User Rights Developers Need To Know

The data subject rights are a way for individuals to maintain maximum control over their personal data. They are a cornerstone of the GDPR and deeply empowering for individuals in the EU.

Illustration: User Rights Developers Need To Know

However, facilitating data subject rights requests can represent something of a burden for a business. In this chapter, you'll be learning how to reduce this burden by being prepared and having the right systems in place.

Data Subject Rights

These are the eight data subject rights:

  1. The right to be informed
  2. The right of access
  3. The right to rectification
  4. The right to erasure
  5. The right to restrict processing
  6. The right to data portability
  7. The right to object
  8. Rights related to automated decision-making

Individuals can access their data subject rights simply by contacting you and making a coherent request.

Each of the data subject rights has different rules associated with it. However, there are certain conditions that are common to most of the rights:

  • You must normally comply with any request
  • You may not normally charge data subjects for exercising their rights
  • You may ask for ID
  • You must respond "without undue delay." Normally, you have a maximum of one calendar month to respond. A further two-month extension can apply in complex cases

You'll notice there is a "normally" in some of the points above. Like with practically everything in the GDPR, there are exceptions. We'll look at these towards the end of this chapter.

The Role of Data Processors

Data subject rights are largely a data controller's responsibility. A data processor must not respond directly to data subjects who have made a request. The relevant sections of the GDPR are addressed to data controllers.

However, data processors still play an important role when it comes to data subject rights. For instance, they are required to:

  • Inform data controllers if they have received a request (allowing the controller to respond)
  • Assist the data controller in retrieving, modifying or erasing the relevant personal data

Data processors should also:

  • Develop data processing systems in such a way that data subjects and/or data controllers can control personal data (front end)
  • Ensure that their databases and systems maintain personal data in such a way that it can be easily accessed or modified when required (back end)

Dealing with Data Subject Rights

Your users could be in contact at any moment to request copies of, deletion of, or amendments to their personal data. This should keep your data processing practices in check.

There are two ways to significantly reduce the amount of work you'll have to do in relation to data subject rights requests:

  1. Collect and store as little personal data as possible
  2. Have your users do the work themselves

"Catch All" Approaches

We're going to look at some specific solutions and considerations in relation to each data subject right. But first, it's worth noting that many companies provide a "catch all" method that allows data subjects to access most or all of their rights in one place.

Bare Minimum

The bare minimum you can do to allow individuals the opportunity to exercise their data subject rights is to provide an email address via which they can make requests. You must disclose this, along with details of the data subject rights, in your Privacy Policy.

Here's an example of this "bare minimum" approach from Tahola. First Tahola lists the data subject rights:

Tahola Privacy Policy: GDPR Rights clause

Then a contact email address is provided for those who wish to exercise their rights:

Tahola Privacy Policy: Contact Details clause

This is not an ideal solution from your users' perspective, and it's actually probably not going to be the most efficient method from your perspective, either.

Even if you're looking at other solutions, you should still let people know that they can email you if they want to make a data subject rights request. This ensures you're covering all bases.

Multi-purpose Form

You may sometimes receive illegible, confusing or invalid requests. You can reduce the possibility of this by asking people to make their requests in a specific format. This could save you a lot of back-and-forth with your users, and it also makes things easier from their perspective.

Here's Danone's "catch-all" solution. After an individual fills in their identity and contact details, they are presented with this web form:

Excerpt of Danone Data Subject Rights Request form

A form like this should help make sure you receive coherent, actionable data subject rights requests.

Privacy Dashboard

The ideal solution is to provide your users with account controls or a "privacy dashboard" that will allow them to access and modify personal data directly.

Facebook offers its users a range of account controls. Many of these correlate with the GDPR's data subject rights. Here's the "Your Facebook Information" screen in Facebook's settings:

Facebook: Your Facebook Information screen

These options allow users to directly exercise a number of their rights.

Choosing "Managing your information" leads to a series of other options, which satisfy other data subject rights:

Facebook Manage Data page: Options menu

For all of Facebook's controversies around privacy, this is a great example of how to hand personal data control to your users.

Bear in mind, however, that if you provide account controls to your users, you must still respond to requests from individuals who do not have an account with your company.

Let's take a look at some different considerations and approaches in respect of the individual data subject rights.

Right to Be Informed

The right to be informed is mostly a "passive" right - users do not have to do anything in order to invoke it. Ideally, everything a customer needs to know will be detailed in your Privacy Policy.

However, if anything is missing from your public-facing privacy information, or if users want a greater level of detail about how you treat personal data, they can make a request under the right to be informed.

If you're a data controller, your obligations under the right to be informed are to:

  • Create a "concise, transparent, intelligible and easily accessible" Privacy Policy that provides comprehensive information about what personal data you process.
  • Make sure this information is made available to individuals at key points (e.g. when you collect personal data from them, and when you communicate with them using that personal data).
  • If you have obtained personal data from another source, provide the data subjects with all relevant information within one month (unless it would involve a disproportionate effort to do so).

Data processors must offer all requisite information to their data controllers, and be rigorous in their record-keeping.

Fulfilling the Right to Be Informed

The Article 29 Working Party suggests taking a "layered approach" to providing individuals with privacy information. Consider all the different ways you can provide this information and how you can make it easy for individuals to access it.

You must ensure your Privacy Policy and all associated information is presented in "clear and plain language."

To help you achieve this, you can provide a short version of your Privacy Policy alongside the full version.

Here's how Silktide does this:

Silktide Privacy Policy: Short version

And here's an example from Goal Click:

Goal Click Privacy Policy: Short Version highlighted

Yola provides a short summary of each section of its Privacy Policy alongside the full information:

Yola Privacy Policy: How Do We Collect Such Information clause - Active Collection section with Short Version

You can make your Privacy Policy available alongside account controls and contact details in a "privacy dashboard." This is a good way to ensure all relevant information is available in one place.

Here's how Goverlan does this:

Screenshot of Goverlan Privacy Dashboard

Your Privacy Policy could be present in a footer that persists across the pages of your website. Here's an example from TechCrunch:

TechCrunch website footer with Privacy Policy link highlighted

You must also make sure your Privacy Policy is presented at key points when you collect user data.

For example, here's how a mobile app can provide a link to its Privacy Policy on its account creation screen:

Mobile app sign-up screen with Privacy Policy link highlighted

You should present your Privacy Policy even when you're only asking for a small amount of personal data, such as when a user signs up for your newsletter.

Here's an example from Matomo:

Matomo sign up for newsletter pop-up with Privacy Policy link highlighted

Right of Access

The right of access requires you to provide users with a copy of any personal data you hold on them. This is probably the most commonly exercised of the data subject rights, and you should make sure it's a simple process for you and your users.

Failing to comply with a "subject access request" can lead to big problems for your company.

It's important to remember that the personal data amenable to subject access requests might not reside in neatly arranged databases.

The types of personal data you need to provide could include:

  • Emails (including internal emails) that mention or could identify a person
  • Log data
  • Chat logs
  • Phone records
  • Access records (e.g. occasions on which a user logged into their account)
  • Information associated with behavioral advertising
  • Confirmation of whether or not you're processing a person's personal data

Here are some things to think about in respect of the right of access:

  • Make sure you have data minimization locked down, so the amount of data you're required to provide users with is kept to a minimum.
  • Conduct a data audit to ensure you know where customer data is "hiding."
  • Consider using a Content Services Platform (CSP) if you keep voluminous records for each user. This can help you centralize access to all personal data associated with a given user.
  • Ensure that everyone within your company can recognize a subject access request, and knows what to do when they receive one.

These considerations apply equally to data controllers and data processors.

Although data processors won't be providing personal data to a user directly, they must provide it to the data controller on demand.

Data processors must be aware that the controller has a maximum of one month to respond to the request, and this includes the time the controller spends communicating with the data processor. Fumbling, delaying or providing incomplete records is an easily avoidable way for a data processor to lose clients.

Facilitating Requests for Access

Where you can provide personal data to a user up-front, make it easy for them to access it directly via account controls. This should reduce the number of actual subject access requests you receive. This is a common feature for websites and apps which allow users to create an account.

Account controls will generally allow access to personal data that the user provided your company in the first place. It might include:

  • Account details
  • Contact details
  • Post or comment history

You could offer a menu within the account that provides options such as the following:

Generic account menu options list

Any of this information could constitute personal data, and there is no reason not to give the user direct access to it.

Providing something like an "Access Tool" can give extensive, instant access to personal data associated with an account. Here's some of the information a user could access:

Generic account info and connections options

Remember, though, that you still need a way to respond to subject access requests for non-account holders. Many organizations provide a subject access request form specifically for facilitating the right of access. This could be a secure web form, or a downloadable document that can be sent to you via email.

Here's an example:

Generic Subject Access Request Form

Right to Rectification

The right to rectification allows individuals to request that any inaccurate data held on them is corrected. This is in accordance with the GDPR's principle of accuracy.

Allowing users to keep their personal data accurate and up-to-date works for everyone's benefit. It can even reduce the likelihood of a data breach occurring. For example, having mismatched contact details on file can cause personal data to be sent to the wrong person.

The right of rectification is important in ensuring confidentiality and minimizing unwanted contact.

Here are some things to think about in respect of the right to rectification:

  • The more personal data you collect, the more likely you are to be storing inaccurate personal data. This is relevant to the principle of data minimization.
  • The older the data is, the more likely it is to be inaccurate. People move house, get new email addresses, they could change their name, title, or gender identity. This is one of many reasons to ensure you comply with the principle of storage limitation.
  • Depending on the context of your business, a Customer Relationship Management system can be particularly helpful in allowing your users to take ownership over their personal data.

You're responsible for communicating the changes to any third parties with whom you have shared the personal data. This is particularly important for data controllers working with data processors, but it could also apply to data processors working with subprocessors.

You don't have to change personal data if you are certain that the personal data is correct. You must justify your decision and let the individual know why you have come to this decision.

Facilitating Requests for Rectification

Again, your obligations under the right to rectification can be partly met by user account controls.

Let's look at an example from Pinterest. A simple "edit" icon is included as part of the main profile page:

Pinterest Profile page with Edit option highlighted

Clicking on this icon directs users to an account overview, where they can change personal details associated with their account:

Pinterest edit profile page

And here's how this looks in the Pinterest mobile app. First, the settings menu:

Pinterest app Settings menu with Edit profile link highlighted

Then, the "Edit profile" screen itself after clicking:

Pinterest Edit profile screen

Pinterest collects only very basic user information, but you can extend this principle as far as is appropriate for your users.

Right to Erasure

The right to erasure is also known as the "right to be forgotten." It ties in closely with the principle of storage limitation.

People have a right to request that you delete any personal data you are holding on them. But this is not an absolute right.

Rather than listing the exceptions to the right to erasure, it's actually easier to list the situations in which you will need to comply.

You must comply with this request if one of the following applies:

  • You're relying on the person's consent to store this personal data, and the individual wishes to withdraw their consent.
  • You're relying on legitimate interests to store this personal data, and the individual's interests in having the data deleted outweigh your interests in storing it.
  • You're holding the personal data in connection with direct marketing, and the individual has registered their objection to this.
  • You collected or are using the personal data in an unlawful way.
  • You don't need the personal data anymore for the purpose for which you collected it.
  • The person has a legal right to have the personal data erased.

You must be especially willing to comply with requests from children (or their guardians), or in relation to personal data that was collected from an individual when they were a child.

The GDPR protects your right to freedom of speech. You don't always have to erase personal data in the public domain simply because a person doesn't like what you have written about them.

Here are some things to think about in respect of the right to erasure:

  • You should make a habit of deleting data that is no longer necessary. This is relevant to the principle of storage limitation.
  • If you're asked to erase personal data, you must also erase backups of that data.
  • In your initial response to the individual, you must ensure that they understand the implications of their request (without trying to dissuade them).
  • When complying with a request for erasure, it isn't normally enough to simply archive the personal data. Identifiers must be completely overwritten where possible.
  • If you genuinely cannot delete personal data following an erasure request, for example because it would require you to delete an entire batch including other people's personal data, you must do your best to put it beyond use. This may mean that you have to resort to a form of archiving.
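The decision in the last two bullets (delete outright, or overwrite identifiers and put the row beyond use when it cannot be removed without deleting other people's data) can be encoded once so that live data and backups are always handled the same way. The following Python is an added example, not code from the chapter; the record layout, the list of identifier fields and the "shared batch" rule are assumptions made for illustration.

```python
from dataclasses import dataclass, field
from typing import Dict, List, Optional
import secrets

# Fields that can identify the person; these are overwritten when a row cannot
# be deleted outright (assumed schema for this example).
IDENTIFIER_FIELDS = ("email", "name", "phone", "ip_address")


@dataclass
class Record:
    record_id: str
    subject_id: str                 # internal id of the data subject
    batch_id: Optional[str]         # set when the row lives in a shared batch
    data: Dict[str, str] = field(default_factory=dict)
    beyond_use: bool = False        # True once identifiers were overwritten


def _unlinkable_token() -> str:
    # Random and not derived from the old value, so it cannot be reversed
    # or matched against other datasets (unlike a hash of the old value).
    return "erased-" + secrets.token_hex(8)


def erase_subject(records: List[Record], backups: List[Record],
                  subject_id: str) -> Dict[str, int]:
    """Apply an erasure request to the live store and to backups.

    Rows outside any shared batch are deleted. Rows inside a batch (where
    deletion would take other people's data with it) are put beyond use:
    every identifier field and the subject link are overwritten with
    random tokens. Returns counts of what happened.
    """
    summary = {"deleted": 0, "beyond_use": 0}
    for store in (records, backups):
        kept: List[Record] = []
        for rec in store:
            if rec.subject_id != subject_id:
                kept.append(rec)
                continue
            if rec.batch_id is None:
                summary["deleted"] += 1          # drop the row entirely
                continue
            for name in IDENTIFIER_FIELDS:
                if name in rec.data:
                    rec.data[name] = _unlinkable_token()
            rec.subject_id = _unlinkable_token()
            rec.beyond_use = True
            summary["beyond_use"] += 1
            kept.append(rec)
        store[:] = kept                          # mutate the store in place
    return summary


def identifiers_present(records: List[Record], backups: List[Record],
                        *values: str) -> bool:
    """True if any of the given identifier values still appears anywhere."""
    for rec in list(records) + list(backups):
        if rec.subject_id in values:
            return True
        if any(v in values for v in rec.data.values()):
            return True
    return False


def build_sample():
    """Constructed sample data: two subjects, one shared batch, one backup."""
    records = [
        Record("r1", "u1", None, {"email": "alice@example.com", "name": "Alice"}),
        Record("r2", "u1", "batch-7", {"email": "alice@example.com",
                                       "ip_address": "192.0.2.10"}),
        Record("r3", "u2", "batch-7", {"email": "bob@example.com",
                                       "ip_address": "192.0.2.11"}),
    ]
    backups = [
        Record("b1", "u1", None, {"email": "alice@example.com", "name": "Alice"}),
    ]
    return records, backups


if __name__ == "__main__":
    recs, bks = build_sample()
    print(erase_subject(recs, bks, "u1"))
    print("alice still findable:",
          identifiers_present(recs, bks, "alice@example.com", "u1", "Alice"))
```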

Facilitating Requests for Erasure

If you allow users to create an account, you should make it as easy as possible for them to delete it.

It can be painful to lose customers in this way. But if people are not allowed to erase their personal data easily, they may become frustrated and suspicious.

This can be as simple as offering a link in a menu that lets the user delete the account:

Instagram Account menu with Delete account highlighted

If you're going to ask users to give a reason for deleting their account, then you must include an "other" or "rather not say" option. Individuals do not need to justify their decision to exercise their data subject rights.

You should explain briefly what will happen when the account is deleted. Adding an option to simply deactivate the account may help with customer retention:

Instagram Delete or Deactivate account screen

Right to Restrict Processing

The right to restrict processing allows individuals to limit how you process their personal data. Restricted personal data can still be stored, but cannot be processed in any other way.

Personal data might also be "restricted" if a user has asked to exercise their right to erasure or rectification, and you're waiting for them to provide ID. This puts processing on pause.

Here are some things to consider in respect of the right to restrict processing:

  • You need to have a way to distinguish personal data that has been restricted. You could have a separate, inactive system for storing restricted personal data.
  • Develop a way to render restricted personal data inaccessible to users, and only accessible to certain staff in your company.
  • You may need to temporarily take content down from your website. Consider the measures you can take to secure this data in the meantime.
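One way to "distinguish" restricted personal data and "render it inaccessible" as the bullets above describe is a flag on the record plus a single gate that every processing path (marketing jobs, analytics, the user-facing dashboard, exports to processors) has to call. The following Python is an added example, not code from the chapter; the roles, purpose names and audit trail are assumptions, and the policy encoded is the chapter's "storage only" rule plus review by designated staff so the pending request can be handled.

```python
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Tuple

# Staff roles allowed to look at restricted data at all (assumed policy).
RESTRICTED_ACCESS_ROLES = {"dpo", "privacy_ops"}


@dataclass
class Record:
    subject_id: str
    data: Dict[str, str]
    restricted: bool = False
    restriction_reason: Optional[str] = None
    audit: List[str] = field(default_factory=list)   # constructed audit trail


def restrict(rec: Record, reason: str) -> None:
    """Flag the record so that every non-storage use is paused."""
    rec.restricted = True
    rec.restriction_reason = reason
    rec.audit.append(f"restricted: {reason}")


def lift_restriction(rec: Record, reason: str) -> None:
    rec.restricted = False
    rec.restriction_reason = None
    rec.audit.append(f"restriction lifted: {reason}")


def check_processing(rec: Record, actor_role: str, purpose: str) -> Tuple[bool, str]:
    """Gate for every processing operation on a record.

    Unrestricted data: allowed. Restricted data: storage is always allowed;
    review by designated staff is allowed so the request can be processed;
    everything else is refused and the refusal is recorded.
    """
    if not rec.restricted:
        return True, "ok"
    if purpose == "storage":
        return True, "restricted: storage only"
    if purpose == "review" and actor_role in RESTRICTED_ACCESS_ROLES:
        return True, "restricted: staff review"
    rec.audit.append(f"denied {purpose} for {actor_role}")
    return False, f"restricted ({rec.restriction_reason}): {purpose} paused"


def visible_to_user(records: List[Record]) -> List[Record]:
    """What the account dashboard may show: restricted rows are hidden."""
    return [r for r in records if check_processing(r, "user", "display")[0]]


def build_sample() -> List[Record]:
    """Constructed sample: u1 asked for erasure and we are waiting for ID."""
    recs = [
        Record("u1", {"email": "alice@example.com"}),
        Record("u2", {"email": "bob@example.com"}),
    ]
    restrict(recs[0], "erasure request pending ID check")
    return recs


if __name__ == "__main__":
    recs = build_sample()
    print(check_processing(recs[0], "marketing_job", "send_newsletter"))
    print(check_processing(recs[0], "dpo", "review"))
    print([r.subject_id for r in visible_to_user(recs)])
```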

The European Commission provides the following example of when a restriction of processing would be appropriate:

European Commission: When should I exercise my right to restriction of processing of my personal data - Bank example

Facilitating Requests for Restriction of Processing

The right to restrict processing is somewhat obscure for most people's purposes. If you get requests for restriction of processing, these are likely to be part of a wider request involving other rights.

However, there are contexts in which you will want to provide an easy way for your users to exercise this right. It is possible to build this functionality into the front end of a website or app.

Right to Data Portability

The right to data portability allows individuals to take true ownership of their personal data. To comply with a request for data portability, you must offer the users a copy of their personal data in a well-organized, commonly used format, so they can transfer it to another data controller if they choose to do so. You should even try to carry out this transfer yourself if they ask you to.

The right to data portability is closely linked to the right of access, but there are key differences:

Source of personal data
  • Right of access: Can apply to personal data received from any source.
  • Right to data portability: Only applies to personal data received directly from the user.

Type of personal data
  • Right of access: All personal data.
  • Right to data portability: Excludes paper files.

Format of personal data
  • Right of access: No restrictions, except that the personal data must be provided in a "commonly used electronic form" when the request has been made by "electronic means" (e.g. via email or a web form).
  • Right to data portability: Must be a "structured, commonly used and machine-readable format."

Legal bases
  • Right of access: Applies by default under all legal bases.
  • Right to data portability: Only applies where the personal data is being processed under consent or contract.

Here are some things to consider in respect of the right to data portability:

  • You need to include all personal data in your possession that you've collected directly from the individual in question. This might include their:
    • Contact details
    • Account search history
    • Location data
    • Previous contact details
  • You should supply this personal data in an open file format such as CSV, XML, or JSON.
  • If a user requests that you transfer their personal data to another data controller, you should try to find a way of doing this. However, if it's not possible, you can decline this part of their request.
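The distinction drawn above (only data the person gave you directly, in an open structured format, versus everything you hold for an access request) can be enforced by tagging each stored field with its source at write time, so the export code never has to guess. The following Python is an added example, not code from the chapter; the profile layout and the "user", "derived" and "third_party" source tags are constructed for illustration.

```python
import csv
import io
import json
from datetime import datetime, timezone
from typing import Any, Dict, List

# Constructed profile. Each field carries a provenance tag: "user" (given to
# us directly by the person), "derived" (computed by us) or "third_party".
SAMPLE_PROFILE: Dict[str, Dict[str, Any]] = {
    "email": {"value": "alice@example.com", "source": "user"},
    "name": {"value": "Alice Example", "source": "user"},
    "previous_emails": {"value": ["alice.old@example.com"], "source": "user"},
    "search_history": {"value": ["gdpr portability", "csv export"], "source": "user"},
    "location_history": {"value": [{"ts": "2024-05-01T10:00:00Z",
                                    "lat": 52.52, "lon": 13.41}], "source": "user"},
    "inferred_interests": {"value": ["privacy", "cycling"], "source": "derived"},
    "risk_score": {"value": "low", "source": "derived"},
    "credit_band": {"value": "B", "source": "third_party"},
}


def portable_fields(profile: Dict[str, Dict[str, Any]]) -> Dict[str, Any]:
    """Only data the person provided directly qualifies for portability."""
    return {k: v["value"] for k, v in profile.items() if v["source"] == "user"}


def access_fields(profile: Dict[str, Dict[str, Any]]) -> Dict[str, Any]:
    """The right of access covers everything we hold, whatever the source."""
    return {k: {"value": v["value"], "source": v["source"]} for k, v in profile.items()}


def export_json(subject_id: str, profile: Dict[str, Dict[str, Any]],
                exported_at: str = None) -> str:
    """Structured, machine-readable portability export (JSON)."""
    exported_at = exported_at or datetime.now(timezone.utc).isoformat()
    doc = {"subject_id": subject_id, "exported_at": exported_at,
           "data": portable_fields(profile)}
    return json.dumps(doc, indent=2, sort_keys=True, ensure_ascii=False)


def export_csv(profile: Dict[str, Dict[str, Any]]) -> str:
    """Two-column CSV; nested values are serialised as JSON so nothing is lost."""
    out = io.StringIO()
    writer = csv.writer(out, lineterminator="\n")
    writer.writerow(["field", "value"])
    for key, value in sorted(portable_fields(profile).items()):
        cell = value if isinstance(value, str) else json.dumps(value, ensure_ascii=False)
        writer.writerow([key, cell])
    return out.getvalue()


def parse_json_export(text: str) -> Dict[str, Any]:
    """Round-trip helper: a receiving controller can load the file as-is."""
    return json.loads(text)


def parse_csv_export(text: str) -> List[List[str]]:
    return list(csv.reader(io.StringIO(text)))


if __name__ == "__main__":
    print(export_json("u1", SAMPLE_PROFILE))
    print(export_csv(SAMPLE_PROFILE))
```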

Facilitating Requests for Data Portability

Some social networks have set up automated systems that make it easy for them to fulfill a request for data portability.

Let's take a look at Instagram's method. Users can navigate to a "Your activity" menu with an option to "Download your information:"

Instagram Download Your Data screen

After a short delay while the file is prepared, Instagram emails the user with the relevant information.

Right to Object

The right to object gives individuals a high degree of control over the ways in which their personal data is processed. Individuals can request you to stop processing their personal data in a particular way.

Technically speaking, the right to object is used to object to processing carried out on the grounds of legitimate interests and public tasks. However, practically speaking, it's also helpful to consider the withdrawal of consent as an objection to processing.

If an individual originally consented for you to process their personal data in a particular way, they may also withdraw their consent at any time. The "right to withdraw consent" is, in this context, analogous to the "right to object."

The right to object is mostly about direct marketing. There are other contexts in which the right to object can be invoked, and it can be helpful to think about the right to object in any areas where you're relying on consent.

The right to object to receiving direct marketing is absolute. If you're directly marketing to an individual, regardless of your legal basis for doing so, you must stop if requested.

Here are things to consider in respect of the right to object:

  • At the point that you collect a user's personal data, you must inform them about any rights to object or withdraw consent.
  • It's very important to refer to the rights to object or withdraw consent in your Privacy Policy.
  • You should make absolutely sure you do not send marketing material, in any format, to anyone who has withdrawn consent or, if you're relying on legitimate interests, opted out.
  • The right to object applies to all non-essential cookies, even where they aren't being used for ads. If you're going to refuse an objection, and persist in placing cookies on a user's device, then you must be able to demonstrate an overriding legitimate interest.

Data processors, such as email marketing companies, play an important role here. They must provide their data controllers with an efficient way to alert them about any users who have objected to receiving marketing.

Facilitating Requests Under the Right to Object

Where you're relying on legitimate interests, it can sometimes be tricky to offer users an up-front way to exercise their right to object. But there is one context in which this is very simple, and absolutely crucial. You must include an unsubscribe link in all marketing emails.

Here's an unsubscribe link in an email from Entrepreneurs HQ:

Entrepreneurs HQ email footer with Unsubscribe link highlighted

You could also provide unsubscribe options for non-essential "service" or "transactional" emails.

For example, you can offer different email notification options like so:

Medium notifications settings screen

This isn't direct marketing, but it does involve the processing of personal data, and therefore might still be subject to a request under the right to object.

Rights Related to Automated Decision-Making and Profiling

The rights related to automated decision-making and profiling only apply in very particular circumstances. This is not within the scope of this book.

Individuals have a right not to be subject to purely automated decision-making in certain circumstances. You should check Article 22 of the GDPR and guidance from the ICO to see if this applies to your company.

Exceptions to the Rights

We've looked at how you can serve the needs of your users in relation to their data rights.

As a data controller, the default position should be that you will be required to facilitate data subject rights requests. But there are many reasons why you might not have to comply with a data subject rights request.

Whenever you refuse to comply with a request, you must keep a record of your decision. You must also inform the individual in writing of the reasons for your decision, and let them know that they have the right to make a complaint with a Data Protection Authority, or go to court.

Manifestly Unfounded or Excessive Requests

The GDPR recognizes that some data subject rights requests might be unreasonable, or "manifestly unfounded or excessive."

This exception can apply in respect of the rights of access, erasure, rectification, restriction of processing, data portability, and, except in the context of direct marketing, the right to object.

The UK Bar Council (an organization that regulates UK lawyers) suggests that you might consider the following factors when deciding whether a request is "manifestly unfounded or excessive":

  • The number of repeat requests that have been made
  • The nature of the personal data requested
  • The purpose for which you're processing the personal data
  • The frequency with which the personal data changes (for example, if the data has not changed between repeated access requests, you may be justified in not providing a copy of the same personal data several times)

If you decide that a request is unreasonable, you can:

  • Charge a reasonable fee
  • Refuse to carry out the request

You might also be justified in exceeding the one-month deadline, if trying to comply with such a request.

You must be able to justify your decision to refuse or charge for a request.

If you're processing personal data on certain lawful bases, you may not be required to comply with certain data subject rights requests.

None of the rights are absolute on any legal basis, but here are some of the more straightforward exceptions, based on guidance from the ICO.

A tick indicates that you normally will need to comply, a cross indicates that you normally will not need to.

Columns of the original table: Right to erasure, Right to data portability, Right to object. Rows, with the notes given for each legal basis:

  • Consent: The data subject may withdraw their consent
  • Contract: Only applies in the context of direct marketing
  • Legal obligation
  • Vital interests
  • Public task
  • Legitimate interests: Unless there remains an overriding legitimate interest for the processing

These exceptions make sense in context. For example:

  • If you're required to share someone's personal data with the police, the individual cannot stop you from doing this (legal obligation/right to object)
  • If a tax authority holds a person's name and address, they can't be asked to delete them (public interest/right to erasure)
  • If a company has logged someone's contact details and correspondence in connection with the prevention of fraud, it wouldn't be appropriate to provide the person with a copy of this data in a portable format so that it can be transferred to another data controller (legitimate interests/data portability)

Exemptions

There are certain situations where one or more of the data subject rights will simply not apply. For example, a suspected criminal under police investigation cannot be granted access to their file.

EU countries have all implemented their own national data protection law, based on the GDPR. Each has slightly different exemptions. For example, the UK's Data Protection Act 2018 restricts the data subject rights in certain contexts related to immigration control.

The exemptions are unlikely to be relevant for your purposes as a developer, but you should get to know the relevant national laws just in case.

Requesting ID

It's fine to request that a person provides you with some form of ID before you carry out their request. If they don't provide it, you might be justified in refusing the request.

You must be reasonable in your request for ID. Don't be obstructive.

If you have asked a person for ID, the one-month deadline begins once you've received it.

Key Takeaways from This Chapter

The data subject rights are one of the most important aspects of the GDPR. It's down to you to either facilitate (in the case of a data controller) or help facilitate (in the case of a data processor) these rights. There are serious consequences for companies that fail to do this.

  • Be transparent about the data subject rights. Make people aware of their rights in your Privacy Policy and at key points when you collect their personal data.
  • Be ready to comply. Make sure people in your company know what a data subject right request looks like.
  • Make sure you are actually required to carry out a request before you do so.
  • Provide functions within your website or app that allow a user (or data controller) to access their rights directly, so that they don't need to contact you with this request.
  • Remember that you may have to facilitate rights for non-users, too.