Chapter 6: User Rights Under the GDPR

User Rights Under the GDPR

While the majority of the GDPR lays out the rules and guidelines for those who wish to collect or process the personal data of residents of the EU, Chapter 3 focuses on the rights of those data subjects whose personal information is being handled.

By clearly spelling out the rights of data subjects and how these rights affect data handlers, the GDPR creates a system of checks and balances to ensure that data subjects have forms of recourse in the event that their personal information is abused or mishandled.

By informing both data subjects and data controllers/processors of these rights, all parties involved are made aware of how personal data should be handled so that they can keep an eye out for accidental or purposeful mishandling.

For example, the right to rectification gives data subjects the right to review and correct their personal data in the event that it is incorrect or changes. The GDPR has rules in place requiring data controllers to have a procedure for making these corrections, and gives the data subjects the right to have those corrections made.

By including this right into the data subject-data controllers relationship, there is rarely a need for intervention from an authority and the data subjects themselves are able to police their own data.

Without these rights, it would be nearly impossible for the authoritative body to monitor all data handling in the EU.

The right to rectification is just one of the eight fundamental rights of the GDPR which empower data subjects to have their personal information used only how they wish within the confines of the law.

Let's take a look at these rights and how they protect the privacy of data subjects.

The Eight Data Subject Rights of the GDPR

The eight fundamental rights of data subjects under the GDPR can be found in Articles 15 through 22. These rights can be summarized as follows:

1. The right to be informed
2. The right of access by the data subject
3. The right to rectification
4. The right to erasure (commonly referred to as "the right to be forgotten")
5. The right to restriction of processing
6. The right to data portability
7. The right to object
8. The right to human intervention

You may be able to infer what some of these rights entail in part or in whole, but let's discuss each one so that we have a complete understanding of what they entail.

The Right to Access

Article 15 of the GDPR describes the right of access by the data subject.

This right allows individuals to know if a data controller or processor possesses personal information about them and if that information is being processed.

The individual also has the right to request access to that information as well as answers to any of the following questions:

• What is the purpose for processing my data?
• What categories of my personal data are being processed?
• With whom has my personal information been shared (or with whom will it be shared in the future)?
• How long will my information be kept?
• Can my information be updated, restricted, or erased?
• Can the processing of my data be objected to?
• Who is the supervisory authority if I need to lodge a complaint?
• What is the source for personal data not directly collected from me?
• Is my data used for automated decision-making?
• What effect might automated decisions have on me?

Article 15 also states that data subjects may request a copy of their personal data from the data controller. It goes on to say that data subjects should be informed of the safeguards in place if their personal data is transferred out of the country.

To summarize, the right to access gives data subjects the right to know if and what information about them is being stored or processed, why it is being processed, with whom it is being shared, and how long it will be kept.

The Right to Rectification

Article 16 of the GDPR covers the right of rectification, which in essence says that data controllers must correct, update or complete personal data that is inaccurate or incomplete at the request of the data subject.

This goes along with the right of access in Article 15, where data subjects can request a copy of their personal data, know if it is being processed, and know if it can be updated. This way data subjects can check their personal data to ensure that it is accurate, complete, and up to date, and request corrections if it is not.

The Right to Erasure

Commonly known as "the right to be forgotten," Article 17 of the GDPR covers the right to erasure. This right gives data subjects the power to request that their personal information be deleted without undue delay under any of the following circumstances:

• The data is no longer needed to complete the task for which it was collected
• Consent is withdrawn and there is no other legal basis for processing the data
• The data subject objects, as per the right below
• The data has been unlawfully processed

There are a few exceptions to this rule (such as in order to defend against legal claims), but in most cases data subjects have "the right to be forgotten" if they no longer wish to have their personal data used by an organization.

The data controller must make a reasonable effort to erase all data that they possess including what has been shared with other entities and cease all processing of that data.

The Right to Restriction of Processing

Article 18 lays out the rules for restricting processing in cases where the data subjects wishes to enforce control over their personal information without enacting the right to erasure.

Data subjects may enforce this right in any of the following situations:

• When a data subject contests the accuracy of their personal information
• When personal data has been unlawfully processed
• When the controller no longer needs the data but the data subject does not want it deleted for legal reasons
• When the right to object has been used

Data subjects may restrict the processing of their personal information to only operations for which they have given express consent or for legal reasons, and the data controller must inform the data subjects before the restriction is lifted.

The right to restriction allows data subjects to control their data even if they do not wish for their data to be erased.

This can be crucial for legal claims that require evidence, though the data subject no longer wants his or her data processed for other reasons. It is also important in situations where objections or investigations take place and a temporary pause is to be put on the data to prevent further processing.

