In this instalment of ‘Are you ready for GDPR’ we explore a number of the other rights provided to individuals under the GDPR. Rights include:
· The right to rectification
· The right to erasure
· The right to restrict processing
· The right to data portability; and
· The right to object
These rights are broadly similar in effect, but not identical, to those rights of data subjects contained within the current Data Protection regime
Right to Rectification
Covered by Article 16 of the regulations, and allows for the data subject to obtain from the data controller the rectification of inaccurate personal data. Incomplete personal data can also be completed.
The requirement, in common with all other rights, is for rectification to take place within one month, and save where such requests are manifestly unfounded or excessive, completed free of charge.
In the event of failure or refusal to rectify data subjects should be informed of their right to contact the Information Commissioners Office or seek judicial redress.
Right to Erasure (the right to be forgotten)
Such a right to erasure is absolute, and the regulations provide guidance upon the circumstances in which the right can be exercised and the exemptions to erasure (reg 17(3)(a)-(e)) that businesses can apply.
The regulations, subject to exemption, provide six circumstances in which a data subject has a right to erasure:
1. The personal data is no longer necessary for the purpose for which it was collected or otherwise processed.
2. Consent is withdrawn and there is no other legal basis for processing.
3. The data subject objects to the processing on the basis of their right to object and there are no overriding legitimate interest grounds.
4. The personal data has been unlawfully processed
5. The personal data has to be erased for compliance with a legal obligation to which the controller is subject
6. The data has been collected in relation to the offer of information society services to a child.
Right to restrict processing
The right to restrict processing is, in essence, the right of the data subject to block the processing of their personal data. The personal data currently held can be retained, but no further processing can take place.
Article 18 sets out the specific circumstances in which the right to restrict processing arises. These include:
· The accuracy of the data being contested by the data subject, so as to allow the data controller time to verify the accuracy of the personal data.
· The processing is unlawful and the data subject opposes the erasure and requests that it be restricted instead.
· The controller no longer needs the personal data for the purpose of processing but it is required by the data subject for the establishment, exercise or defence of legal claims.
· The data subject has objected to processing pending verification of the legitimate grounds of the controller override those of the data subject.
Right to data portability
The portability of data reflects the right of data subjects to receive personal data held by a data controller that has been provided by the data subject, in a structured, commonly used and machine-readable format.
It is designed to give data subjects greater control over personal data concerning them, create the free flow of information so that there is greater competition between data controllers and aims to facilitate switching from one service provider to another to provide wider choice.
This right extends to the transmission of data to another controller without hindrance, but only applies;
· To personal data concerning the data subject, and which they have provided to a Data Controller (Article 20(1)
· Where the processing is based on the individual's consent or for the performance of a contract; and
· Where processing is carried out by automated means.
There is no requirement to adopt or maintain processing systems that are technically compatible with other organisations, but as above, the information must be provided in a commonly used machine-readable format. The right of portability is designed to foster innovation in data uses and promote new business models linked to more data sharing under the data subject’s control.
The right to object
The right to object arises where Data Controller purports to process personal data for the purpose of their legitimate interests, the performance of a task in the public interest, direct marketing, or processing for the purpose of scientific/historical research and statistics.
In such circumstances where an objection is received the Data Controller shall no longer process the personal data unless it is able to demonstrate compelling legitimate grounds for the processing which override the interests right and freedoms of the data subject or the establishment, exercise or defence of legal claims.
If you are unsure as to your rights as an individual or obligations towards individuals under the GDPR then please contact Richard Burraston on 01293 596984 or by e-mail at Richard.burraston@stevensdrake.com or Paul Dungate on 01293 596981 or by e-mail at paul.dungate@stevensdrake.com.