purposes.

According to the GDPR, direct marketing is a special case: an individual can object to the processing of his/her personal data for direct marketing at any time, and upon receiving such an objection the processing organization must no longer process the concerned personal data for that purpose.

The GDPR also expects processing organizations to present the above “right to object” and “right to object to direct marketing” clearly and separately from any other information, at least during the first communication with an individual. For example, you cannot bury this information in the applicable general terms and conditions.

Rights in relation to automated decision making and profiling

An individual has the right not to be subject to decisions based solely on automated processing which significantly affect him/her. Online credit applications, e-recruiting or e-evaluation of performance without any human intervention are examples of solely automated processing.

Even where an individual has consented to automated decision-making, he/she has the right to obtain human intervention, to express his or her point of view, to obtain an explanation of the decision reached after such assessment, and to challenge the decision.

Finally, the exercise of the above rights must not conflict with public safeguards such as national and public security, defence, the rights and freedoms of others, and judicial proceedings.

Integration and Identity Architect & PMC Member @ The Apache Software Foundation, was a Director @ WSO2