GDPR Principles & Rights
What rights do persons have under the GDPR?
The persons whose data is being processed remain in control of their own personal data. Therefore, you must:
- inform them if you process their data, what data you process, on what legal bases you process their data, etc.
and, upon their request:
- correct their data
- entirely or partly stop using their data
- delete their data and “forget” them
- provide them with a machine-readable copy of their data, to allow them to use it with another service provider (a competitor of yours)
- stop using their data for marketing purposes or automated decision-making, including profiling
The GDPR grants several rights to individuals in order to empower them to exercise more control over the processing of their personal data, including allowing them to understand how and why their data is being processed.
These requests can be submitted to you both orally and in writing.
Right to be informed
Individuals must be informed about the collection and use of their personal data. This information should be communicated at the following moments:
- at the time you collect their personal data from them;
- if you obtained the personal data from someone else, at the latest one month after obtaining the data.
This information should mainly be provided via your privacy policy (see below).
Essentially, you must inform individuals about the following:
- Why, how and for how long will you process their personal data?
- With whom do you share the data?
- What are their rights?
- How will you protect their data?
The information must be easily accessible and written in clear and simple language. To assess whether these conditions are fulfilled, you should consider your target audience.
Time for action!
- Draft a general privacy policy, addressed to customers, business partners, suppliers, third parties, job candidates, etc.
- Upload the privacy policy on your website.
- Review your forms (online and offline).
- Review your emails.
- Make sure to take these aspects into account when setting up new forms and mailings.
- Make sure to update your privacy policy when your processing activities change and, in any case, verify it once a year.
Right of access
Any individual has the right to know if you are processing his or her personal data, to obtain information about that processing and to obtain a copy of the data concerned.
You must be able to grant requests of individuals to access their data.
When you process personal data of an individual in the capacity of a controller, you must provide that individual with the following information:
- that you are processing his or her data;
- a copy of the data;
- additional information.
Right to request rectification
Individuals whose personal data you process are entitled to have their personal data corrected if it is inaccurate.
Personal data of individuals may be erroneous or outdated.
Besides your own obligation as a business to keep the personal data accurate (your “accuracy” obligation), the individuals whose data you process are entitled to demand that you correct their personal data.
The rectification of inaccurate personal data concerning an individual must be done without undue delay upon the individual’s request.
Depending on the purposes of the processing, the individual also has the right to have incomplete personal data completed.
Right to request erasure or deletion of data – the right to be forgotten
Under some circumstances, individuals whose personal data you process have the right to have their personal data erased or deleted.
Time for action!
- Ensure you are able to recognise a request for erasure and understand when the right applies.
- Decide how to record requests you receive verbally and ensure that your personnel is aware of this method.
- Ensure that you and your personnel are aware of the information you need to provide to individuals and when you can refuse a request.
- Have processes in place to ensure that you can respond to a request for erasure without undue delay and within one month of receipt.
- Be aware of the circumstances when you can extend the time limit to respond to a request.
- Understand that there is a particular emphasis on the right to erasure if the request relates to data collected from children.
- Have procedures in place to inform any recipients if you erase any data you have shared with them.
- Have appropriate methods in place to erase information.
Right to impose a restriction on processing
Under certain circumstances, individuals whose personal data you process have the right to ask you to stop using their personal data, without deleting it.
Right to data portability
Customers and individuals whose personal data you process in an automated way, based on their consent or an agreement with them, are allowed to obtain a structured digital copy of the data they provided to you, to allow them to provide this data to another service provider (competitor) and have that third party use the data to provide its services or products.
Right to object to the processing
In general, individuals have the right to object against the processing of their personal data when you are doing so based on legitimate interest or public interest, or for the purpose of direct marketing. You must inform individuals whose data you process of this right.
Right not to be subject to automated individual decision-making (including profiling)
Individuals are entitled to demand that decisions that affect them are made (at least in the end) by humans.
How to respond?
1. Response time
Within one month from receipt of the request of an individual you must:
- either comply with the request,
- or inform the individual that the period is extended,
- or inform the individual that his/her request is refused.
Example:
A company mistakenly sends marketing communication to an individual who happens to be part of the company’s customer database. Upon receiving this marketing communication, the individual reaches out to the company, requesting more information on how his data had been obtained, what type of personal data the company holds on him and the legal basis relied upon by the company to process his data. The company ignores this request and continues to send marketing communications. This is not in line with the GDPR. If the company does not respond to the request within a period of 1 month, it can be fined by the competent national data protection authority.
Extension of the period
The one-month period may be extended by two additional months, if such extension is justified by the complexity and number of requests.
2. Refusing a request
If a request is unjustified, you must inform the individual that you will not comply with it, providing the reasons for not taking action and informing the individual that he/she is entitled to lodge a complaint with the supervisory authority and seek judicial redress.
3. Costs? Can you charge for satisfying the individual’s request?
Communications with an individual and actions taken regarding the individual’s rights shall be free of charge.
If an individual submits manifestly unfounded or excessive requests (for example repeated requests) you can either charge a reasonable fee or refuse to act on a request. It will be up to you to be able to prove that a request was manifestly unfounded or excessive.
4. How to provide the requested information to an individual?
If the request is sent to you by electronic means, you should provide the answer and the requested information by electronic means where possible, unless the data subject requests otherwise.
Example:
A company stores certain personal data in coded form, unintelligible to those who do not have the key. Upon receiving an access request from an individual concerned, the company provides that individual with the coded information, without any further explanation. This practice is not GDPR compliant! Information needs to be provided in a manner that is understandable by an average person.
5. Keep in mind that the above described rights of individuals under the GDPR are not absolute. Some rights can only be exercised if particular conditions are met or under specific restrictions.
Time for action!
Put in place appropriate procedures to respond to requests of data subjects. The following factors should be considered: contact person for data protection requests, clear internal allocation of responsibilities, standard letters for refusal to act/extension.
Work closely with IT. It is important that your IT systems ensure compliance with the data subjects' rights (including the possibility to erase data).