Last updated on 20 May 2022 by Robert Bateman (Privacy and Data Protection Research Writer at TermsFeed)
The EU Commission describes the General Data Protection Regulation (GDPR) as:
"an essential step to strengthening citizens' fundamental rights in the digital age [which] provides tools for gaining control of one's personal data."
The GDPR achieves this by setting out eight rights that all EU citizens have when it comes to the processing of their personal data. These eight rights can be found in Chapter 3 of the GDPR.
If your company is a data controller, it's responsible for facilitating the exercise of these rights on EU citizens' behalf. According to the definitions set out in Article 4 of the GDPR, a data controller is any organization or individual that decides how and why EU citizens' personal data is processed.
So if your company, for example, takes payment details from EU citizens, collects their names and email addresses, or stores browser information on a website that's accessible from within the EU - it's a data controller, and may be called upon to help an EU citizen exercise their data rights.
Sounds daunting? Well, in most cases, it should be relatively simple - so long as you have the right systems in place.
Let's take a look at these 8 user rights and how to successfully address them.
If you're processing someone's personal data, they have a right to know about it - everything about it. The GDPR requires that you inform your users about:
Under Article 12 of the GDPR, the information above needs to be provided in "a concise, transparent, intelligible and easily accessible form, using clear and plain language."
The only way you can fulfill this requirement is by having a Privacy Policy. A Privacy Policy is required by law for any individual or organization that processes the personal data of EU citizens.
Here's an excerpt from Soundcloud's Privacy Policy, where Soundcloud explains what data it collects from users who create an account.
If one of your users exercises their right to be informed, you can just point them to your legally compliant Privacy Policy. If you don't have one, you need to create one.
Under Article 15 of the GDPR, your users are allowed to request information about any of their personal data that your company is processing. This is known as a Subject Access Request.
The information your company might be asked to provide includes:
Recital 59 of the GDPR says that "modalities should be provided for facilitating the exercise of the data subject's rights."
In other words, you should have a system. The GDPR also recommends that you "provide means for requests to be made electronically."
You may wish to provide a Subject Access Request form on your website.
The University of Southampton in the UK provides such a form. Here's a part of it:
A form like this makes it easy and convenient for your users to exercise their rights.
Article 5(1)(d) of the GDPR lists "accuracy" as one of the fundamental principles of data processing. The corresponding right can be found in Article 16 as the right to rectification. This right gives users the opportunity to request that your company corrects any inaccurate data that it holds about them.
Your company might not receive enough rectification requests to warrant a dedicated form. However, you still need to make reference to rectification in your Privacy Policy.
Here's how investment group Octopus Ventures facilitates its users' rectification requests in a chart in its Privacy Policy:
The right to erasure can be found in Article 17 of the GDPR. Sometimes called the "right to be forgotten," this is one of the best-known parts of the GDPR - but the GDPR really only codified an existing legal principle.
The right to erasure stems from a court case, Google Spain v AEPD, Mario Costeja González (2014), in which Mario Costeja González successfully requested that Google remove several references to him in its search results. The decision in the case has been somewhat misunderstood, with some believing that anyone now has the right to remove their name from Google. This isn't exactly what the right to erasure imparts - but it does give users the right to request deletion of their personal data in certain circumstances.
There are certain conditions under which your company can, and should, refuse to comply with a user's data erasure request. However, you must comply if:
Certain conditions related to children also apply, as per Article 8.
It follows that you should not comply if you need to keep processing the user's data in order to carry out whatever task you were using it for. You might have to consider whether the user has the right to restrict or object to that processing.
To put this in context, here's an excerpt from jewelry company Silverado's Privacy Policy:
It seems reasonable that a user's personal data would need to be kept on file whilst their order is processed or any ongoing issues are resolved. The third condition might also be justifiable if the user's behavior is under investigation, or if there is a risk that the user will misuse the company's service again.
