Rights of data subjects
The GDPR aims to protect confidentiality and to safeguard the fundamental rights and freedoms of natural persons. Therefore, it provides means which allow data subjects to keep the processing activities concerning their personal data under their control. In addition to the rights already in force under the former legislation, there are new rights which are not so easy to deal with. Let’s look at each right in detail.
Thanks to the right of access, data subjects have the right to know whether there is a processing activity concerning their personal data and, if so, to obtain information on:
1. purposes of the processing
2. categories of personal data
3. recipients or categories of recipients to whom the personal data have been or will be disclosed, in particular recipients in third countries or international organisations
4. envisaged period for which the personal data will be stored, or, if not possible, criteria used to determine that period
5. right to rectification or erasure of personal data or restriction of processing of personal data or to object to data processing
6. right to lodge a complaint with a supervisory authority
7. where the personal data are not collected from the data subject, any available information as to their source
8. existence of automated decision-making, including profiling, and, at least in those cases, meaningful information about the logic involved, as well as the significance and the envisaged consequences of such processing for the data subject.
The right to rectification gives the person the right to request from the controller that inaccurate personal data are rectified «without undue delay» and, where applicable, to provide additional information to complete data which are incomplete.
The right to erasure (right to be forgotten) can be exercised for different reasons. The person has the right to obtain the erasure of personal data «without undue delay» and the controller is obliged to erase personal data «without undue delay» if the personal data are no longer necessary in relation to the purposes for which they were collected or otherwise processed. Erasure is due if the data subject withdraws the consent on which the processing is based and there is no other legal basis for the processing. Erasure also applies where the data subject objects to the processing and there are no overriding legitimate grounds for the processing, or objects to data processing for marketing activities, including in the case of profiling. Of course, erasure applies where personal data have been unlawfully processed, as well as where personal data have to be erased for compliance with a legal obligation under European Union or Member State law to which the controller is subject. The right to erasure also covers personal data which have been collected in relation to the offer of information society services directly to a child (16 years old under the GDPR; 14 years old under Italian legislation) on the basis of consent. Where personal data have been made public, the controller is obliged to erase them and, if feasible, has to inform the controllers which are processing such personal data that the data subject has requested the erasure by those controllers of any links to, or copies or replications of, those personal data.
Then, there is the right to restriction of processing. The person has the right to request from the controller that personal data are processed only for specific purposes. This right can be exercised where the accuracy of the personal data is contested by the data subject, for a period enabling the controller to verify the accuracy of the personal data. The right to restriction can also be exercised where processing is unlawful and the data subject opposes the erasure of the personal data and requests the restriction of their use instead. It applies where the controller no longer needs the personal data for the purposes of the processing, but they are required by the data subject for the establishment, exercise or defence of legal claims. Last but not least, it applies where the data subject has objected to processing and is waiting for verification of whether the legitimate grounds of the controller override those of the data subject.
To comply with the right of notification obligation regarding rectification or erasure of personal data or restriction of processing, the controller shall communicate any rectification or erasure of personal data or restriction of processing requested by the data subject to each recipient to whom personal data have been disclosed, unless this proves impossible or involves disproportionate effort. The controller shall inform the data subject about those recipients if the data subject requests it.
In Italy the right to data portability was already in force for specific business activities of the controller. The GDPR extends this right regardless of the controller’s activity. The data subject shall have the right to receive the personal data they provided to a controller in a structured, commonly used and machine-readable format, and the person shall have the right to transmit those data to another controller without hindrance from the controller to which the personal data have been provided. This right can be exercised only if the data processing is based on consent or on a contract and, at the same time, is carried out by automated means. The person can request the transmission of data directly from one controller to another, where technically feasible, and, of course, the data transmission shall not adversely affect other persons’ rights. This means that other persons’ data shall be excluded from the transmission.
The right to object is widely known. The data subject shall have the right to object, at any time, to the processing of personal data, including profiling. The controller shall no longer process such personal data unless the controller demonstrates compelling legitimate grounds for the processing which override the interests, rights and freedoms of the data subject, or grounds for the establishment, exercise or defence of legal claims. Where personal data are processed for direct marketing purposes, the data subject shall have the right to object at any time to the processing of personal data for such marketing, which includes profiling to the extent that it is related to such direct marketing. The controller shall then no longer process the data for such purposes. The right to object shall be presented to the person clearly and separately from any other information, at the latest at the time of the first communication with the data subject.