Notification Obligations

Article 19 discusses the notification obligations of data controllers in the event that a data subject enacts the right to rectification, erasure, or restriction as described in Articles 16, 17, and 18. The data controller is required to notify the third parties with whom the data has been shared so that the third parties may also rectify, erase, or restrict the use of that data.

This ensures that a data subject's personal information can be corrected, erased, or restricted by all parties that possess it, not just the data controller.

Otherwise the data controller would simply delete the data it possesses and the third party processor would continue to use it.

Article 19 goes on to say that data subjects have the right to request to know the recipients of their personal data so that they can ensure all copies of their personal information are rectified, erased, or restricted as per the data controller's notification obligation.

The Right to Data Portability

Article 20 of the GDPR covers the right to data portability. This right only applies to data that's processed based on either consent or a contract, and that's processed using automated means.

In such a case, this right gives data subjects the ability to request a copy of their personal data in a structured, commonly used and machine-readable format. When technically feasible, the data subjects can request the information be transmitted to a different business for processing.

The Right to Object

Article 21 of the GDPR gives data subjects the right to object to the processing of their personal data if they believe that there is not a legal basis for doing so as described in Article 6 of the GDPR.

Let's take a look at that section:

1. The data subject shall have the right to object, on grounds relating to his or her particular situation, at any time to processing of personal data concerning him or her which is based on point (e) or (f) of Article 6(1), including profiling based on those provisions. The controller shall no longer process the personal data unless the controller demonstrates compelling legitimate grounds for the processing which override the interests, rights and freedoms of the data subject or for the establishment, exercise or defence of legal claims.
2. Where personal data are processed for direct marketing purposes, the data subject shall have the right to object at any time to processing of personal data concerning him or her for such marketing, which includes profiling to the extent that it is related to such direct marketing.
3. Where the data subject objects to processing for direct marketing purposes, the personal data shall no longer be processed for such purposes.
4. At the latest at the time of the first communication with the data subject, the right referred to in paragraphs 1 and 2 shall be explicitly brought to the attention of the data subject and shall be presented clearly and separately from any other information.
5. In the context of the use of information society services, and notwithstanding Directive 2002/58/EC, the data subject may exercise his or her right to object by automated means using technical specifications.
6. Where personal data are processed for scientific or historical research purposes or statistical purposes pursuant to Article 89(1), the data subject, on grounds relating to his or her particular situation, shall have the right to object to processing of personal data concerning him or her, unless the processing is necessary for the performance of a task carried out for reasons of public interest.

In the event that a data subject challenges a data controller's legal basis, any processing of their data should be postponed until the data controller can prove its legal basis for doing so.

Under Article 21, data subjects also have the right to object to direct marketing, including more general forms of targeting such as demographic profiling. If a data subject objects to direct marketing, any processing of their personal data for such reasons must cease.

Recital 69 gives individuals the right to object to or challenge when a business invokes legitimate interest as a legal basis for processing their personal information. If an individual feels that the business' legitimate interests interfered with their own rights or interests, then that individual may challenge the decision.

Recital 69. Right to object*

Where personal data might lawfully be processed because processing is necessary for the performance of a task carried out in the public interest or in the exercise of official authority vested in the controller, or on grounds of the legitimate interests of a controller or a third party, a data subject should, nevertheless, be entitled to object to the processing of any personal data relating to his or her particular situation. It should be for the controller to demonstrate that its compelling legitimate interest overrides the interests or the fundamental rights and freedoms of the data subject.

For example, if a website collects shipping addresses for delivering products purchased online, then the company sends advertisements to those same addresses without obtaining consent to do so, some of the recipients may see this as undesirable junk mail.

Those data subjects would have the right to challenge the website's decision to use their shipping information in this manner without permission. If it was found that the website was indeed infringing on the rights of their data subjects, the data controller would likely be penalized.

Recital 69 also stipulates that it is the responsibility of the data controller to prove that its legitimate interests are compelling and override the rights, freedoms, and interests of the data subjects who challenged them. Such a situation could quickly turn into a costly burden, which is why understanding the law regarding legitimate interests is so important.

The Right to Human Intervention

Article 22 of the GDPR discusses user rights in the event of automated decisions. Here is the exact language of Section 1 of Article 22:

1. The data subject shall have the right not to be subject to a decision based solely on automated processing, including profiling, which produces legal effects concerning him or her or similarly significantly affects him or her.

This right protects data subjects from poor decisions that human intervention might prevent but automated processes do not.

