
Rights of data subjects

The GDPR expands the rights of data subjects. You should be aware of these rights so that you can exercise your rights and react in accordance with the law in the event of data protection queries to your company. As you can see from the graphic, the GDPR provides the following rights for individuals:

But what do these rights actually mean in practice? Let us have a closer look:

Let’s start with the right to be informed. If your personal data are processed, at the time of collection of your data the data controller is obliged to provide you with certain information, including in particular:

  • who is processing your data (name and contact details)
  • what data they are processing,
  • why they are processing it and
  • for how long the data will be kept

Furthermore, the GDPR requires that the information is provided to you

  • in a precise, transparent and easily accessible form
  • in clear and simple language and
  • free of charge

In order to fulfil the right to information, data controllers must actively provide individuals with certain information. In contrast, the right of access entitles any data subject to obtain a copy of their personal data and other complementary information regarding data processing.

The following graphic shows the correct response when a data subject wishes to exercise his/her right of access:

As you can see from the graphic, the request for information can be made in person, in writing or by telephone. It is important to clarify the identity of the person making the request beyond all doubt.

The next step is the examination of responsibility.

Important

Data subject rights can only be asserted with the data controller! However, as the data processor has a support obligation, the data protection request should be forwarded directly to the data controller.

Without express instructions, you as an employee are not authorized to provide information about personal data.

As you may have already noticed from the graphic, the data controller must respond to the request to exercise the right of access even if no personal data is processed (negative information). However, if personal data are actually processed, individuals have the right to access that data, be provided with a copy of the personal data being processed and get any relevant additional information.

Important

In case of a data protection request the time limit for providing information is in principle only one month after receipt of the request.

Note

The regulations that have been learned so far with regard to

  • form of data protection request (written, electronic, personal, telephone)
  • obligation to verify the identity of the data subject in case of doubt
  • responsibility of the data protection request (only the data controller)
  • deadline for the data protection response (1 month)

apply equally to ALL rights of the data subjects!

The right to rectification gives individuals the right to ask for incorrect, inaccurate or incomplete personal data to be corrected.

Individuals can request the deletion of personal data if, for example, the data processed by the company is no longer needed or if the data has been used unlawfully. This right also applies online and is often referred to as the ‘right to be forgotten’. This right obliges the data controller to take all reasonable steps to remove publicly disclosed personal data.

The right to restrict processing is a right which can only be exercised under certain conditions. Examples include an objection by a data subject to data processing whereby the decision on the objection is still pending or a dispute as to the accuracy of the data.

The right to data portability is intended to ensure that individuals can request the transmission of the personal data they have made available to a data controller in a structured, common and machine-readable format. The right only applies when the data are processed on the basis of consent or a contract. You can also ask for personal information to be transferred directly to another data controller, when it’s technically feasible.

Example

Suppose you want to change your email provider. The right to data transferability allows you to request your current email provider to send your list of contacts to a new email provider.

In principle, data subjects have the right to object to the processing of personal data. Whether the right applies depends on the purpose and the lawful basis for processing. For example, you always have the right to object to processing for the purpose of direct marketing. However, if data are processed, for instance, for scientific or historical research or statistical purposes, the right to object is more limited.

The GDPR provides individuals with the right not to be subject to a decision based solely on automated processing, including profiling.

Important

Only natural persons are entitled to exercise data protection rights! The exercise of data subjects’ rights must be free of charge. Non-compliance with these rights could lead to high financial penalties.
