The rights of data subjects are set out in Section III of the General Data Protection Regulation (GDPR).
Data subjects have a broad range of rights in relation to the processing of their personal data, including the following.
Right to information: Article 12 of the GDPR requires data controllers to take measures to “provide information referred to in Articles 13 and 14 and any communication under Articles 15 to 22 and 34 relating to processing to the data subject in a concise, transparent, intelligible and easily accessible form”.
See question 5.3 for information required when notifying data subjects where their personal data is being processed.
Right to access personal data: Article 15 gives data subjects the right to obtain confirmation from the controller as to whether personal data concerning them is being processed and, if so, to obtain access to that personal data. The data subject may also obtain information similar to that set out at question 5.3 in relation to notification of processing requirements.
Copies of such personal data must be provided to the data subject free of charge.
Article 12(5) of the GDPR provides that a controller may refuse a request or charge a reasonable fee where requests are unfounded or excessive.
Right of rectification: Data subjects can request that controllers rectify inaccurate personal data concerning them pursuant to Article 16 of the GDPR. Article 5(1)(d) of the GDPR emphasises the need for personal data to be accurate, kept up to date and, when inaccurate, either erased or corrected without delay.
Right of erasure: The right to erasure is also known as the right to be forgotten and is set out in Article 17 of the GDPR. Controllers are obliged, when requested by the data subject, to erase personal information where:
- the personal data is no longer necessary in relation to the purposes for which it was collected;
- the data subject withdraws consent to the processing (and there is no other legal ground for the processing);
- the data subject objects to the processing in accordance with Article 21(1) of the GDPR and there are no overriding legitimate grounds for the processing, or the objection is pursuant to Article 21(2);
- the personal data has been unlawfully processed;
- there is a legal obligation in EU or member state law (to which the controller is subject) requiring the erasure of information; or
- the personal data has been collected in relation to the offer of information society services referred to in Article 8(1).
The exceptions to the right to erasure include where processing is necessary:
- to exercise the right of freedom of expression and information;
- to comply with a legal obligation;
- for reasons of public interest in the area of public health;
- for the purposes of archiving in the public interest, scientific, historical or statistical research purposes; or
- for the establishment, exercise or defence of a legal claim.
Right to restrict data processing: Article 18 of the GDPR sets out the right to obtain a restriction in the processing of personal data where:
- the accuracy of the personal data is contested by the data subject;
- the processing is unlawful and the data subject opposes the erasure of the personal data and requests restriction instead;
- the controller no longer needs the personal data for processing, but it is required by the data subject in relation to the establishment, exercise or defence of legal claims; or
- the data subject has objected to processing pursuant to Article 21(1), pending verification of whether the legitimate grounds of the controller override those of the data subject.
Controllers must inform data subjects who have obtained a restriction in relation to the processing before these restrictions can be lifted.
Right to object to data processing: Data subjects have the right to object to the processing of their data pursuant to Article 21 of the GDPR.
A controller must stop processing data for direct marketing purposes when a data subject objects to such processing. A data subject can also object to processing carried out for scientific or historical research purposes or for statistical purposes, unless the processing is necessary for the performance of a task carried out in the public interest.
Whenever there is an objection to the processing, controllers must cease such processing, unless the controller demonstrates a compelling legitimate ground which overrides the interests of the data subject, or where the processing is required to establish, exercise or defend legal claims.
Right to data portability: The right to data portability allows a data subject to receive his or her personal data in a structured, commonly used and machine-readable format, and to transmit that data to another controller. This right is available where the processing is based on consent or a contract, or where the processing is carried out by automated means.
Right not to be subject to automated decision making: Article 22 of the GDPR provides data subjects with the right not to be subject to a decision based solely on automated processing, including profiling, which produces legal effects concerning him or her or similarly significantly affects him or her. This right will not apply where the automated decision is necessary for contractual reasons (i.e., where there is a contract between the data subject and the controller), is based on explicit consent or is authorised by EU or member state law.
Right to be notified of a data security breach: Article 34 of the GDPR obliges controllers to communicate personal data breaches to data subjects without any undue delay where the breach is likely to result in a high risk to the rights and freedoms of natural persons.