Lastly, the GDPR sets out the right to object to automated individual decision-making related to natural persons, including profiling. Data subjects have the right not to be subject to a decision based solely on automated processing, including profiling, which produces legal effects concerning the person or similarly significantly affects the person. This right shall not apply if the decision is necessary for entering into, or performance of, a contract between the data subject and the controller, where it is authorised by European Union or Member State law to which the controller is subject, or where it is based on the data subject’s explicit consent. The person has the right to obtain human intervention on the part of the controller, to express their point of view and to contest the decision.
How to deal with data subjects’ rights
The GDPR aims to protect data subjects’ fundamental rights and freedoms and shall ensure that the person can easily control the processing carried out on their personal data. In this framework, the controller shall put in place adequate measures to facilitate the exercise of data subjects’ rights and to provide any information requested by the person. Any communication shall be given in a concise, transparent, intelligible and easily accessible form. Any information shall be provided in writing or by other means, including electronic means. If the request is submitted by electronic means (e.g. e-mail), the information shall be provided by electronic means where feasible, unless the data subject has requested otherwise. Upon the data subject’s request, information may be provided orally, provided that the person’s identity is proven by other means. The controller shall not refuse to act on the request unless it demonstrates that it is not in a position to identify the person. If the controller has reasonable doubts about the identity of the data subject, it may request additional information necessary to confirm the identity.
Any information provided shall be free of charge and requests can be submitted by any means.
The controller shall provide the information requested and details of the actions taken to the data subject «without undue delay» and in any event «within one month of receipt of the request». That period may be extended «up to three months where necessary», taking into account the complexity and number of the requests. In such a case, the controller shall inform the person «within one month», explaining the reasons for the delay. Besides, if the controller does not take action on the request of the person, the controller shall inform the data subject, «without delay and at the latest within one month» of receipt of the request, of the reasons for not taking action and of the possibility of lodging a complaint with a supervisory authority and seeking a judicial remedy.
It is good practice to implement a procedure for dealing with data subjects’ rights, so that every question receives an exhaustive answer; where feasible, the answers should follow the order of the questions, so that no requested information is omitted. At the same time, the filing system needs to be supported by procedures which allow the requests and the actions taken to be recorded.
Right to lodge a complaint with a supervisory authority and effective judicial remedy against a supervisory authority
A person who considers that data processing infringes the GDPR shall have the right to lodge a complaint with a supervisory authority: in particular, in the Member State where the person lives or works or where the alleged infringement of the GDPR has taken place. This means that a data subject living in Italy does not necessarily have to lodge the complaint with the Italian supervisory authority; for instance, if the data subject considers that the infringement has taken place in France, the person can lodge the complaint with the French supervisory authority. This procedure complies with the principle of cooperation among the supervisory authorities of the Member States, which is strongly emphasised by the GDPR. The Italian supervisory authority has released a template for lodging a complaint: it can be downloaded at the URL https://www.garanteprivacy.it/web/guest/home/docweb/-/docweb-display/docweb/4535524&zx=e0yn0riezmmw and sent to protocollo@pec.gpdp.it.
The supervisory authority shall inform the complainant of the progress and the outcome of the complaint «within three months», including the possibility of a judicial remedy. In fact, any natural or legal person has the right to an effective judicial remedy against a legally binding decision of a supervisory authority concerning them.
As an alternative to the complaint lodged with the supervisory authority, the person may exercise the right to an effective judicial remedy against the controller or the processor, where the person considers that the data processing infringes their rights.
Right to compensation
It is remarkable that a data subject who has suffered material or non-material damage as a result of an infringement of the GDPR has the right to receive compensation from the controller or the processor for the damage suffered. Each controller involved in the data processing shall be liable for the damage caused by processing which infringes the GDPR. A processor shall be liable for the damage caused by processing only where it has not complied with the provisions of the GDPR specifically directed to processors or where it has acted outside or contrary to the lawful instructions of the controller. The controller or the processor shall be exempt from liability if it proves that it is not in any way responsible for the event giving rise to the damage. This point is very relevant, as it calls for the need – and the obligation – to comply with the accountability principle, which requires the controller to meet all the principles relating to processing and to demonstrate adherence to those principles by putting in place appropriate documented procedures and processes. This surely makes it easier to produce documents useful for dealing with data subjects’ complaints and, most of all, for cooperating with the supervisory authorities in case of investigations and controls.
Where more than one controller or processor is involved in the same processing and is responsible for the damage, each of them shall be held liable for the entire damage, in order to ensure effective compensation of the data subject.
Court proceedings for exercising the right to receive compensation shall be brought before the courts competent under the law of the Member State where the controller or the processor has an establishment or where the data subject lives.