As an alternative to requesting rectification or erasure of their personal data, a user can request that your company refrains from doing particular things with their data. This right is found in Article 18.
Here's an example of a situation in which an individual might request to have processing restricted, provided by the European Commission:
This might be an option for users who are unable to have their data erased for some of the reasons above. Or, it might be a suitable temporary measure while your company considers a user's objection to the processing of their data.
If a user objects to your company's processing of their data or makes a rectification request and you aren't able to immediately comply, you should always consider restricting processing while you deal with this request.
Recital 67 of the GDPR suggests a few ways that you might manage this request. You could:
Generally speaking, your company shouldn't process restricted data in any way other than to store it.
Article 20 of the GDPR gives users the right to request a copy of any of their personal data that your company possesses. The idea is that individuals should truly own their personal data. They should be able to take it from you and give it to another organization if they want to.
Recital 68 of the GDPR states that the right to data portability "should not apply where processing is based on a legal ground other than consent or contract." This means that you don't need to comply with a request for data portability unless you ask your users for consent to process their data or have a contract with them.
There are services offered in some EU Member States which facilitate data portability on behalf of users. Midata is one such system and is available in the UK, Germany, The Netherlands, and Switzerland (although Switzerland is not an EU Member State, the GDPR still applies there).
If your company wishes to implement its own system of data portability, the only specifications given at Article 20 of the GDPR are that the data is offered in "a structured, commonly used and machine-readable format." This means you could develop a system of exporting user data to an Excel file or Word document.
If you're using third-party database software, it's likely that this software has a facility for exporting user data to such a format.
Recital 69 of the GDPR also states that "where technically feasible, the data subject should have the right to have the personal data transmitted directly from one controller to another."
Here's how education organization Advance HE covers data portability in its Privacy Policy:
Article 21 of the GDPR gives users the right to object to the processing of their data.
This is most important in the context of direct marketing.
Unlike most of the other rights, in this context there are no caveats. The user has an absolute right to object to direct marketing. If a user states that they no longer wish to receive direct marketing materials from your company, you must obey. This doesn't mean, however, that you'll also have to delete their personal data.
The right to object to processing other than for the purposes of direct marketing is more complicated, and the user must give their grounds for making such an objection. There are reasons your company might refuse to honor an objection, such as if you have a legitimate interest in processing the user's data to defend against legal claims.
Recital 70 of the GDPR states that the right to object to direct marketing "should be explicitly brought to the attention of [your users] and presented clearly and separately from any other information."
Your company must include an "unsubscribe" link in any direct marketing emails. You must also make reference to the ways that your users can object to direct marketing in your Privacy Policy.
Here's how clothing retailer H&M does this:
The right to object to certain types of automated decision-making is probably the most obscure of the user rights, and is found in Article 22 of the GDPR. Before looking at what this right entails, it's worth explaining which sorts of companies it applies to.
According to the Information Commissioner's Office (ICO), the UK's supervisory authority, "Article 22 applies to solely automated individual decision-making, including profiling, with legal or similarly significant effects."
Let's break that down.
Unless your company makes decisions of this sort, there's no need to worry about this user right.
If your company engages in solely automated decision-making that could produce significantly negative effects on your users, you need to offer a means for your users to have the decision reviewed and reconsidered by a human. This means assigning this job to members of staff in your company.
Here's how Novitas Loans offers this in its Privacy Policy:
Failing to fulfill a request to facilitate a user's rights under the GDPR can lead to a complaint to your supervisory authority, and the potential for a large fine. You may find that your company never receives such a request, but you still need to have systems in place so that you can respond if this happens. Your company also needs to demonstrate its readiness to comply in its Privacy Policy.
The rights are all distinct, and different systems will be required to facilitate each one. Here are the factors that are common to many or all of them:
This article is not a substitute for professional legal advice. This article does not create an attorney-client relationship, nor is it a solicitation to offer legal advice.