iDEA Inspiring Digital Enterprise Awards

What are the rights of Data Subjects?

GDPR grants people, in their capacities as consumers, citizens and so forth, a range of specific data subject rights that they can exercise under particular conditions.

Don't forget

Anyone using goods and services in the EU is a Data Subject.

Right of Data Breach Notification

In the case of any data breach that is likely to result in unauthorised use and distribution of data, Data Controllers will have to notify Data Subjects about the breach within 72 hours of becoming aware of it.

Similarly, Data Processors will have to inform Data Controllers about the breach within the time frame.

Right to Access

GDPR gives Data Subjects the right to get information about how, where and for what purpose their personal data is being processed.

Right to be Forgotten

Also known as Data Erasure, the right to be forgotten entitles the Data Subject to have his/her personal data deleted from the logs of Data Controllers. The right to be forgotten also enables them to halt or cease further distribution and use of the data by third parties.

Right to Data Portability

GDPR introduces data portability: the right for a Data Subject to receive the personal data concerning them, which they have previously provided, in a commonly used and machine-readable format, and to transmit that data to another Controller.

This essentially means that if you want to make a switch from one service provider to another, the former service provider should give you the complete data in a machine-readable format which can be used to integrate with the new service provider.

Right to Restrict Processing

Data subjects have the right to restrict the processing of personal data where:

  • they have contested its accuracy;
  • they have objected to the processing and you are considering whether you have a legitimate ground which overrides this;
  • processing is unlawful;
  • a business no longer needs the data but the data subject requires it to establish, exercise or defend a legal claim.

If a business has disclosed the personal data to third parties, then the business must inform them about the erasure of the personal data.

Right to Object

Data subjects have the right to object to:

  • processing based on legitimate interests, the performance of a task in the public interest or the exercise of official authority (including profiling);
  • direct marketing (including profiling); and
  • processing for scientific/historic research or statistics.

Businesses must inform data subjects of their right to object as soon as possible. Where the data subject objects to direct marketing, you must comply immediately. There are no exemptions or grounds to refuse. Where a data subject otherwise objects to you processing their personal data, you must comply with the request unless you can demonstrate compelling, legitimate grounds to continue processing, or that the processing is for the establishment, exercise or defence of legal claims.

Look at the following statements and identify which right is being exercised.

The right to have your personal data removed from the Data Controller's list and from the list of any third parties to whom the data has been passed.

Which right is being exercised?

The right to be informed about how, where and for what purpose your personal data is being processed.

Which right is being exercised?

The right to be informed about unauthorised use and/or distribution of data.

Which right is being exercised?
