8 User Rights Under the GDPR

The EU Commission describes the General Data Protection Regulation (GDPR) as:

"an essential step to strengthening citizens' fundamental rights in the digital age [which] provides tools for gaining control of one's personal data."

The GDPR achieves this by setting out eight rights that all EU citizens have when it comes to the processing of their personal data. These 8 rights can be found in Chapter 3 of the GDPR.

If your company is a data controller, it's responsible for facilitating the exercise of these rights on EU citizens' behalf. According to the definitions set out in Article 4 of the GDPR, a data controller is any organization or individual that decides how and why EU citizens' personal data is processed.

So if your company, for example, takes payment details from EU citizens, collects their names and email addresses, or stores browser information on a website that's accessible from within the EU - it's a data controller, and may be called upon to help an EU citizen exercise their data rights.

Sounds daunting? Well, in most cases, it should be relatively simple - so long as you have the right systems in place.

Let's take a look at these 8 user rights and how to successfully address them.

The Right to Be Informed

If you're processing someone's personal data, they have a right to know about it - everything about it. The GDPR requires that you inform your users about:

• Who you are and how they can contact you
• Why you're processing their personal data
• What types of personal data you're processing
• Details about your lawful basis for processing their data (there are six of these, set out at Article 6 of the GDPR)
• How long you'll be storing their data
• What types of organizations you'll be sharing it with (eCommerce platforms, email providers, etc.)
• What rights the user has over their data

Create a Privacy Policy

Under Article 12 of the GDPR, the information above needs to be provided in "a concise, transparent, intelligible and easily accessible form, using clear and plain language."

The only way you can fulfill this requirement is by having a Privacy Policy. A Privacy Policy is required by law for any individual or organization that processes the personal data of EU citizens.

Here's an excerpt from Soundcloud's Privacy Policy, where Soundcloud explains what data it collects from users who create an account.

If one of your users exercises their right to be informed, you can just point them to your legally compliant Privacy Policy. If you don't have one, you need to create one.

The Right of Access

Under Article 15 of the GDPR, your users are allowed to request information about any of their personal data that your company is processing. This is known as a Subject Access Request.

The information your company might be asked to provide includes:

• Confirmation of whether you're processing a user's data
• A copy of any of the user's personal data you're storing
• Any information that should be in your Privacy Policy

Consider Creating a Subject Access Request Form

Recital 59 of the GDPR says that "modalities should be provided for facilitating the exercise of the data subject's rights."

In other words, you should have a system. The GDPR also recommends that you "provide means for requests to be made electronically."

You may wish to provide a Subject Access Request form on your website.

The University of Southampton in the UK provides such a form. Here's a part of it:

A form like this makes it easy and convenient for your users to exercise their rights.

The Right to Rectification

Article 5 (1)(d) of the GDPR lists "accuracy" as one of the fundamental principles of data processing. The corresponding right can be found in Article 16 as the right to rectification. This right gives users the opportunity to request that your company corrects any inaccurate data that it holds about them.

Your company might not receive enough rectification requests to warrant a dedicated form. However, you still need to make reference to rectification in your Privacy Policy.

Here's how investment group Octopus Ventures facilitates its users' rectification requests in a chart in its Privacy Policy:

The Right to Erasure

The right to erasure can be found in Article 17 of the GDPR. Sometimes called the "right to be forgotten," this is one of the best-known parts of the GDPR - but the GDPR really only codified an existing legal principle.

The right to erasure stems from a court case, Google Spain v AEPD, Mario Costeja González (2014), in which Mario Costeja Gonzalez successfully requested that Google remove several references to him in its search results. The decision in the case has been somewhat misunderstood, with some believing that anyone now has the right to remove their name from Google. This isn't exactly what the right to erasure imparts - but it does give users the right to request deletion of their personal data in certain circumstances.

Don't Automatically Comply

There are certain conditions under which your company can, and should, refuse to comply with a user's data erasure request. However, you must comply if:

• The personal data is no longer required for its intended purposes.
• The user has withdrawn consent for your company to process their data.
• Your company is processing the user's data unlawfully.
• Your company has a legal obligation to erase the data.
• Your company cannot argue that its legitimate interests in processing the user's data outweigh the user's right to have it erased.

Certain conditions related to children also apply, as per Article 8.

It follows that you should not comply if you need to keep processing the user's data in order to carry out whatever task you were using it for. You might have to consider whether the user has the right to restrict or object to that processing.

To put this in context, here's an excerpt from jewelry company Silverado's Privacy Policy:

It seems reasonable that a user's personal data would need to be kept on file whilst their order is processed or any ongoing issues are resolved. The third condition might also be justifiable if the user's behavior is under investigation, or if there is a risk that the user will misuse the company's service again.

The Right to Restrict Processing

As an alternative to requesting rectification or erasure of their personal data, a user can request that your company refrains from doing particular things with their data. This right in Article 18.

