What are your client’s rights?
Understanding the rights of data subjects is fundamental to GDPR compliance.
The General Data Protection Regulation (GDPR) gives data subjects (i.e. your clients) a range of new data protection rights and strengthens others. In this article, we explore these new rights and how you’ll need to uphold them.
Right to Erasure (also known as ‘Right to be Forgotten’)
The data subject has a right to have all their personal data removed where:
- It’s no longer necessary for the reason it was collected
- They’ve withdrawn consent, and there are no other legal grounds
- They’ve objected to the processing of their data and there are no other legal grounds
- It’s been handled unlawfully
- It has to be erased for legal reasons.
If you’re obliged to erase the data, you’ll need to take all reasonable steps to do so, including informing other controllers who use the data of the request.
Individuals can make a request for erasure verbally or in writing and you have one month to respond to a request.
Right to data portability
The data subject has a right to receive information in a structured, commonly-used format, but only where:
- The data subject has actually provided information themselves, and
- It’s being used as a result of consent or required to perform a contract and the processing is automated.
Right to restrict processing
The data subject can tell the controller to restrict the processing of their data if:
- They’re challenging its accuracy
- The processing is unlawful
- The controller no longer needs it for the purposes it was first intended, but still plans to exercise or defend a legal claim
- The legitimate grounds for holding it haven’t been verified.
When processing is restricted, you are permitted to store the personal data, but not use it. An individual can make a request for restriction verbally or in writing, and you have one calendar month to respond to a request.
Right of rectification
Data subjects have a right to have personal data corrected if it is inaccurate or incomplete. If you have passed this personal data to third parties, you must inform them of the rectification where possible. As part of this rectification, you’ll also need to inform the individuals about the third parties you’ve passed their personal data to.
An individual can make a request for rectification verbally or in writing, and you have one calendar month to respond to a request.
Rights in relation to automated decision making and profiling
Article 22 of the regulations has additional rules to protect data subjects if you are carrying out solely automated decision-making that has legal or similarly significant effects on them. You can only carry out this type of decision-making where the decision is:
- Necessary for the entry into, or performance of, a contract; or
- Authorised by Union or Member State law applicable to the controller; or
- Based on the individual’s explicit consent.
Right to be informed
Data subjects will need to be informed about the collection and use of their personal data, at the point that it’s collected. This includes the purpose(s) for processing their personal data, how long you’ll hold it for and who you’ll share it with.
The ICO refers to the above information as ‘privacy information’, and it should be contained in your Notices (read ‘Data Policy and Notices’).
If you obtain personal data from other sources, you must provide individuals with privacy information within a reasonable period of obtaining the data and no later than one month. There are a few circumstances when you do not need to provide people with privacy information, such as if an individual already has the information or if it would involve a disproportionate effort to provide it to them.
Strengthening Existing Rights
To use their personal data, controllers will need to gain consent from the data subject which is:
- Freely given
- Unambiguous (by way of a statement or clear affirmative action).
The GDPR sets a high standard for consent.
You can rely on this lawful basis if you need to process someone’s personal data to fulfil your contractual obligations to them.
When gaining consent:
- Use clear and plain language
- Don’t assume – especially if it can’t be given for different processing operations or performance of a contract is conditional
- It must be given freely out of choice and may be refused or withdrawn without detriment. Note, pre-checked boxes can’t be considered as consent
- Confirm the identity of the data controller and the reason data is being collected
- Name any third-party controllers who will rely on the consent
- Make it easy for people to withdraw consent and tell them how
- Keep evidence of consent – who, when, how, and what you told people
- Keep consent under review, and refresh it if anything changes
- Avoid making consent to processing a pre-condition of a service
- Remember, you often won’t need consent. If consent is difficult, look for a different lawful basis. Also, keep your consent requests separate from other terms and conditions.
Right to object
A data subject can object to the processing of their personal data based upon their specific situation where it’s based on legitimate interests or it’s necessary to perform a task.
If the data subject objects, the controller can’t continue to use this data unless it can demonstrate:
- It has legitimate grounds which override the interests and freedoms of the subject, or
- It needs to use this information to establish or defend a legal claim.
Right of access - Data Subject Access Requests (SARs)
The right of access allows individuals to be aware of and verify the lawfulness of the processing. Under the GDPR, individuals will have the right to obtain confirmation that their data is being processed, access to their personal data and other supplementary information – this is what’s normally covered in your Privacy Notice.
A controller will need to provide information supplied by the data subject free of charge, without any delay, but certainly within one month. If there’s a really complex case, or there are several pieces of data held for the data subject, this might be extended to two months, but the subject needs to be informed of this and the reasons.
You can find out more about the rights of data subjects under GDPR on the ICO website.