Note that Section 1 of Article 22 does not apply in cases where:

• Express consent is given for the automated processes
• Automated processes are necessary to complete a contract between the data subject and the data controller
• Another relevant and adequate law from the Union or a Member State allows it

The above exceptions are still subject to human intervention and the data subject can object if they do not agree with how their data is being processed.

The data controller is still responsible for having suitable safeguards in place to protect the rights and privacy of data subjects, and these data subjects should, at the very least, be able to express their concerns and obtain human intervention on the part of the data controller.

Data Controller Obligations

While all of these rights should be reviewed and understood by both data controllers and data processors to ensure a complete understanding of the GDPR, some of the user rights are targeted primarily at controllers while others are meant for processors. Most of the responsibility falls on data controllers as they decide what is done with the data and who has access to it.

Let's take a look at which rights pertain more directly to the data controller and why:

The Right to Access

The right of access gives users the right to find out if a data controller or processor possesses or is processing their personal data. This includes knowing what information is possessed, why it is being processed, and who is processing it.

While Article 15 of the GDPR specifically mentions both data controllers and data processors, the fact that a data controller must notify inquiring users of who their data has been shared with makes the data controller the obvious choice when invoking the right of access.

The right of access pertains more to data controllers as they are the ones who possess that data.

Data processors only possess this data for a limited time until the task they were recruited for is completed. As the probable collector of the data, the data controller is the one who is more likely to have to deal with data access requests and inform users what is being done with their data and send copies of that data if requested.

Data controllers must answer all of the questions in Article 15 if requested by a data subject, while only some of these questions are usually answerable by data processors.

The Right to Rectification

This right applies more often to data controllers.

This is because any corrections requested by a data subject would first be corrected in the records of the data controller who is utilizing and potentially sharing that data before ensuring that it is corrected elsewhere along the path of distribution.

Since the data processor only processes the data it is provided with from the data controller, it is usually the responsibility of the data controller to ensure that the data it possesses is accurate and up to date.

Most rectification requests will be sent to the data controller and corrected in the controller's database.

The Right to Erasure

The right to erasure is usually targeted at the data controller for the simple reason that it requires the erasure of said data at every level. That is, after the request has been made by the data subject, the data controller is responsible for seeing that all parties with whom the data has been shared also erased their copies of the data in question.

The request will usually be sent to the data controller who is then responsible for notifying any data processors it employs to also erase any copies of that data that have been shared with them.

For this reason, it makes sense for individuals to simply invoke this right to the data controller and have the controller notify the processors it's affiliated with and direct them to delete the data.

Data Processor Obligations

While data controllers are largely responsible for ensuring that personal data is handled properly by all parties involved, some of the user rights are intended particularly for the data processor or affect both data controllers and data processors equally.

These are:

The Right to Erasure

While the request to invoke the right of erasure is usually handled between the data subject and data controller, data processors must also be aware of this right and have a procedure in place for how to handle it.

The request may come from the data controller or the data subject directly, but in either case the data processor has the obligation to erase the data in question when applicable.

The Right to Restriction of Processing

The right to restrict processing can be invoked for either a data controller or data processor. If the request goes to the data controller, the data controller is obligated to notify any data processors it employs about the request for a data processing restriction.

But keep in mind that since either the data controller or data processor may be responsible for the action that led to a request for data restriction, either could be the recipient of the request directly from the data subject and may be the only party affected.

The Right to Rectification

Again, while this request will usually be made to data controllers, data processors should also have a procedure in place so that they can make corrections and updates to the information they possess and process about a data subject.

Continuing to process inaccurate or incomplete data after the right to data rectification has been invoked could potentially land the data processor and data controller in hot water.

User Rights Summaries

1. The right of access gives data subjects the right to know if their personal information has been collected and is being processed, as well as what information, why and by whom.
2. The right to rectification gives data subjects the right to have their personal information corrected and updated in the records of data controllers and processors.
3. The right to erasure gives data subjects the right to have their personal information deleted from the records of data controllers and processors.
4. The right to restriction of processing gives data subjects the right to pause, postpone, and limit the processing of their personal information.
5. The right to notification gives data subjects the right of having data controllers and data processors notify other data processors of requests made for rectification, erasure, and restriction of their data to ensure all parties are informed of the data subject's will.
6. The right to data portability ensures that the data subject retains ownership of their personal data and can request copies and transfers of their data to do with as they please.
7. The right to object gives data subjects the right to object to data collection and processing activities that they feel infringes on their rights or is not compliant with the GDPR in order to protect their privacy and interests.
8. The right to human intervention ensures that data subjects will not face the consequences of automated decisions without their consent, and grants the ability to request human intervention.

Remember that some of these rights only apply in specific circumstances and may come with exceptions. Become familiar with the details of each, when each applies and how to facilitate each right.