GDPR – Data Subject Rights
Last modified: February 8, 2023
This page is regularly updated to reflect continued monitoring, accuracy and comprehensiveness.
GDPR
Within the meaning of GDPR, “Personal data” means any information relating to an identified or identifiable natural person (“data subject”). GDPR grants data subjects a range of specific data subject rights they can exercise, with exceptions. Data subject requests are not new, but GDPR introduced some changes to further protect their rights.
Introduction
Under Article 12(2) of the GDPR, we are obliged to comply with a data subject request (DSR) without undue delay and, in any event, within one month (i.e. a calendar month) of receiving a request from a data subject or their representative and establishing their identity. Any refusal of a DSR must also meet this timescale. Taking account of the complexity and number of requests made by the data subject, the period for responding may be extended by a further two months. The data subject must be informed of any extension or refusal, with reasons, within one month of receipt of the request.
Failure to respond to DSRs can leave organizations open to the higher level of administrative fines under the GDPR: €20 million or up to 4% of annual global turnover – whichever is greater.
Fundamental Rights of a Data Subject under GDPR
General points applicable to all DSRs
- Data subjects can make a request verbally or in writing. It can also be made to any part of the organisation (including by social media) and does not have to be addressed to a specific person or contact. It does not have to include a title such as ‘request for rectification’ or ‘request for erasure’, or mention the Article number of the GDPR, as long as it is clear that the data subject is making a request about their own personal data.
- We have a legal responsibility to identify the data subject who has made a request (and, if a representative is acting on behalf of the data subject, to verify the representative’s authorisation as well), and also to check that the information requested falls into the category of personal data, in order to validate the request.
- We must comply with a validated request within a month. If it requires significant effort, this period can be extended by up to two further months, but the data subject must be informed of the extension and the reason for it within a month of validating the request.
- If an exemption applies to a request, we can refuse to comply with it. Also, manifestly unfounded or excessive requests can either be refused or charged a “reasonable fee” covering the administrative costs.
- In all cases where we refuse to comply, charge an administrative fee or ask for more information to confirm identity, we have to inform the data subject within a month of:
  - the reasons we are not taking action or are charging for the request;
  - their right to make a complaint to the ICO or other authorities; and
  - their ability to seek to enforce this right through a judicial remedy.
- It is good practice to keep a record of all the details of the request and to log how it was processed. This can help avoid later disputes, if any, about how we interpreted and processed the request in order to comply.
Right to be informed
At the point where personal data is collected from the data subject (Article 13) or obtained from another source (Article 14), there is a requirement to inform the data subject about our use of their personal data and their rights over it to ensure transparency.
Compliance with this right is addressed in a separate document, the Privacy Policy, which describes our identity and contact information, the processing purposes and their legal basis, any legitimate interests pursued, the recipients to whom personal data are transmitted, any intention to transfer personal data to third countries or share them with third parties, and how we will process and safeguard personal data.
It also informs the data subject about the duration of storage, their rights, the ability to withdraw consent and the right to lodge a complaint with the authorities. In addition, the data subject must be informed of any automated decision-making activities, including profiling.
Right to withdraw consent
The data subject has the right to withdraw consent where the basis for processing of their personal data is that of consent (i.e. the processing is not based on a different justification such as contractual or legal obligation). Before excluding the data subject’s personal data from processing, it must be confirmed that consent is indeed the basis of the processing. If not, then the request may be rejected.
In many cases, the giving and withdrawal of consent will be available electronically, i.e. online, and does not need a separate procedure.
Note: Where consent involves a child (age 18 or under), the giving or withdrawal must be authorised by the holder of parental responsibility for the child.
Right of access
A data subject has the right to obtain confirmation from us as to whether we are processing their personal data (Article 15), to obtain a copy of their personal data as well as other supplementary information, and thereby to understand how and why we are using their data and to check whether we are doing so lawfully.
