Module 3: Individual Rights

Introduction

The General Data Protection Regulation (GDPR) gives data subjects eight rights in regard to their personal data. These rights are:

• The right to be informed

• The right of access

• The right to rectification

• The right to erasure

• The right to restrict processing

• The right to data portability

• The right to object

• Rights in relation to automated decision making and profiling

In this module we will look at these rights in detail.

The Right to be Informed

Individuals have the right to be informed about the collection and use of their personal data. This is a key transparency requirement under the GDPR.

When collecting personal data from individuals you must provide them with privacy information at the time of collection. If you obtain personal data from other sources, you must provide individuals with privacy information within a reasonable period of obtaining the data and no later than one month.

This privacy information must include your purposes for processing their personal data, your retention periods for that personal data and who it will be shared with. The information provided to data subjects must be concise, transparent, intelligible, easily accessible, and must use clear and plain language. Your privacy information must be reviewed and updated regularly, and any changes must be made clear to individuals before their data is processed for a new purpose.

There are a few circumstances in which you do not need to provide people with privacy information, such as when the individual already has the information or when providing it would involve disproportionate effort. Getting the right to be informed right helps you comply with other aspects of the GDPR and builds trust with people; getting it wrong can leave you open to fines and reputational damage.

It is often most effective to provide privacy information to people using a combination of different techniques including layering, dashboards, and just-in-time notices. User testing is a good way to get feedback on how effective the delivery of your privacy information is.

What to Provide

You should provide individuals you are collecting data from with the following privacy information:

• The name and contact details of your organisation

• The name and contact details of your organisation's representative (if applicable)

• The contact details of your data protection officer (if you have one)

• The purposes of the processing

• The lawful basis for the processing

• The legitimate interests for the processing (if applicable)

• The categories of personal data obtained (if the personal data is not obtained from the individual it relates to)

• The recipients or categories of recipients of the personal data

• The details of transfers of the personal data to any third-party countries or international organisations

• The retention periods for personal data

• The rights available to individuals in respect of the processing

• The right to withdraw consent

• The right to lodge a complaint with a supervisory authority

• The source of the personal data (if the personal data is not obtained from the individual it relates to)

• The details of whether individuals are under a statutory or contractual obligation to provide the personal data (if applicable, and if the personal data is collected from the individual it relates to)

• The details of the existence of automated decision-making, including profiling (if applicable)

When to provide privacy information

• Provide individuals with privacy information at the time you collect their personal data from them

• If you obtain personal data from a source other than the individual it relates to, you must provide them with privacy information:

– Within a reasonable period of obtaining the personal data and no later than one month;

– If you plan to communicate with the individual, at the latest, when the first communication takes place; or

– If you plan to disclose the data to someone else, at the latest, when the data is disclosed.

How to provide the information

Provide the information in a way that is:

• Concise

• Transparent

• Intelligible

• Easily accessible; and

• Uses clear and plain language

Changes to the privacy information

• You regularly review and, where necessary, update your privacy information.

• If you plan to use personal data for a new purpose, you update your privacy information and communicate the changes to individuals before starting any new processing.

Drafting the information

• You undertake an information audit to find out what personal data you hold and what you do with it.

• You put yourself in the position of the people you’re collecting information about.

• You carry out user testing to evaluate how effective your privacy information is.

Delivering the information

When providing your privacy information to individuals, use a combination of appropriate techniques, such as:

• A layered approach;

• Dashboards;

• Just-in-time notices;

• Icons; and

• Mobile and smart device functionalities.

The Right of Access

Under the GDPR individuals have the right to access their personal data and supplementary information so that individuals can be aware of and verify the lawfulness of processing.

Individuals will have the right to obtain:

• Confirmation that their data is being processed;

• Access to their personal data; and

• Other supplementary information – this largely corresponds to the information that should be provided in a privacy notice.

You can charge a reasonable fee when a subject access request is manifestly unfounded or excessive, or for further copies of information you have already provided; otherwise the information must be provided free of charge. Any fee must be based on the administrative cost of providing the information.

Where requests are manifestly unfounded or excessive, because they are repetitive, you can:

• charge a reasonable fee considering the administrative costs of providing the information; or

• refuse to respond – Where you refuse to respond to a request, you must explain why to the individual, informing them of their right to complain to the supervisory authority and to a judicial remedy without undue delay and at the latest within one month.

You must verify the identity of the person making the request using 'reasonable means'; the checks should be proportionate, so do not demand more personal data than you need to confirm who they are. If the request is made electronically, you should provide the information in a commonly used electronic format. The GDPR includes a best practice recommendation that, where possible, organisations should be able to provide remote access to a secure self-service system giving the individual direct access to his or her information. This will not be appropriate for all organisations, but in some sectors it may work well; such a system must authenticate the individual properly, because it exposes exactly the data an attacker impersonating them would want. The right to obtain a copy of information, or to access personal data through a remotely accessed secure system, should not adversely affect the rights and freedoms of others.

The Right to Rectification

The GDPR gives individuals the right to have their personal data rectified if it is inaccurate or incomplete.

If you have disclosed the personal data in question to others, you must contact each recipient and inform them of the rectification – unless this proves impossible or involves disproportionate effort. If requested, you must also inform the individuals about these recipients.

Requests for rectification must be responded to without undue delay and within one month. If the request is complex, or you have received a number of requests from the individual, this can be extended by a further two months, provided you tell the individual within one month of receipt and explain why the extension is necessary. Where you are not taking action in response to a request for rectification, you must explain why to the individual, informing them of their right to complain to the supervisory authority and to a judicial remedy.

There are certain things you should have in place when it comes to requests for rectification.

When preparing for requests for rectification:

• You know how to recognise a request for rectification and you understand when this right applies.

• You have a policy for how to record requests you receive verbally.

• You understand when you can refuse a request and are aware of the information you need to provide to individuals when you do so.

Complying with GDPR regulations when dealing with requests for rectification:

• You have processes in place to ensure that you respond to a request for rectification without undue delay and within one month of receipt.

• You are aware of the circumstances when you can extend the time limit to respond to a request.

• You have appropriate systems to rectify or complete information, or provide a supplementary statement

• You have procedures in place to inform any recipients if you rectify any data you have shared with them.

The Right to Erasure

The right to erasure is also known as ‘the right to be forgotten’. This right enables an individual to request the deletion or removal of personal data where there is no compelling reason for it to continue being processed.

The right to erasure does not provide an absolute 'right to be forgotten'.

Individuals have a right to have personal data erased and to prevent processing in specific circumstances:

• Where the personal data is no longer necessary in relation to the purpose for which it was originally collected/processed

• When the individual withdraws consent

• When the individual objects to the processing and there is no overriding legitimate interest for continuing the processing

• The personal data was unlawfully processed

• The personal data has to be erased in order to comply with a legal obligation

• The personal data is processed in relation to the offer of information society services to a child

Under the GDPR, this right is not limited to processing that causes unwarranted and substantial damage or distress. However, if the processing does cause damage or distress, this is likely to make the case for erasure stronger.

You can refuse to comply with a request for erasure where the personal data is processed for the following reasons:

• to exercise the right of freedom of expression and information;

• to comply with a legal obligation, or for the performance of a public interest task or the exercise of official authority;

• for public health purposes in the public interest;

• archiving purposes in the public interest, scientific or historical research, or statistical purposes; or

• the exercise or defence of legal claims.

How does the right to erasure apply to children’s personal data?

There are extra requirements when the request for erasure relates to children’s personal data, reflecting the GDPR emphasis on the enhanced protection of such information, especially in online environments.

If you process the personal data of children, you should pay special attention to existing situations where a child has given consent to processing and they later request erasure of the data (regardless of age at the time of the request), especially on social networking sites and internet forums. This is because a child may not have been fully aware of the risks involved in the processing at the time of consent.

Do I have to tell other organisations about the erasure of personal data?

If you have disclosed the personal data in question to others, you must contact each recipient and inform them of the erasure of the personal data – unless this proves impossible or involves disproportionate effort. If asked to, you must also inform the individuals about these recipients.

The GDPR reinforces the right to erasure by clarifying that organisations in the online environment who make personal data public should inform other organisations who process the personal data to erase links to, copies or replication of the personal data in question.

While this might be challenging if you process personal information online, for example on social networks, forums or websites, you must endeavour to comply with these requirements. There may be instances where organisations that process the personal data may not be required to comply with this provision because an exemption applies.

There are certain things you should have in place when it comes to requests for erasure.

When preparing for requests for erasure:

• You know how to recognise a request for erasure and you understand when the right applies.

• You have a policy for how to record requests you receive verbally.

• You understand when you can refuse a request and are aware of the information you need to provide to individuals when you do so.

Complying with GDPR regulations when dealing with requests for erasure:

• You have processes in place to ensure that you respond to a request for erasure without undue delay and within one month of receipt.

• You are aware of the circumstances when you can extend the time limit to respond to a request.

• You understand that there is a particular emphasis on the right to erasure if the request relates to data collected from children.

• You have procedures in place to inform any recipients if you erase any data you have shared with them.

• You have appropriate methods in place to erase information.

The Right to Restrict Processing

Individuals have the right to block or suppress processing of their personal data. When processing is restricted, you may store the personal data but must not process it further; you may also retain just enough information about the individual to ensure that the restriction is respected in future.

You will be required to restrict the processing of personal data in the following circumstances:

• When an individual contests the accuracy of the personal data, you should restrict the processing until you have verified the accuracy of the personal data.

• Where an individual has objected to the processing (where it was necessary for the performance of a public interest task or purpose of legitimate interests), and you are considering whether your organisation’s legitimate grounds override those of the individual.

• When processing is unlawful, and the individual opposes erasure and requests restriction instead.

• If you no longer need the personal data but the individual requires the data to establish, exercise or defend a legal claim.

Although this is distinct from the right to rectification and the right to object, there are close links between those rights and the right to restrict processing:

• if an individual has challenged the accuracy of their data and asked for you to rectify it (Article 16), they also have a right to request you restrict processing while you consider their rectification request; or

• if an individual exercises their right to object under Article 21(1), they also have a right to request you restrict processing while you consider their objection request.

Therefore, as a matter of good practice you should automatically restrict the processing whilst you are considering its accuracy or the legitimate grounds for processing the personal data in question.

You may need to review procedures to ensure you are able to determine where you may be required to restrict the processing of personal data.

If you have disclosed the personal data in question to others, you must contact each recipient and inform them of the restriction on the processing of the personal data – unless this proves impossible or involves disproportionate effort. If asked to, you must also inform the individuals about these recipients.

You must inform individuals when you decide to lift a restriction on processing.

You should use methods of restriction that are appropriate for the type of processing you are carrying out.

The GDPR suggests a number of different methods that could be used to restrict data, such as:

• temporarily moving the data to another processing system;

• making the data unavailable to users; or

• temporarily removing published data from a website.

It is particularly important that you consider how you store personal data that you no longer need to process but the individual has requested you restrict (effectively requesting that you do not erase the data).

There are certain things you should have in place when it comes to requests for restriction of processing.

• You know how to recognise a request for restriction and you understand when the right applies.

• You have a policy in place for how to record requests you receive verbally.

• You understand when you can refuse a request and are aware of the information you need to provide to individuals when you do so.

• You have processes in place to ensure that you respond to a request for restriction without undue delay and within one month of receipt.

• You are aware of the circumstances when you can extend the time limit to respond to a request.

• You have appropriate methods in place to restrict the processing of personal data on your systems.

• You have appropriate methods in place to indicate on your systems that further processing has been restricted.

• You understand the circumstances in which you can process personal data that has been restricted.

• You have procedures in place to inform any recipients if you restrict any data you have shared with them.

• You understand that you need to tell individuals before you lift a restriction on processing.

You must not process the restricted data in any way except to store it unless:

• you have the individual’s consent;

• it is for the establishment, exercise or defence of legal claims;

• it is for the protection of the rights of another person (natural or legal); or

• it is for reasons of important public interest.
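The restriction methods listed above all come down to the same thing: code that would normally use the data must not be able to reach it while the restriction stands. The following added example (Python; it is not part of this module, and the record store, purpose names and sample data are this example's own constructions) shows the restriction enforced at the point of access rather than recorded on a form. Every read states its purpose; reads for purposes outside the Article 18(2) exceptions are refused and logged; restricting a record returns the recipients you must notify; and the restriction cannot be lifted until the individual has been told.

```python
from dataclasses import dataclass, field
from enum import Enum
from typing import Dict, List


class Purpose(Enum):
    # Purpose names are this example's own, not terms from the GDPR text.
    STORAGE = "storage"
    CONSENT = "consent"                  # the individual has consented to this use
    LEGAL_CLAIMS = "legal_claims"        # establishment, exercise or defence of legal claims
    PROTECT_OTHERS = "protect_others"    # protection of another natural or legal person's rights
    PUBLIC_INTEREST = "public_interest"  # reasons of important public interest
    MARKETING = "marketing"              # ordinary business use: must stop while restricted


# Article 18(2): while restricted, the data may be stored and otherwise processed
# only for these purposes.
ALLOWED_WHILE_RESTRICTED = frozenset({
    Purpose.STORAGE, Purpose.CONSENT, Purpose.LEGAL_CLAIMS,
    Purpose.PROTECT_OTHERS, Purpose.PUBLIC_INTEREST,
})


class ProcessingRestricted(Exception):
    """Raised when code tries to use restricted data for a purpose that is not permitted."""


@dataclass
class SubjectRecord:
    subject_id: str
    data: Dict[str, str]
    recipients: List[str] = field(default_factory=list)  # organisations the data was disclosed to
    restricted: bool = False
    restriction_reason: str = ""
    audit: List[str] = field(default_factory=list)       # what was done to this record, in order


class RecordStore:
    """Hypothetical store in which every read passes through the restriction check."""

    def __init__(self) -> None:
        self._records: Dict[str, SubjectRecord] = {}

    def add(self, record: SubjectRecord) -> None:
        self._records[record.subject_id] = record

    def restrict(self, subject_id: str, reason: str) -> List[str]:
        """Flag the record; return the recipients who must be told about the restriction."""
        rec = self._records[subject_id]
        rec.restricted = True
        rec.restriction_reason = reason
        rec.audit.append(f"restricted: {reason}")
        return list(rec.recipients)

    def process(self, subject_id: str, purpose: Purpose) -> Dict[str, str]:
        """Return a copy of the data for `purpose`, or refuse if the record is restricted."""
        rec = self._records[subject_id]
        if rec.restricted and purpose not in ALLOWED_WHILE_RESTRICTED:
            rec.audit.append(f"refused: {purpose.value}")
            raise ProcessingRestricted(f"{subject_id} is restricted ({rec.restriction_reason}); "
                                       f"{purpose.value} is not a permitted purpose")
        rec.audit.append(f"processed: {purpose.value}")
        return dict(rec.data)

    def lift_restriction(self, subject_id: str, individual_informed: bool) -> None:
        """Lift the restriction only once the individual has been told it is being lifted."""
        if not individual_informed:
            raise ValueError("inform the individual before lifting the restriction")
        rec = self._records[subject_id]
        rec.restricted = False
        rec.restriction_reason = ""
        rec.audit.append("restriction lifted")


def demo() -> Dict[str, object]:
    """Walk a contested-accuracy restriction through the store using constructed data."""
    store = RecordStore()
    store.add(SubjectRecord("subj-001",
                            {"name": "A. Example", "postcode": "AB1 2CD"},   # constructed
                            recipients=["mailing-house.example", "credit-bureau.example"]))
    to_notify = store.restrict("subj-001", "accuracy of postcode contested")
    try:
        store.process("subj-001", Purpose.MARKETING)
        marketing_blocked = False
    except ProcessingRestricted:
        marketing_blocked = True
    legal = store.process("subj-001", Purpose.LEGAL_CLAIMS)      # still permitted
    try:
        store.lift_restriction("subj-001", individual_informed=False)
        lift_without_notice_refused = False
    except ValueError:
        lift_without_notice_refused = True
    store.lift_restriction("subj-001", individual_informed=True)
    after = store.process("subj-001", Purpose.MARKETING)
    return {"to_notify": to_notify, "marketing_blocked": marketing_blocked,
            "legal_claims_allowed": legal["name"] == "A. Example",
            "lift_without_notice_refused": lift_without_notice_refused,
            "marketing_after_lift": after["postcode"]}


if __name__ == "__main__":
    print(demo())
```

Routing every read through one gate is what makes the restriction auditable: the refusal is logged at the moment a marketing job tries to use contested data, rather than discovered later. In a real system the flag would live in the database and the gate in the data-access layer, so that no code path can reach the rows without stating a purpose.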

Right to Data Portability

The right to Data Portability allows individuals to obtain and reuse their personal data for their own purposes across different services. It enables consumers to take advantage of applications and services which can use this data to find them a better deal or help them understand their spending habits. It allows them to move, copy or transfer personal data easily from one IT environment to another in a safe and secure way, without hindrance to usability.

Some organisations in the UK already offer data portability through the Midata and similar initiatives which allow individuals to view, access and use their personal consumption and transaction data in a way that is portable and safe.

The right to data portability only applies:

• To personal data an individual has supplied to a controller

• Where the processing is based on the individual's consent or on the performance of a contract; and

• When processing is carried out by automated means.

How do I comply?

You must provide the personal data in a structured, commonly used and machine-readable form. Open formats include CSV files. Machine readable means that the information is structured so that software can extract specific elements of the data. This enables other organisations to use the data.

The information must be provided free of charge.

If the individual requests it, you may be required to transmit the data directly to another organisation if this is technically feasible. However, you are not required to adopt or maintain processing systems that are technically compatible with other organisations.

If the personal data concerns more than one individual, you must consider whether providing the information would prejudice the rights of any other individual.
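As an added example (Python; not from this module, using a constructed record set and field names of its own), the following shows one way to build a portability export that meets the points above: it applies only when the processing is automated and based on consent or contract, exports only data the individual supplied or generated by using the service and not scores the controller derived, drops items that identify another person unless you have decided that is appropriate, and writes the result as JSON or CSV. Treating observed activity data as data the individual "provided" is an assumption of the example, following the Article 20 wording rather than anything stated on this page.

```python
import csv
import io
import json
from typing import Dict, List

# Hypothetical row shape for this example: one row per data item, tagged with
# whose data it is, how it was obtained and whether it also identifies someone else.
Row = Dict[str, object]

# Constructed sample data for a fictitious service; not taken from any real system.
SAMPLE_ROWS: List[Row] = [
    {"subject_id": "s1", "field": "email", "value": "a@example.test",
     "provenance": "provided", "third_party": False},
    {"subject_id": "s1", "field": "transaction", "value": "2024-01-03|12.50|groceries",
     "provenance": "observed", "third_party": False},   # generated by using the service
    {"subject_id": "s1", "field": "risk_score", "value": "0.83",
     "provenance": "derived", "third_party": False},    # the controller's own inference
    {"subject_id": "s1", "field": "joint_account_holder", "value": "B. Other",
     "provenance": "provided", "third_party": True},    # identifies another individual
    {"subject_id": "s2", "field": "email", "value": "b@example.test",
     "provenance": "provided", "third_party": False},
]

# Assumption: data the individual supplied, plus data generated by their use of the
# service, counts as "provided by the data subject"; derived scores do not.
IN_SCOPE_PROVENANCE = frozenset({"provided", "observed"})
PORTABLE_FIELDS = ["field", "value", "provenance"]


def portability_applies(lawful_basis: str, automated: bool) -> bool:
    """The right applies only to automated processing based on consent or contract."""
    return automated and lawful_basis in {"consent", "contract"}


def select_portable(rows: List[Row], subject_id: str,
                    include_third_party: bool = False) -> List[Dict[str, str]]:
    """Pick the items for one subject that are in scope for portability."""
    items = []
    for row in rows:
        if row["subject_id"] != subject_id:
            continue                      # never include another subject's rows
        if row["provenance"] not in IN_SCOPE_PROVENANCE:
            continue                      # derived data is outside the right
        if row["third_party"] and not include_third_party:
            continue                      # could prejudice another person's rights
        items.append({k: str(row[k]) for k in PORTABLE_FIELDS})
    return items


def to_csv(items: List[Dict[str, str]]) -> str:
    """Structured, commonly used and machine-readable: CSV with a header row."""
    buf = io.StringIO()
    writer = csv.DictWriter(buf, fieldnames=PORTABLE_FIELDS, lineterminator="\n")
    writer.writeheader()
    writer.writerows(items)
    return buf.getvalue()


def to_json(items: List[Dict[str, str]]) -> str:
    """JSON alternative; the envelope name is this example's own convention."""
    return json.dumps({"format": "portability-export/1", "items": items},
                      indent=2, sort_keys=True)


def export(rows: List[Row], subject_id: str, lawful_basis: str,
           automated: bool, fmt: str = "json") -> str:
    """Check that the right applies, then produce the export in the requested format."""
    if not portability_applies(lawful_basis, automated):
        raise ValueError("right to data portability does not apply to this processing")
    items = select_portable(rows, subject_id)
    return to_csv(items) if fmt == "csv" else to_json(items)


def demo() -> Dict[str, object]:
    """Run the export over the constructed sample and summarise what happened."""
    csv_text = export(SAMPLE_ROWS, "s1", "contract", automated=True, fmt="csv")
    json_text = export(SAMPLE_ROWS, "s1", "consent", automated=True)
    try:
        export(SAMPLE_ROWS, "s1", "legitimate_interests", automated=True)
        refused = False
    except ValueError:
        refused = True
    return {
        "csv_lines": csv_text.splitlines(),
        "json_has_score": "risk_score" in json_text,
        "json_has_other_person": "B. Other" in json_text,
        "refused_for_legitimate_interests": refused,
    }


if __name__ == "__main__":
    print(demo()["csv_lines"])
```

The filtering is the part worth copying: the format is easy, but an export that silently includes a derived credit score, or a joint account holder's name, is a disclosure problem dressed up as compliance. Deciding per row whether the individual provided the data, and whether it is also about someone else, keeps the export within the right as the page describes it.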

How long do I have to comply?

You must respond without undue delay, and within one month.

This can be extended by two months where the request is complex, or you receive a number of requests. You must inform the individual within one month of the receipt of the request and explain why the extension is necessary.

Where you are not taking action in response to a request, you must explain why to the individual, informing them of their right to complain to the supervisory authority and to a judicial remedy without undue delay and at the latest within one month.

The Right to Object

Individuals have the right to object to:

• processing based on legitimate interests or the performance of a task in the public interest/exercise of official authority (including profiling);

• direct marketing (including profiling); and

• processing for the purposes of scientific/historical research and statistics.

For processing based on legitimate interests or a public task, and for research, individuals must object on "grounds relating to his or her particular situation". No such grounds are needed to object to direct marketing.

If the objection is to direct marketing you must stop as soon as you receive it; there are no exemptions. For the other grounds, you must stop processing the personal data unless:

• you can demonstrate compelling legitimate grounds for the processing, which override the interests, rights and freedoms of the individual; or

• the processing is for the establishment, exercise or defence of legal claims.

You must inform individuals of their right to object “at the point of first communication” and in your privacy notice. This must be “explicitly brought to the attention of the data subject and shall be presented clearly and separately from any other information”.

Individuals must have “grounds relating to his or her particular situation” in order to exercise their right to object to processing for research purposes.

If you are conducting research where the processing of personal data is necessary for the performance of a public interest task, you are not required to comply with an objection to the processing.

How do I comply with the right to object if my processing activities fall into any of the above categories and are carried out online?

• You must offer a way for individuals to object online.

Rights Related to Automated Decision-making including Profiling

The GDPR applies to all automated individual decision-making and profiling. It has provisions on automated individual decision-making (deciding solely by automated means without any human involvement); and profiling (automated processing of personal data to evaluate certain things about an individual). Profiling can be part of an automated decision-making process.

Article 22 of the GDPR has additional rules to protect individuals if you are carrying out solely automated decision-making that has legal or similarly significant effects on them.

You can only carry out this type of decision-making where the decision is:

• necessary for the entry into or performance of a contract; or

• authorised by Union or Member state law applicable to the controller; or

• based on the individual’s explicit consent.

You must identify whether any of your processing falls under Article 22 and, if so, make sure that you:

• give individuals information about the processing;

• introduce simple ways for them to request human intervention or challenge a decision;

• carry out regular checks to make sure that your systems are working as intended.

In the next slide we will look at what should be done to comply with the GDPR and what you should be doing as best practice.

All automated individual decision-making and profiling

To Comply with the GDPR:

• You have a lawful basis to carry out profiling and/or automated decision-making and document this in your data protection policy.

• You send individuals a link to your privacy statement when you have obtained their personal data indirectly.

• You explain how people can access details of the information you used to create their profile.

• You tell people who provide you with their personal data how they can object to profiling, including profiling for marketing purposes.

• You have procedures for customers to access the personal data input into the profiles, so they can review and edit for any accuracy issues.

• You have additional checks in place for your profiling/automated decision-making systems to protect any vulnerable groups (including children).

• You only collect the minimum amount of data needed and have a clear retention policy for the profiles you create.

As a Model of Best Practice:

• You carry out a DPIA to consider and address the risks before you start any new automated decision-making or profiling.

• You tell your customers about the profiling and automated decision making you carry out, what information you use to create the profiles and where you get this information from.

• You use anonymised data in your profiling activities.

Solely automated individual decision-making, including profiling with legal or similarly significant effects (Article 22)

To Comply with the GDPR

• You carry out a DPIA to identify the risks to individuals, show how you are going to deal with them and what measures you have in place to meet GDPR requirements.

• You carry out processing under Article 22(1) for contractual purposes and you can demonstrate why it is necessary.

OR

• You carry out processing under Article 22(1) because you have the individual's explicit consent recorded. You can show when and how you obtained consent. You tell individuals how they can withdraw consent and have a simple way for them to do this.

OR

• You carry out processing under Article 22(1) because you are authorised or required to do so by Union or Member State law, and this is the most appropriate way to achieve your aims.

• You don’t use special category data in your automated decision-making systems unless you have a lawful basis to do so, and you can demonstrate what the basis is. You delete any special category data accidentally created.

• You explain that you use automated decision-making processes, including profiling. You explain what information you use, why you use it and what the effects might be.

• You have a simple way for people to ask you to reconsider an automated decision.

• You have identified staff in your organisation who are authorised to carry out reviews and change decisions.

• You regularly check your systems for accuracy and bias and feed any changes back into the design process.

As a Model of Best Practice:

• You have used visuals to explain what information you collect/use and why this is relevant to the process.

• You have signed up to a set of ethical principles to build trust with your customers. This is available on your website and on paper.