There are 8 privacy rights an individual has in GDPR protected countries. Below we will unpack these rights and break down their practical application. What these rights boil down to is the right of the individual to have a meaningful say in how data about them is used, as described by The Principles Of The GDPR. These rights give individuals the ability to set limits on how their data is used and, ultimately, provide clearer avenues for recourse when those rights are violated.
These are the 8 rights for individuals under the GDPR. (A 9th is discussed below but is not listed as a right.)
1. The Right To Be Informed
This is a little more complicated than it sounds. We will attempt to hit the highlights, but this is by no means exhaustive. The right to be informed (as it’s known) is pretty broad. It should be noted that much of this is covered by a well-crafted privacy notice.
Data controller contact details
Individuals have a right to a contact name or group within a company where they can inquire about, and exercise, their data privacy rights. This person is the highest level of accountability for ensuring rights are respected, often the DPO. The company’s EU representative should also be named.
Purposes of processing and legal basis
Simply put, a company must state why they are processing data and what their legal grounds are for doing so. This is part of a well-crafted privacy notice.
Legitimate interests being pursued by the controller
When an individual’s data is being used by a controller but not to (directly) provide goods or services, the controller has to define what their legitimate reason is for processing the data. A good test is whether someone would reasonably expect their data to be used this way (e.g. reporting, fraud detection, etc.).
Who your data is shared with
If an individual’s data is shared by a controller, they have a right to know the recipients of their data, or the categories of recipients. Examples of this would be companies sharing their customers’ data with data brokers, advertisers or social media companies.
Data retention period
It is now common practice to state in a public privacy notice the length of time data will be retained by a company. Sometimes it is a specific number of years and sometimes it is a little more nuanced. When it is not possible to state a definite period of time, the criteria used to decide how long data will be kept are required (e.g. 3 years after our last engagement with a client). The period is often driven by another need, such as civil liability or tax reasons.
The rights of the individual under the GDPR
A data controller is responsible to make individuals aware of their rights under the GDPR. As mentioned, this is often part of a well-crafted privacy notice.
2. The Right Of Access
Individuals have the right to request a copy of the data a controller holds about them, to be told whether (and for what purpose) that data is being processed, and to know with whom it is or may be shared.
The data is to be provided (possibly at a reasonable cost) in a commonly used electronic format (unless otherwise requested).
Note: A matter of debate is the scope of data to be provided. “All data” may or may not include data derived through analysis, as opposed to data that was provided by the individual, purchased, or otherwise obtained.
3. The Right Of Rectification
An individual has the right to have incorrect information fixed or incomplete information completed in a timely manner.
4. The Right Of Erasure (AKA: The right to be forgotten)
This is probably the most commonly known right under the GDPR. It says that an individual has the right to have their personal information deleted when it is no longer required for the reason it was given. An obvious caveat is that the controller may keep it if they have a legitimate reason to continue using it.
Limitations to GDPR erasure requests
Erasure requests have some notable exceptions. Here are the high-level items mentioned in the GDPR.
- Exercising the right of freedom of expression (e.g. the media)
- Compliance with legal obligations, such as being a public authority, or some reason in the public interest
- Archiving in the public interest, scientific or historical research, or statistical use (with certain limits for protecting individual rights and freedoms)
- The establishment, exercise or defense of legal claims
The GDPR is different from other regulations because it focuses on the rights of the individual.
5. The Right To Restrict Processing
An individual can request processing of their data be restricted if:
- The data is inaccurate
- The processing is unlawful (but the individual is not requesting deletion)
- The controller no longer needs the data, but the individual needs the controller to keep it for legal reasons
- The individual has objected to processing (pending a decision on the controller’s grounds vs. the individual’s)
Note: When an individual has successfully obtained a restriction, the controller is obligated to notify them when the restriction is lifted.
6. The Right Of Data Portability
This gives individuals the right to request their data in a structured, commonly used, machine-readable format (such as CSV or JSON). The essence of this right is to prevent an individual from having difficulty moving to another company or service because the current company holds valuable data about that person. For example, someone who uses accounting software and wants to change providers would find the switch much harder if they could not take their data with them and had to start over.
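As an added illustration (not code from the article), the following Python module models how a controller’s system might honour several of the rights discussed above at once: a JSON or CSV export for the right of access and the right of data portability, in-place rectification, a restriction flag that gates any further use of the record, and an erasure routine that applies the “3 years after last engagement” retention criterion and the legal-claims exception described earlier. The class and function names, the record layout and the three-year retention rule are all assumptions made for the example.

```python
"""Added example (not from the article): a tiny in-memory record store that honours
several GDPR data-subject rights - access/portability export, rectification,
restriction of processing, and erasure subject to a retention criterion and a
legal-claims exception. All names here are hypothetical."""
from __future__ import annotations

import csv
import io
import json
from dataclasses import dataclass, field
from datetime import date

# Assumed retention criterion, mirroring the article's example of
# "3 years after our last engagement with a client".
RETENTION_YEARS_AFTER_LAST_ENGAGEMENT = 3


@dataclass
class SubjectRecord:
    subject_id: str
    email: str
    last_engagement: str            # ISO date, e.g. "2020-01-15"
    restricted: bool = False        # Right to restrict processing: keep, but do not use
    legal_hold: bool = False        # Erasure exception: establishment/defense of legal claims
    attributes: dict = field(default_factory=dict)


def retention_end(rec: SubjectRecord) -> date:
    """Date from which the retention criterion no longer requires keeping the record."""
    last = date.fromisoformat(rec.last_engagement)
    target_year = last.year + RETENTION_YEARS_AFTER_LAST_ENGAGEMENT
    try:
        return last.replace(year=target_year)
    except ValueError:              # 29 Feb in a non-leap target year
        return last.replace(year=target_year, day=28)


class RecordStore:
    def __init__(self) -> None:
        self._records: dict[str, SubjectRecord] = {}

    def add(self, rec: SubjectRecord) -> None:
        self._records[rec.subject_id] = rec

    def has(self, subject_id: str) -> bool:
        return subject_id in self._records

    # Right of access / right of data portability: structured, commonly used,
    # machine-readable output. JSON and CSV are the formats the article names.
    def export(self, subject_id: str, fmt: str = "json") -> str:
        rec = self._records[subject_id]
        row = {
            "subject_id": rec.subject_id,
            "email": rec.email,
            "last_engagement": rec.last_engagement,
            "processing_restricted": rec.restricted,
            "attributes": rec.attributes,
        }
        if fmt == "json":
            return json.dumps(row, sort_keys=True)
        if fmt == "csv":
            # CSV is flat, so the nested attributes are serialised into one column.
            flat = dict(row, attributes=json.dumps(row["attributes"], sort_keys=True))
            buf = io.StringIO()
            writer = csv.DictWriter(buf, fieldnames=list(flat), lineterminator="\n")
            writer.writeheader()
            writer.writerow(flat)
            return buf.getvalue()
        raise ValueError(f"unsupported export format: {fmt}")

    # Right of rectification: correct or complete the stored attributes.
    def rectify(self, subject_id: str, **fixes: object) -> dict:
        rec = self._records[subject_id]
        rec.attributes.update(fixes)
        return dict(rec.attributes)

    # Right to restrict processing: the record stays stored but must not be used.
    def set_restriction(self, subject_id: str, restricted: bool) -> None:
        self._records[subject_id].restricted = restricted

    def usable_for_processing(self, subject_id: str) -> bool:
        """Every non-storage use of the data should be gated on this check."""
        return not self._records[subject_id].restricted

    # Right of erasure, with two of the exceptions the article lists: data needed
    # for legal claims, or data still required under the (assumed) retention rule.
    def erase(self, subject_id: str, today: str) -> str:
        rec = self._records[subject_id]
        if rec.legal_hold:
            return "retained: needed for legal claims"
        end = retention_end(rec)
        if date.fromisoformat(today) < end:
            return f"retained: retention period runs until {end.isoformat()}"
        del self._records[subject_id]
        return "erased"
```

The important design point is that restriction is enforced by a single gate (`usable_for_processing`) that every processing path must consult, and that erasure returns a reason string rather than silently refusing, so the response to the individual can state which exception applied. A production system would also need to record each request and its outcome, and to propagate erasure and restriction to any recipients the data was shared with.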
7. The Right To Object
With some carve-outs for scientific/historical reasons, an individual can object to the processing of their data and can request that processing be stopped or limited. This objection is then weighed against the legitimate interests of the controller, and the controller determines whether they should stop using the individual’s data. Should the individual not agree with the controller’s decision, they have the right to lodge a complaint with the supervisory authority, who will investigate.
8. The Right To Object To Automated Decision Making
An individual has a right to object to (solely) automated decision making which produces legal effects or significantly affects them (e.g. being denied a loan). In simple terms, if a data controller is using technology to make decisions that impact the daily life of an individual, that person has a right to object to that decision being made solely by technical means.
Limitations to the right to object to automated decision making
- The decision is necessary for contractual purposes
- The decision is authorized by Union or Member State law (to which the controller is subject), and appropriate safeguards are in place to ensure the data subject’s rights are respected
- The data subject has given explicit consent
(9.) The Right To Withdraw Consent
While not listed in the ‘rights’ section of the GDPR (Chapter 3), the right to withdraw consent is a right under the GDPR, with some key callouts. First, withdrawing consent does not invalidate or make unlawful any processing of data that took place before consent was withdrawn. Second, a person can’t withdraw consent in bad faith, for example by entering into a contract and then withdrawing consent for the data processing that contract requires.
Conclusion:
The 8 rights of the GDPR are daunting for companies to honor when you consider the technical and organizational measures involved. Most systems weren’t designed with these (always changing) regulations in mind. When designing for them, it is important not only to protect the rights of your customers but also to protect your company’s ability to function in a data-driven world. This balance is the essence of privacy by design.