Right to rectification
Personal data is considered inaccurate if it is incorrect or misleading as to any matter of fact. A data subject has the right to have inaccurate personal data rectified and to have incomplete personal data completed, depending on the purpose of the processing (Article 16).
We should take reasonable steps to make sure that the data is accurate and to rectify the data if necessary, taking into account the arguments and evidence provided by the data subject especially if it is used to make significant decisions that will affect a data subject or others. Where possible, and where it would not involve disproportionate effort, any third party with whom rectified data have been shared should be informed of the rectification.
Note: Where the data are being processed for a law enforcement purpose or any other exemptions apply and we need to retain the data in their present form as evidence, we may have to restrict the processing of inaccurate personal data rather than rectifying it.
Right to erasure
Under Article 17, also known as “the right to be forgotten”, the data subject has the right to require us to erase personal data about them without undue delay where one of the following applies:
- The personal data are no longer necessary for the purpose for which they were collected
- The data subject withdraws consent and there is no other legal ground for processing
- The data subject objects to the processing of the personal data
- The personal data have been unlawfully processed
- For compliance reasons, i.e. where the data must be erased to meet a legal obligation to which we are subject
- Where the personal data was relevant to the data subject as a child
Reasonable efforts must be made to ensure erasure where the personal data has been made public.
Note: Where the data are being processed for a law enforcement purpose and we need to retain the data in their present form as evidence, we may have to restrict processing rather than agreeing to a request for erasure.
Right to restriction of processing
The data subject has the right to a restriction of processing of their personal data in one of the following circumstances (Article 18):
- Where the data subject contests the accuracy of the data, until we have been able to verify its accuracy
- As an alternative to erasure in the circumstances that the processing is unlawful
- Where the data subject needs the data for legal claims but it is no longer required by us
- Whilst a decision on an objection to processing is pending
Where a restriction of processing is in place, the data may be stored but not processed without the data subject’s consent, unless for legal reasons (in which case the data subject must be informed). Third parties who may process the data on our behalf must also be informed of the restriction.
Notification Obligation
If we have shared and/or disclosed personal data with third parties, we are required to communicate (Article 19) any rectification or erasure of personal data or restriction of processing carried out in accordance with Articles 16, 17 and 18 to each recipient, unless this proves impossible or involves disproportionate effort.
Also, we need to inform the data subject about these third parties with whom we have shared their personal data, if the data subject requests it.
Right to data portability
The data subject has the right to request that their personal data be provided to them in a “structured, commonly-used and machine-readable format” (Article 20) and/or transmitted to another party, e.g. another service provider, where technically feasible and without hindrance.
This applies to personal data provided by the data subject in a machine-readable format, where the processing is based on the data subject’s consent or on a contract and is carried out by automated means.
Right to object
A data subject has the absolute right (Article 21) to object to the processing of their personal data where it is for direct marketing purposes. The right to object is limited if their data are processed for scientific or historical research, or for statistical purposes. The right to object is not absolute if the processing is for:
- a task carried out in the public interest;
- the exercise of official authority vested in us; or
- legitimate interests (or those of a third party).
Where the data are being processed for a law enforcement purpose, there is no right to object.
Rights in relation to automated decision-making and profiling
The data subject has the right not to be subject to automated decision-making, including profiling, where the decision has a significant effect on them, and they can insist on human intervention where appropriate (Article 22). The data subject also has the right to express their point of view and to contest automated decisions.
There are exceptions to this right, which apply if the decision:
- Is necessary for a contract
- Is authorized by law
- Is based on the data subject’s explicit consent
In assessing these types of request, a judgement needs to be made about whether the above exceptions apply in the particular case in question.
Other communication (personal data breach notice etc.)
We have a duty to report certain types of personal data breach to the relevant supervisory authority. Where feasible, we must do this within 72 hours of becoming aware of the breach.
If the breach is likely to result in a high risk of adversely affecting data subjects’ rights and freedoms, we must also inform those data subjects without undue delay.