User Rights Developers Need To Know
The data subject rights are a way for individuals to maintain maximum control over their personal data. They are a cornerstone of the GDPR and deeply empowering for individuals in the EU.
However, facilitating data subject rights requests can represent something of a burden for a business. In this chapter, you'll be learning how to reduce this burden by being prepared and having the right systems in place.
Data Subject Rights
These are the eight data subject rights:
- The right to be informed
- The right of access
- The right to rectification
- The right to erasure
- The right to restrict processing
- The right to data portability
- The right to object
- Right related to automated decision-making
Individuals can exercise their data subject rights simply by contacting you and making a coherent request.
Each of the data subject rights has different rules associated with it. However, certain conditions are common to most of the rights:
- You must normally comply with any request
- You may not normally charge data subjects for exercising their rights
- You may ask for ID
- You must respond "without undue delay." Normally, you have a maximum of one calendar month to respond. A further two-month extension can apply in complex cases
You'll notice there is a "normally" in some of the points above. Like with practically everything in the GDPR, there are exceptions. We'll look at these towards the end of this chapter.
The Role of Data Processors
Data subject rights are largely a data controller's responsibility. A data processor must not respond directly to data subjects who have made a request; the relevant sections of the GDPR are addressed to data controllers.
However, data processors still play an important role when it comes to data subject rights. For instance, they are required to:
- Inform data controllers if they have received a request (allowing the controller to respond)
- Assist the data controller in retrieving, modifying or erasing the relevant personal data
Data processors should also:
- Develop data processing systems in such a way that data subjects and/or data controllers can control personal data (front end)
- Ensure that their databases and systems maintain personal data in such a way that it can be easily accessed or modified when required (back end)
Dealing with Data Subject Rights
Your users could be in contact at any moment to request copies of, delete, or make amendments to, their personal data. This should keep your data processing practices in check.
There are two ways to significantly reduce the amount of work you'll have to do in relation to data subject rights requests:
- Collect and store as little personal data as possible
- Have your users do the work themselves.
"Catch All" Approaches
We're going to look at some specific solutions and considerations in relation to each data subject right. But first, it's worth noting that many companies provide a "catch all" method that allows data subjects to access most or all of their rights in one place.
Bare Minimum
Here's an example of this "bare minimum" approach from Tahola. First, Tahola lists the data subject rights:
Then a contact email address is provided for those who wish to exercise their rights:
This is not an ideal solution from your users' perspective, and it's actually probably not going to be the most efficient method from your perspective, either.
Even if you're looking at other solutions, you should still let people know that they can email you if they want to make a data subject rights request. This ensures you're covering all bases.
Multi-purpose Form
You may sometimes receive illegible, confusing or invalid requests. You can reduce the possibility of this by asking people to make their requests in a specific format. This could save you a lot of back-and-forth with your users, and it also makes things easier from their perspective.
Here's Danone's "catch-all" solution. After an individual fills in their identity and contact details, they are presented with this web form:
A form like this should help make sure you receive coherent, actionable data subject rights requests.
Privacy Dashboard
The ideal solution is to provide your users with account controls or a "privacy dashboard" that will allow them to access and modify personal data directly.
Facebook offers its users a range of account controls. Many of these correlate with the GDPR's data subject rights. Here's the "Your Facebook Information" screen in Facebook's settings:
These options allow users to directly exercise a number of their rights.
Choosing "Managing your information" leads to a series of other options, which satisfy other data subject rights:
For all of Facebook's controversies around privacy, this is a great example of how to hand personal data control to your users.
Bear in mind, however, that if you provide account controls to your users, you must still respond to requests from individuals who do not have an account with your company.
Let's take a look at some different considerations and approaches in respect of the individual data subject rights.
Right to Be Informed
If anything is missing from your public-facing privacy information, or if users want a greater level of detail about how you treat personal data, they can make a request under the right to be informed.
If you're a data controller, your obligations under the right to be informed are to:
- Make sure this information is made available to individuals at key points (e.g. when you collect personal data from them, and when you communicate with them using that personal data).
- If you have obtained personal data from another source, provide the data subjects with all relevant information within one month (unless it would involve a disproportionate effort to do so).
Data processors must offer all requisite information to their data controllers, and be rigorous in their record-keeping.
Fulfilling the Right to Be Informed
The Article 29 Working Party suggests taking a "layered approach" to providing individuals with privacy information. Consider all the different ways you can provide this information and how you can make it easy for individuals to access it.
Here's how Silktide does this:
And here's an example from Goal Click:
Here's how Goverlan does this:
Here's an example from Matomo:
Right of Access
The right of access requires you to provide users with a copy of any personal data you hold on them. This is probably the most commonly exercised of the data subject rights, and you should make sure it's a simple process for you and your users.
Failing to comply with a "subject access request" can lead to big problems for your company.
It's important to remember that the personal data covered by subject access requests might not reside in neatly arranged databases.
The types of personal data you need to provide could include:
- Emails (including internal emails) that mention or could identify a person
- Log data
- Chat logs
- Phone records
- Access records (e.g. occasions on which a user logged into their account)
- Information associated with behavioral advertising
- Confirmation of whether or not you're processing a person's personal data
Here are some things to think about in respect of the right of access:
- Make sure you have data minimization locked down, so the amount of data you're required to provide users with is kept to a minimum.
- Conduct a data audit to ensure you know where customer data is "hiding."
- Consider using a Content Services Platform (CSP) if you keep voluminous records for each user. This can help you centralize access to all personal data associated with a given user.
- Ensure that everyone within your company can recognize a subject access request, and knows what to do when they receive one.
These considerations apply equally to data controllers and data processors.
Although data processors won't be providing personal data to a user directly, they must provide it to the data controller on demand.
Data processors must be aware that the controller has one month maximum to respond to the request, and this includes the time they spend communicating with the data processor. Stalling, delaying, or providing incomplete records is an easily avoidable way for a data processor to lose clients.
Facilitating Requests for Access
Where you can provide personal data to a user up-front, make it easy for them to access it directly via account controls. This should reduce the number of actual subject access requests you receive. This is a common feature for websites and apps which allow users to create an account.
Account controls will generally allow access to personal data that the user provided your company in the first place. It might include:
- Account details
- Contact details
- Post or comment history
Within an account, you could offer a menu of options such as the following:
Any of this information could constitute personal data, and there is no reason not to give the user direct access to it.
Providing something like an "Access Tool" can give extensive, instant access to personal data associated with an account. Here's some of the information a user could access:
Remember, though, that you still need a way to respond to subject access requests for non-account holders. Many organizations provide a subject access request form specifically for facilitating the right of access. This could be a secure web form, or a downloadable document that can be sent to you via email.
Here's an example:
Right to Rectification
The right to rectification allows individuals to request that any inaccurate data held on them is corrected. This is in accordance with the GDPR's principle of accuracy.
Allowing users to keep their personal data accurate and up-to-date works for everyone's benefit. It can even reduce the likelihood of a data breach occurring. For example, having mismatched contact details on file can cause personal data to be sent to the wrong person.
The right to rectification is important in ensuring confidentiality and minimizing unwanted contact.
Here are some things to think about in respect of the right to rectification:
- The more personal data you collect, the more likely you are to be storing inaccurate personal data. This is relevant to the principle of data minimization.
- The older the data is, the more likely it is to be inaccurate. People move house, get new email addresses, they could change their name, title, or gender identity. This is one of many reasons to ensure you comply with the principle of storage limitation.
- Depending on the context of your business, a Customer Relationship Management system can be particularly helpful in allowing your users to take ownership over their personal data.
You're responsible for communicating the changes to any third parties with whom you have shared the personal data. This is particularly important for data controllers working with data processors, but it could also apply to data processors working with subprocessors.
You don't have to change personal data if you are certain that the personal data is correct. You must justify your decision and let the individual know why you have come to this decision.
Facilitating Requests for Rectification
Again, your obligations under the right to rectification can be partly met by user account controls.
Let's look at an example from Pinterest. A simple "edit" icon is included as part of the main profile page:
Clicking on this icon directs users to an account overview, where they can change personal details associated with their account:
And here's how this looks in the Pinterest mobile app. First, the settings menu:
Then, the "Edit profile" screen itself after clicking:
Pinterest collects only very basic user information, but you can extend this principle as far as is appropriate for your users.
Right to Erasure
The right to erasure is also known as the "right to be forgotten." It ties in closely with the principle of storage limitation.
People have a right to request that you delete any personal data you are holding on them. But this is not an absolute right.
Rather than listing the exceptions to the right to erasure, it's actually easier to list the situations in which you will need to comply.
You must comply with this request if one of the following applies:
- You're relying on the person's consent to store this personal data, and the individual wishes to withdraw their consent.
- You're relying on legitimate interests to store this personal data, and the individual's interests in having the data deleted outweigh your interests in storing it.
- You're holding the personal data in connection with direct marketing, and the individual has registered their objection to this.
- You collected or are using the personal data in an unlawful way.
- You don't need the personal data anymore for the purpose for which you collected it.
- The person has a legal right to have the personal data erased.
You must be especially willing to comply with requests from children (or their guardians), or in relation to personal data that was collected from an individual when they were a child.
The GDPR protects your right to freedom of speech. You don't always have to erase personal data in the public domain simply because a person doesn't like what you have written about them.
Here are some things to think about in respect of the right to erasure:
- You should make a habit of deleting data that is no longer necessary. This is relevant to the principle of storage limitation.
- If you're asked to erase personal data, you must also erase backups of that data.
- In your initial response to the individual, you must ensure that they understand the implications of their request (without trying to dissuade them).
- When complying with a request for erasure, it isn't normally enough to simply archive the personal data. Identifiers must be completely overwritten where possible.
- If you genuinely cannot delete personal data following an erasure request, for example because it would require you to delete an entire batch including other people's personal data, you must do your best to put it beyond use. This may mean that you have to resort to a form of archiving.
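The three erasure points above (delete the live record, erase it from backups, and put a record beyond use when it sits in a batch you cannot delete) can be handled in one small routine. The following is an added example, not code from the original page; the store layout, field names, sample records and the backup-ledger approach are all assumptions made for the illustration.

```python
# Added example, not code from the original page: an erasure routine that
# deletes a user's row, a "put beyond use" fallback for a shared batch that
# cannot be deleted without losing other people's data, and a ledger so the
# erasure is replayed when an older backup is restored. Every store, field
# name and sample record here is constructed for the example.
import copy
from datetime import datetime, timezone

# Fields that identify a person; these are what we overwrite.
IDENTIFIER_FIELDS = ("user_id", "email", "name", "phone")
TOMBSTONE = "[erased]"


def make_sample_data():
    """Constructed sample data: a user table, a shared monthly batch, and a backup."""
    users = {
        "u-1001": {"email": "alice@example.org", "name": "Alice Smith",
                   "phone": "+44 20 7946 0000", "plan": "pro"},
        "u-1002": {"email": "bob@example.org", "name": "Bob Jones",
                   "phone": "+44 20 7946 0001", "plan": "free"},
    }
    # One batch holds rows on several people; deleting the whole file would
    # destroy Bob's data as well, so Alice's row is put beyond use instead.
    monthly_report = {
        "period": "2019-03",
        "rows": [
            {"user_id": "u-1001", "email": "alice@example.org", "spend": 42.0},
            {"user_id": "u-1002", "email": "bob@example.org", "spend": 10.0},
        ],
    }
    # A snapshot taken before the erasure request: it still contains Alice.
    backup = {"name": "snap-2019-03-31", "users": copy.deepcopy(users)}
    return users, monthly_report, backup


def erase_user(users, user_id):
    """Delete the user's row outright. Returns True if a row was removed."""
    return users.pop(user_id, None) is not None


def put_beyond_use(batch, user_id):
    """Overwrite every identifier of user_id inside a shared batch and flag the
    row so that routine processing skips it. Non-identifying values (here the
    spend figure) stay, so aggregate totals for the period are unaffected.
    Returns the number of rows touched."""
    touched = 0
    for row in batch["rows"]:
        if row.get("user_id") != user_id:
            continue
        for field in IDENTIFIER_FIELDS:
            if field in row:
                row[field] = TOMBSTONE
        row["beyond_use"] = True
        touched += 1
    return touched


def processable_rows(batch):
    """The only view routine processing should read: beyond-use rows are excluded."""
    return [row for row in batch["rows"] if not row.get("beyond_use")]


def ledger_entry(user_id, backups):
    """Record which backup snapshots still hold the user, so the erasure can be
    replayed before any of them is restored."""
    return {
        "user_id": user_id,
        "requested_at": datetime.now(timezone.utc).isoformat(),
        "pending_backups": [b["name"] for b in backups if user_id in b["users"]],
    }


def restore_backup(backup, ledger):
    """Restore a snapshot, replaying outstanding erasures so that an erased
    person does not reappear from a backup taken before their request."""
    restored = copy.deepcopy(backup["users"])
    for entry in ledger:
        if backup["name"] in entry["pending_backups"]:
            restored.pop(entry["user_id"], None)
    return restored


if __name__ == "__main__":
    users, report, backup = make_sample_data()
    ledger = [ledger_entry("u-1001", [backup])]
    erase_user(users, "u-1001")
    put_beyond_use(report, "u-1001")
    print(sorted(users))                          # ['u-1002']
    print(processable_rows(report))               # only Bob's row
    print(sorted(restore_backup(backup, ledger))) # ['u-1002']
```

The ledger is the part people forget: a backup you cannot rewrite in place still has to have the erasure applied the moment it is restored, otherwise the person "comes back" weeks later. The beyond-use row keeps its non-identifying figures, which is what lets the batch survive while the identifiers are gone.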
Facilitating Requests for Erasure
If you allow users to create an account, you should make it as easy as possible for them to delete it.
It can be painful to lose customers in this way. But if people are not allowed to erase their personal data easily, they may become frustrated and suspicious.
This can be as simple as offering a link in a menu that lets the user delete the account:
If you're going to ask users to give a reason for deleting their account, then you must include an "other" or "rather not say" option. Individuals do not need to justify their decision to exercise their data subject rights.
You should explain briefly what will happen when the account is deleted. Adding an option to simply deactivate the account may help with customer retention:
Right to Restrict Processing
The right to restrict processing allows individuals to limit how you process their personal data. Restricted personal data can still be stored, but cannot be processed in any other way.
Personal data might also be "restricted" if a user has asked to exercise their right to erasure or rectification, and you're waiting for them to provide ID. This puts processing on pause.
Here are some things to consider in respect of the right to restrict processing:
- You need to have a way to distinguish personal data that has been restricted. You could have a separate, inactive system for storing restricted personal data.
- Develop a way to render restricted personal data inaccessible to users, and only accessible to certain staff in your company.
- You may need to temporarily take content down from your website. Consider the measures you can take to secure this data in the meantime.
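One way to meet the three points above (a distinct place for restricted data, no access for ordinary code paths and users, access only for a few staff roles) is a store with a separate inactive bucket and a single read path. This is an added example and not code from the original page; the role names, field names and sample records are assumptions made for the illustration.

```python
# Added example, not code from the original page: a store that keeps
# restricted records in a separate inactive bucket, refuses to hand them to
# ordinary code paths, drops them from public views, and logs every access by
# the few staff roles allowed to see them. Roles, field names and sample
# records are assumptions made for this example.
from datetime import datetime, timezone


class RestrictedError(PermissionError):
    """Raised when ordinary processing tries to read a restricted record."""


class PersonalDataStore:
    # Staff roles that may still read restricted data (assumed for the example).
    PRIVILEGED_ROLES = frozenset({"dpo", "legal"})

    def __init__(self, records):
        self.active = dict(records)   # normal, processable records
        self.restricted = {}          # separate inactive bucket: stored, not processed
        self.audit = []               # who touched restricted data, and why

    def restrict_processing(self, user_id, reason, actor):
        """Move a record out of the active store. The data is kept, not deleted."""
        record = self.active.pop(user_id)
        self.restricted[user_id] = {
            "data": record,
            "reason": reason,
            "since": datetime.now(timezone.utc).isoformat(),
            "by": actor,
        }
        self.audit.append(("restrict", user_id, actor, reason))

    def lift_restriction(self, user_id, actor):
        """Return a record to normal processing, e.g. once a disputed value is settled."""
        entry = self.restricted.pop(user_id)
        self.active[user_id] = entry["data"]
        self.audit.append(("lift", user_id, actor, entry["reason"]))

    def read(self, user_id, actor_role):
        """Single read path for application code. Restricted records are only
        returned to privileged roles, and every such read is logged."""
        if user_id in self.active:
            return self.active[user_id]
        if user_id in self.restricted:
            if actor_role not in self.PRIVILEGED_ROLES:
                raise RestrictedError(f"{user_id} is under restriction of processing")
            self.audit.append(("read", user_id, actor_role, "restricted read"))
            return self.restricted[user_id]["data"]
        raise KeyError(user_id)

    def public_profiles(self):
        """Content shown on the website: restricted people are taken down."""
        return sorted(r["display_name"] for r in self.active.values() if r.get("public"))


def make_sample_store():
    """Constructed sample records for the example."""
    return PersonalDataStore({
        "u-1": {"display_name": "alice", "email": "alice@example.org", "public": True},
        "u-2": {"display_name": "bob", "email": "bob@example.org", "public": True},
    })


if __name__ == "__main__":
    store = make_sample_store()
    store.restrict_processing("u-1", "accuracy disputed, awaiting ID", actor="support-7")
    print(store.public_profiles())          # ['bob']
    try:
        store.read("u-1", actor_role="marketing")
    except RestrictedError as err:
        print("blocked:", err)
    print(store.read("u-1", actor_role="dpo")["email"])
```

Routing every read through one method is what makes the restriction enforceable: a marketing job that queries the active table directly would silently bypass it, so the active table should not be reachable except through `read`.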
The European Commission provides the following example of when a restriction of processing would be appropriate:
Facilitating Requests for Restriction of Processing
The right to restrict processing is somewhat obscure for most people's purposes. If you get requests for restriction of processing, these are likely to be part of a wider request involving other rights.
However, there are contexts in which you will want to provide an easy way for your users to exercise this right. It is possible to build this functionality into the front end of a website or app.
Right to Data Portability
The right to data portability allows individuals to take true ownership of their personal data. To comply with a request for data portability, you must offer the users a copy of their personal data in a well-organized, commonly used format, so they can transfer it to another data controller if they choose to do so. You should even try to carry out this transfer yourself if they ask you to.
The right to data portability is closely linked to the right of access, but there are key differences:
| | Right of access | Right to data portability |
|---|---|---|
| Source of personal data | Can apply to personal data received from any source. | Only applies to personal data received directly from the user. |
| Type of personal data | All personal data. | Excludes paper files. |
| Format of personal data | No restrictions, except that the personal data must be provided in a "commonly used electronic form" when the request has been made by "electronic means" (e.g. via email or a web form). | Must be a "structured, commonly used and machine-readable format." |
| Legal bases | Applies by default under all legal bases. | Only applies where the personal data is being processed under consent or contract. |
Here are some things to consider in respect of the right to data portability:
- You need to include all personal data in your possession that you've collected directly from the individual in question. This might include their:
  - Contact details
  - Account search history
  - Location data
  - Previous contact details
- You should supply this personal data in an open file format such as CSV, XML, or JSON.
- If a user requests that you transfer their personal data to another data controller, you should try to find a way of doing this. However, if it's not possible, you can decline this part of their request.
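The difference between the two rights in the table above comes down to provenance: access returns everything you hold from any source, portability returns only what came from the user, in an open format. The following is an added example and not code from the original page; the provenance categories, field names and sample values are assumptions for the illustration, and activity data such as search history and location is counted as received from the user because the page lists both among the data to include.

```python
# Added example, not code from the original page: one user record whose
# fields are tagged with how they were obtained, with an access copy that
# returns everything and a portability export that keeps only what the user
# provided directly. Provenance categories and sample values are assumptions
# for this example; activity data (searches, location) counts as received
# from the user, matching the page's own list.
import csv
import io
import json

PROVIDED = "provided"        # typed in by the user: contact details, profile
OBSERVED = "observed"        # generated by the user's own activity: searches, location
INFERRED = "inferred"        # derived by us: scores, segments
THIRD_PARTY = "third_party"  # received from another source

PORTABLE = {PROVIDED, OBSERVED}

# Constructed sample record: field -> (value, provenance).
USER_RECORD = {
    "email": ("alice@example.org", PROVIDED),
    "previous_email": ("a.smith@example.net", PROVIDED),
    "search_history": (["running shoes", "rain jacket"], OBSERVED),
    "last_location": ({"lat": 51.5074, "lon": -0.1278}, OBSERVED),
    "churn_risk": (0.71, INFERRED),
    "credit_band": ("B", THIRD_PARTY),
}


def access_copy(record):
    """Right of access: every field we hold, with its source, plus confirmation
    that we are processing this person's data at all."""
    return {
        "processing_confirmed": bool(record),
        "data": {name: {"value": value, "source": source}
                 for name, (value, source) in record.items()},
    }


def portability_export(record):
    """Right to data portability: only data received directly from the user,
    with no derived or third-party fields."""
    return {name: value for name, (value, source) in record.items() if source in PORTABLE}


def to_json(export):
    """Structured, commonly used, machine-readable: JSON with stable key order."""
    return json.dumps(export, indent=2, sort_keys=True, ensure_ascii=False)


def to_csv(export):
    """Same data as a two-column CSV; nested values are serialised as JSON
    strings so the file stays one row per field."""
    buf = io.StringIO()
    writer = csv.writer(buf)
    writer.writerow(["field", "value"])
    for name in sorted(export):
        value = export[name]
        if not isinstance(value, str):
            value = json.dumps(value, sort_keys=True)
        writer.writerow([name, value])
    return buf.getvalue()


if __name__ == "__main__":
    print(to_json(portability_export(USER_RECORD)))
    print(to_csv(portability_export(USER_RECORD)))
    print(sorted(access_copy(USER_RECORD)["data"]))
```

Tagging provenance at write time is the design choice that matters: if the record does not say where a field came from, the portability export cannot be produced without a manual review of every column, which is exactly the "data audit" work the right of access section warns about.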
Facilitating Requests for Data Portability
Some social networks have set up automated systems that make it easy for them to fulfill a request for data portability.
Let's take a look at Instagram's method. Users can navigate to a "Your activity" menu with an option to "Download your information:"
After a short delay while the file is prepared, Instagram emails the user with the relevant information.
Right to Object
The right to object gives individuals a high degree of control over the ways in which their personal data is processed. Individuals can request you to stop processing their personal data in a particular way.
Technically speaking, the right to object is used to object to processing carried out on the grounds of legitimate interests and public tasks. However, practically speaking, it's also helpful to consider the withdrawal of consent as an objection to processing.
If an individual originally consented for you to process their personal data in a particular way, they may also withdraw their consent at any time. The "right to withdraw consent" is, in this context, analogous to the "right to object."
The right to object is mostly about direct marketing. There are other contexts in which the right to object can be invoked, and it can be helpful to think about the right to object in any areas where you're relying on consent.
The right to object to receiving direct marketing is absolute. If you're directly marketing to an individual, regardless of your legal basis for doing so, you must stop if requested.
Here are things to consider in respect of the right to object:
- At the point that you collect a user's personal data, you must inform them about any rights to object or withdraw consent.
- You should make absolutely sure you do not send marketing material, in any format, to anyone who has withdrawn consent or, if you're relying on legitimate interests, opted out.
- The right to object applies to all non-essential cookies, even where they aren't being used for ads. If you're going to refuse an objection, and persist in placing cookies on a user's device, then you must be able to demonstrate an overriding legitimate interest.
Data processors, such as email marketing companies, play an important role here. They must provide their data controllers with an efficient way to alert them about any users who have objected to receiving marketing.
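The "make absolutely sure you do not send" point above, together with the processor's duty to report objections back to the controller, is usually implemented as a suppression list that every outbound send is checked against. The following is an added example and not code from the original page or any real email service; the message categories, channels, sample addresses and the rule that essential account notices carry no opt-out are assumptions made for the illustration.

```python
# Added example, not code from the original page: a suppression list that
# records objections and withdrawn consent, a gate every outbound send must
# pass, and the feed a processor (say, an email marketing service) would hand
# back to its controller. Message categories and sample addresses are
# assumptions for this example.
from datetime import datetime, timezone

# Message categories and their class (assumed for the example). A marketing
# objection is honoured regardless of legal basis; non-essential service mail
# can be opted out of per category; essential account notices have no opt-out.
CATEGORIES = {
    "promo": "marketing",
    "newsletter": "marketing",
    "activity_digest": "service",
    "security_alert": "essential",
}


def normalize(email):
    """Compare addresses case-insensitively and ignore surrounding whitespace."""
    return email.strip().lower()


class SuppressionList:
    def __init__(self):
        self.entries = {}   # email -> {category or class: record}
        self.log = []       # append-only ledger of objections, oldest first

    def record_objection(self, email, category, source, at=None):
        """Called from an unsubscribe link, a preference page or a written
        request. category may be a single message category or a whole class
        such as 'marketing' (every marketing category at once)."""
        at = at or datetime.now(timezone.utc)
        email = normalize(email)
        record = {"category": category, "source": source, "at": at}
        self.entries.setdefault(email, {})[category] = record
        self.log.append({"email": email, **record})

    def may_send(self, email, category):
        """Gate for every outbound message. Essential account mail always
        passes; anything else is blocked by a matching category or class opt-out."""
        kind = CATEGORIES[category]
        if kind == "essential":
            return True
        opted_out = self.entries.get(normalize(email), {})
        return category not in opted_out and kind not in opted_out

    def filter_recipients(self, recipients, category):
        """Split a send list into (allowed, suppressed) before it reaches the sender."""
        allowed, suppressed = [], []
        for email in recipients:
            (allowed if self.may_send(email, category) else suppressed).append(email)
        return allowed, suppressed

    def objections_since(self, since):
        """What a processor reports back to its controller: every objection
        recorded after the controller's last sync."""
        return [entry for entry in self.log if entry["at"] > since]


def make_sample_list():
    """Constructed sample: two objections recorded on known dates."""
    sl = SuppressionList()
    sl.record_objection("Alice@Example.org", "marketing", "unsubscribe link",
                        at=datetime(2021, 5, 1, tzinfo=timezone.utc))
    sl.record_objection("bob@example.org", "activity_digest", "notification settings",
                        at=datetime(2021, 6, 1, tzinfo=timezone.utc))
    return sl


if __name__ == "__main__":
    sl = make_sample_list()
    print(sl.filter_recipients(["alice@example.org", "bob@example.org", "carol@example.org"], "promo"))
    print(sl.objections_since(datetime(2021, 5, 15, tzinfo=timezone.utc)))
```

The gate sits in front of the sender, not in the campaign tool, so a new campaign or a re-imported list cannot reach someone who opted out; the `objections_since` feed is what a processor hands its controller so the controller's own records (and any other processors) stay in step.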
Facilitating Requests Under the Right to Object
Where you're relying on legitimate interests, it can sometimes be tricky to offer users an up-front way to exercise their right to object. But there is one context in which this is very simple, and absolutely crucial. You must include an unsubscribe link in all marketing emails.
Here's an unsubscribe link in an email from Entrepreneurs HQ:
You could also provide unsubscribe options for non-essential "service" or "transactional" emails.
For example, you can offer different email notification options like so:
This isn't direct marketing, but it does involve the processing of personal data, and therefore might still be subject to a request under the right to object.
Rights Related to Automated Decision-Making and Profiling
Individuals have a right not to be subject to purely automated decision-making in certain circumstances. You should check Article 22 of the GDPR and guidance from the ICO to see if this applies to your company.
Exceptions to the Rights
We've looked at how you can serve the needs of your users in relation to their data rights.
As a data controller, the default position should be that you will be required to facilitate data subject rights requests. But there are many reasons why you might not have to comply with a data subject rights request.
Whenever you refuse to comply with a request, you must keep a record of your decision. You must also inform the individual in writing of the reasons for your decision, and let them know that they have the right to make a complaint with a Data Protection Authority, or go to court.
Manifestly Unfounded or Excessive Requests
The GDPR recognizes that some data subject rights requests might be unreasonable, or "manifestly unfounded or excessive."
This exception can apply in respect of the rights of access, erasure, rectification, restriction of processing, data portability, and, except in the context of direct marketing, the right to object.
The UK Bar Council (an organization that regulates UK lawyers) suggests that you might consider the following factors when deciding whether a request is "manifestly unfounded or excessive":
- The number of repeat requests that have been made
- The nature of the personal data requested
- The purpose for which you're processing the personal data
- The frequency with which the personal data changes (for example, if the data has not changed between repeated access requests, you may be justified in not providing a copy of the same personal data several times)
If you decide that a request is unreasonable, you can:
- Charge a reasonable fee
- Refuse to carry out the request
You might also be justified in exceeding the one-month deadline if you are trying to comply with such a request.
You must be able to justify your decision to refuse or charge for a request.
Legal Basis
If you're processing personal data on certain lawful bases, you may not be required to comply with certain data subject rights requests.
None of the rights are absolute on any legal basis, but here are some of the more straightforward exceptions, based on guidance from the ICO.
A tick indicates that you normally will need to comply, a cross indicates that you normally will not need to.
| Legal basis | Right to erasure | Right to data portability | Right to object |
|---|---|---|---|
| Consent | ✔ | ✔ | The data subject may withdraw their consent |
| Contract | ✔ | ✔ | Only applies in the context of direct marketing |
| Legitimate interests | ✔ | ✗ | Unless there remains an overriding legitimate interest for the processing |
These exceptions make sense in context. For example:
- If you're required to share someone's personal data with the police, the individual cannot stop you from doing this (legal obligation/right to object)
- If a tax authority holds a person's name and address, they can't be asked to delete them (public interest/right to erasure)
- If a company has logged someone's contact details and correspondence in connection with the prevention of fraud, it wouldn't be appropriate to provide the person with a copy of this data in a portable format so that it can be transferred to another data controller (legitimate interests/data portability)
Exemptions
There are certain situations where one or more of the data subject rights will simply not apply. For example, a suspected criminal under the investigation of the police cannot be granted access to their file.
EU countries have all implemented their own national data protection law, based on the GDPR. Each has slightly different exemptions. For example, the UK's Data Protection Act 2018 restricts the data subject rights in certain contexts related to immigration control.
The exemptions are unlikely to be relevant for your purposes as a developer, but you should get to know the relevant national laws just in case.
Requesting ID
It's fine to request that a person provides you with some form of ID before you carry out their request. If they don't provide it, you might be justified in refusing the request.
You must be reasonable in your request for ID. Don't be obstructive.
If you have asked a person for ID, the one month deadline period begins once you've received it.
Key Takeaways from This Chapter
The data subject rights are one of the most important aspects of the GDPR. It's down to you to either facilitate (in the case of a data controller) or help facilitate (in the case of a data processor) these rights. There are serious consequences for companies that fail to do this.
- Be ready to comply. Make sure people in your company know what a data subject rights request looks like.
- Make sure you are actually required to carry out a request before you do so.
- Provide functions within your website or app that allow a user (or data controller) to access their rights directly, so that they don't need to contact you with this request.
- Remember that you may have to facilitate rights for non-users, too.