DMA Europa

GDPR Part 3 – Citizens and their data: What do I have to do for my data subjects?



The EU General Data Protection Regulation (GDPR) is all about limiting the use of personal data. This is all underpinned by a general theme that personal data is just that: “personal”. Therefore, we are all warranted certain protection and rights over its use as it belongs to us.

Openness and transparency are key principles in the GDPR and we’ve already mentioned the importance of recording decisions, uses of personal data and communicating this openly in part 2. Beyond this though, the individual’s interests are protected further in 8 key rights that they have from the GDPR.

What are the key rights?

Many of these rights already existed in some form or another, such as in national law. However, with the introduction of GDPR these rights will now be implemented at an EU level and, as discussed in part 1, will apply for every EU national regardless of where their data is stored.

These GDPR rights are:

  • The right to be informed
  • The right of access
  • The right to rectification
  • The right to erasure
  • The right to restrict processing
  • The right to data portability
  • The right to object
  • Rights in relation to automated decision making and profiling.

The right to be informed

The right to be informed is the embodiment of being open and transparent. Normally this sort of information will be given in a privacy notice and should be concise and in simple language. The notice should be easy to find, free of charge, and communicated as early as possible and again whenever it changes.

The information that you need to provide will vary depending on whether you obtained the data directly from the source or whether you obtained it from a 3rd party (e.g. data purchasing), but includes things like:

  • Your address, identity and contact details
  • Purpose of processing and lawful basis
  • The data subject’s rights

For a full list of information that needs to be provided and when it needs to be provided see here.

The right to access

Because the GDPR treats personal data as “personal”, an individual’s ability to access their own data is an important part of it. An individual can request:

  • confirmation whether their data is being processed
  • what personal data you hold
  • other supplementary information (mainly that of what is in a privacy notice)

When they make such a request you must ordinarily provide them with the information free of charge (unless their requests are excessive) and as soon as possible, normally within 1 month.

The right to rectification

Rectifying your own personal data is another right of an individual. If they discover that some data you have is incorrect or incomplete they can ask you to correct it and you must ordinarily comply within one month. Additionally, if you have passed on their personal data you must take reasonable efforts to have these 3rd parties correct it.

The right to erasure

Formally known as ‘the right to be forgotten’, this right allows an individual to request that you delete their data when:

  • the personal data is not necessary for its original purpose
  • consent is withdrawn
  • there is no overriding legitimate interest
  • the data was unlawfully processed
  • erasure is necessary to comply with the law

They do not need to show that the processing of their personal data is causing them any harm, so even if you lose a lot and they gain nothing, you must still comply if they meet one of these requirements. Like the right to rectification, you must take reasonable efforts to contact 3rd parties about the erasure.

The right to restrict processing

Similar to the right to erasure, an individual can request that you stop processing their data. This does not mean you must delete their data, but you can only keep the data in order to store details of the restriction. The restriction is mostly a temporary measure for when an individual is exercising another right, such as the right to rectification, while you perform checks to see if the individual meets the requirements to exercise that right. Again, you should take reasonable steps to notify a 3rd party user of the data.

The right to data portability

This right really brings back the point that someone owns their own personal data. It allows them to reuse their data by obtaining it from you in an easily usable, safe format and passing it on to another service provider. However, it only applies if all 3 of the conditions below are met:

  • The personal data was provided by the individual
  • The legal basis is consent or contract
  • The processing is automated

The right to object

The right to object is similar to the right to restrict processing, except that it is a more permanent measure. It mostly applies when the processing is done under the legitimate interest legal basis and is a chance for an individual to raise their interests as part of the balancing exercise.

For most reasons the individual must have “grounds relating to his or her particular situation”, which you must balance against your processing. The exception to this is processing related to direct marketing, in which case you must always comply with the objection (that’s what the “unsubscribe” option on an email is).

Rights in relation to automated decision making and profiling

When you process data in a solely automated way that results in decision making or profiling, the GDPR offers special protection and rights. You can only carry out this sort of processing under the legal basis of contract or consent, and if you do, you must:

  • Provide clear information about the process
  • Allow individuals to request human intervention or challenge a decision/profile
  • Regularly check that the systems work correctly

So what do I need to do?

Just like in part 2, the next steps are entirely circumstantial. You need to implement processes and systems that allow you to fulfil these rights and requests quickly if they ever come up. This is likely to involve keeping records up to date and well in order so that you can easily communicate every bit of data you have on one person, how it’s used and, if necessary, update or delete it.

Nothing on this site constitutes legal advice. Any person who intends to rely upon or use the information contained herein in any way is solely responsible for independently verifying the information and obtaining independent expert advice if required.

The contents of this site are for general information purposes only. Whilst we endeavour to ensure that the information on this site is correct, no warranty, express or implied, is given as to its accuracy and we do not accept any liability for error or omission.

For more information you can read the regulation here or visit the website of the Information Commissioner’s Office. Specialist legal advice should be taken in relation to specific circumstances.

Published April 3, 2018