Rights of the Data Subject
The rights of the data subject are enhanced under GDPR. They are detailed below, together with some common myths and myth busters. The first two rights must be automatically exercised by the data controller. The remaining rights are optional rights which the data subject can choose to exercise.
- Provision of Transparent Information (Art 12)
Data controllers must provide information to the data subject in a “concise, transparent, intelligible and easily accessible form, using clear and plain language”. Information should be provided in writing including electronically, if appropriate.
This requirement is particularly important where information is addressed to a child. GDPR states that children “merit special protection” and so any information and communication with a child should be in clear and plain language that the child can easily understand.
- Provision of Specific Information when the Personal Data are Collected or Obtained (Arts 13 and 14)
- the identity and contact detail of the data controller;
- contact details of the data protection officer (if there is one);
- purposes for processing and the legal basis for the processing;
- if the processing is on the grounds of legitimate interest, what those legitimate interests are;
- the recipients or categories of recipients of the personal data;
- any intention to transfer personal data to a third country or international organisation and the existence of a finding of adequacy or other suitable safeguards;
- the period of retention of the data or the criteria used to determine the period;
- the existence of the data subject’s rights (detailed below);
- the existence of the right to withdraw consent (if applicable);
- the right to complain to the ICO;
- any relevant statutory or contractual requirement to process; and
- the existence of automated decision-making (detailed below).
- Access to Data (Art 15)
Each data subject is entitled to require an organisation to provide access to or copies of all of the individual’s personal data by placing a subject access request.
In addition to requesting access to the personal data, the data subject is entitled to the following information:
- the purposes for which their personal data is processed;
- the categories of personal data;
- the recipients or categories of recipients to whom the personal data has been disclosed;
- the period for which the personal data will be stored or, if it’s not possible to provide the information, the criteria used to determine that period;
- the existence of the right to request rectification or erasure of personal data;
- the right to lodge a complaint with the ICO;
- information about the source of the personal data if it wasn’t collected from the data subject; and
- if relevant, the existence of automated decision-making including profiling together with information about the logic applied, the significance and the envisaged consequences of such processing for the data subject.
Each organisation should adopt processes for dealing with subject access requests and decide whether it would be beneficial to issue firm wide policies. Development of policies and provision of training may provide comfort that all members of staff understand how to recognise and deal with a subject access request (ideally by directing the request to the organisation’s data protection or privacy officer).
If an organisation receives a subject access request as a data processor, it should pass the request to the data controller and act in accordance with the data controller’s instructions when assisting the data controller to respond to the request.
Responding to the Request
Under GDPR, an organisation must respond within one calendar month of receiving the request and must do so free of charge (unless the requests are vexatious or repeated, in which case it may be possible for a business to charge a reasonable fee to respond).
The month is calculated from the first day after the day on which the request is received. If there is no corresponding date in the following month (e.g. the request is received on 31 May but there is no 31 June), a response must be sent by the last day of the following month (for example, 30 June). If the corresponding date falls on a weekend or a public holiday, the response must be sent by the next working day. Some organisations have decided it is simplest to adopt a 28-day default response period so they have a consistent approach to responding to subject access requests throughout the year.
*Myth* - an organisation can delay responding to a subject access request if they’re not confident about the identity of the individual or if they would like more information about what the data subject requires.
*Fact* - an organisation should be confident about the identity of the person making the request but should not use it as a stalling tactic. Confirmation should only be sought if there are real doubts about the identity of the data subject. Whilst an organisation is entitled to ask for more information from the data subject, doing so will not delay the timescales in which the organisation must respond and the data subject is under no obligation to limit its request.
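As an added example (not part of the original guidance), a small Python calculator for the one-calendar-month response deadline described above. It takes the worked example in the text as its reference behaviour (received 31 May, respond by 30 June), rolls a deadline that lands on a weekend or public holiday forward to the next working day, and also computes the 28-day default some organisations adopt; the public-holiday set is a constructed sample, not an official list.

```python
# Added example: subject access request (SAR) deadline calculator.
# Implements the one-calendar-month rule as described in the guidance above.
from datetime import date, timedelta
import calendar

# Constructed sample of public holidays for illustration only; a real
# deployment would load the jurisdiction's official holiday list.
SAMPLE_PUBLIC_HOLIDAYS = frozenset({
    date(2024, 12, 25),
    date(2024, 12, 26),
    date(2025, 1, 1),
})


def next_working_day(d, holidays=frozenset()):
    """Roll d forward until it is neither a weekend day nor a public holiday."""
    while d.weekday() >= 5 or d in holidays:  # 5 = Saturday, 6 = Sunday
        d += timedelta(days=1)
    return d


def calendar_month_deadline(received, holidays=frozenset()):
    """Deadline for a request received on `received`.

    Follows the worked example in the guidance: the corresponding calendar
    date in the following month, clamped to the last day of that month when
    no such date exists (31 May -> 30 June), then rolled to the next working
    day if it falls on a weekend or public holiday.
    """
    if received.month == 12:
        year, month = received.year + 1, 1
    else:
        year, month = received.year, received.month + 1
    last_day = calendar.monthrange(year, month)[1]
    nominal = date(year, month, min(received.day, last_day))
    return next_working_day(nominal, holidays)


def fixed_28_day_deadline(received, holidays=frozenset()):
    """The simpler 28-day default, with the same working-day roll-forward."""
    return next_working_day(received + timedelta(days=28), holidays)


def days_remaining(received, today, holidays=frozenset()):
    """Days left until the calendar-month deadline (negative if overdue)."""
    return (calendar_month_deadline(received, holidays) - today).days
```

Running `calendar_month_deadline(date(2025, 5, 31))` reproduces the text's 30 June result, while a request received on 16 July 2025 rolls from Saturday 16 August to Monday 18 August.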
- Right to Rectification (Art 16)
This right links to the obligation on the data controller to keep personal data up to date and accurate. A data subject has the right to request that inaccurate personal data is rectified or completed “without undue delay”.
- Right to be Forgotten (Art 17)
Data subjects are entitled to request that the personal data held about them by an organisation is deleted. If an organisation is a data processor, any action that they are required to take should be notified to them by the data controller. The organisation must comply with the request to be forgotten without undue delay where one of the following grounds applies:
- the personal data is no longer necessary in relation to the purposes for which it was collected or processed;
- the data subject withdraws their consent and there is no other legal ground for processing;
- the data subject objects to the processing and there are no overriding legitimate interests;
- the personal data has been unlawfully processed;
- there is a legal requirement that the personal data is erased;
- personal data has been collected in relation to the offer of information society services. Information society services are online services and this exemption is therefore unlikely to apply to organisations in the health and care sector.
The right to be forgotten is a more limited right than many organisations realise. The most useful right from a data subject’s perspective is arguably that personal data must be deleted if a data subject withdraws their consent to processing and subsequently requests that all personal data be deleted.
*Myth* - data subjects have a blanket right to request that their information be deleted.
*Fact* - the right to request to be forgotten is relatively limited and organisations may be able to rely on a justification to retain the data.
- Right to Restriction of Processing (Art 18)
The data subject can request that an organisation limits the processing of certain personal data if:
- the data subject believes the data isn’t accurate, in which case processing should stop until the data controller is able to verify the accuracy of the data;
- the processing is unlawful and the data subject requests restriction rather than deletion of data;
- the data controller no longer needs the personal data for the purposes of the processing but the data subject requires the data to be retained for the establishment, exercise or defence of legal claims;
- the data subject has objected to their personal data being processed in which case processing should stop until the data controller is able to check whether its legitimate interests override the objection.
If personal data is restricted, it can only continue to be processed in the following circumstances:
- with consent from the data subject;
- for the establishment, exercise or defence of legal claims;
- the protection of the rights of another; or
- for reasons of important public interest.
- Data Portability (Art 20)
The data subject can request that their data is provided in a structured, commonly used and machine-readable format and/or that the data is transferred directly to another data controller.
*Myth* - a data subject can exercise the right to data portability in all circumstances.
*Fact* - the right only applies where the personal data is processed on the grounds of consent or performance of a contract. It does not apply where the personal data is processed on the basis of any other grounds, including legitimate interest.
- Right to Object (Art 21)
The data subject can object to the processing of personal data where the personal data is processed for the performance of a task carried out in the public interest or where processing is necessary for the legitimate interests of the data controller or a third party. The data controller can, however, continue to process the data if it can demonstrate it has compelling legitimate grounds to process and those grounds override the interests, rights and freedoms of the data subject, or for the establishment, exercise and defence of legal claims.
- Right to Object to Automated Decision-Making (Art 22)
In basic terms, “Automated Decision-Making” means using a person’s personal information to understand what that person is like and how they behave and to make an automated (i.e. online / computerised) decision as a result of collecting that information. If there is human intervention in the decision, it is not an “automated” decision.
For example, if an organisation uses a clocking in / out process and automatically deducts a percentage of salary if an employee is a specified number of minutes late to work, this would constitute an automated decision-making process. If, however, the clocking in / out process takes place but the deduction of salary is decided by the employee’s line manager, it would not constitute an automated decision.
The data subject is not entitled to object if the automated decision is necessary for entering into or performance of a contract (for example, a bank carrying out a credit reference check in order to approve a credit card application); or if the decision is authorised by law and there are suitable measures to safeguard the data subject’s rights and freedoms.
What Could Go Wrong?
Failure to properly respond to a request made by a data subject to exercise their rights under GDPR; to provide what they’ve requested; or to implement a suitable process to deal with data subject requests could attract a fine of up to 20 million Euros or 4% of group worldwide turnover.
*All information is correct at the time of publishing