Here's an example of a situation in which an individual might request to have processing restricted, provided by the European Commission:

This might be an option for users who are unable to have their data erased for some of the reasons above. Or, it might be a suitable temporary measure while your company considers a user's objection to the processing of their data.

If a user objects to your company's processing of their data or makes a rectification request and you aren't able to immediately comply, you should always consider restricting processing while you deal with this request.

Have a System for Handling Restricted Data

Recital 67 of the GDPR suggests a few ways that you might manage this request. You could:

• Move the restricted data to a separate system
• Temporarily make the data unavailable
• Temporarily take the data down from your website

Generally speaking, your company shouldn't process restricted data in any way other than to store it.

The Right to Data Portability

Article 20 of the GDPR gives users the right to request a copy of any of their personal data that your company possesses. The idea is that individuals should truly own their personal data. They should be able to take it from you and give it to another organization if they want to.

Recital 68 of the GDPR states that the right to data portability "should not apply where processing is based on a legal ground other than consent or contract." This means that you don't need to comply with a request for data portability unless you ask your users for consent to process their data or have a contract with them.

Consider a Third Party System

There are services offered in some EU Member States which facilitate data portability on behalf of users. Midata is one such system and is available in the UK, Germany, The Netherlands, and Switzerland (although Switzerland is not an EU Member State, the GDPR still applies there).

If your company wishes to implement its own system of data portability, the only specifications given at Article 20 of the GDPR are that the data is offered in "a structured, commonly used and machine-readable format." This means you could develop a system of exporting user data to an Excel file or Word document.

If you're using third-party database software, it's likely that this software has a facility for exporting user data to such a format.

Recital 69 of the GDPR also states that "where technically feasible, the data subject should have the right to have the personal data transmitted directly from one controller to another."

Here's how education organization Advance HE covers data portability in its Privacy Policy:

The Right to Object

Article 21 of the GDPR gives users the right to object to the processing of their data.

This is most important in the context of direct marketing.

Unlike most of the other rights, in this context there are no caveats. The user has an absolute right to object to direct marketing. If a user states that they no longer wish to receive direct marketing materials from your company, you must obey. This doesn't mean, however, that you'll also have to delete their personal data.

The right to object to processing other than for the purposes of direct marketing is more complicated and the user must give their grounds for making such an objection. There are reasons that your company might refuse this to honor an objection, such as if you have a legitimate interest in processing the user's data to defend against legal claims.

Make Users Aware of Their Right to Object

Recital 70 of the GDPR states that the right to object to direct marketing "should be explicitly brought to the attention of [your users] and presented clearly and separately from any other information."

Your company must include an "unsubscribe" link in any direct marketing emails. You must also make reference to the ways that your users can object to direct marketing in your Privacy Policy.

Here's how clothing retailer H&M does this:

Rights Related to Automated Decision-Making and Profiling

The right to object to certain types of automated decision-making is probably the most obscure of the user rights, and is found in Article 22 of the GDPR. Before looking at what this right entails, it's worth explaining which sorts of companies it applies to.

According to the Information Commissioner's Office (ICO), the UK's supervisory authority, "Article 22 applies to solely automated individual decision-making, including profiling, with legal or similarly significant effects."

Let's break that down.

• "Solely automated individual decision-making" - for example, an electricity company automatically cuts off a customer's electricity supply if they fail to pay their bills. "Solely" means no human is involved.
• "Including profiling" - profiling means using data about a person or group to predict their behavior and making decisions accordingly. Credit checks are one example of profiling.
• "With legal or similarly significant effects" - a decision leading to increased state surveillance would have a "legal effect." Recital 71 of the GDPR suggests that a solely automated denial of credit or certain recruitment decisions would be significant enough to fall within the scope of Article 22.

Unless your company makes decisions of this sort, there's no need to worry about this user right.

Always Offer Human Intervention

If your company engages in solely automated decision-making that could produce significantly negative effects on your users, you need to offer a means for your users to have the decision reviewed and reconsidered by a human. This means assigning this job to members of staff in your company.

Here's how Novitas Loans offers this in its Privacy Policy:

Facilitating Users' Rights

Failing to fulfill a request to facilitate a user's rights under the GDPR can lead to a complaint to your supervisory authority, and the potential for a large fine. You may find that your company never receives such a request, but you still need to have systems in place so that you can respond if this happens. Your company also needs to demonstrate its readiness to comply in its Privacy Policy.

The rights are all distinct, and different systems will be required to facilitate each one. Here are the factors that are common to many or all of them:

• You must inform your users via your Privacy Policy that they can make user rights requests.
• Your company can't normally charge a fee for responding to a user rights request, but it can charge for requests that are "manifestly unfounded or excessive" or repetitive.
• Your company must always respond to requests, and must always endeavor to comply, except where requests are "manifestly unfounded or excessive."
• Your company has to respond to every request "without undue delay" - within a maximum of one month. It may be reasonable to take longer than this, but you must keep the user closely informed during the process.
• If there are any doubts about the identity of the user making the request, you can ask for ID.