GDPR (19) The data subject’s rights – the right to be informed
In previous instalments of this blog we mainly discussed the obligations which the GDPR imposes on companies and organisations that process personal data. We considered the legislation primarily from the perspective of the controllers and the processors of personal data. It is now time to shift our focus to the individual data subjects.
One of the main aims of the GDPR is to specify your rights as an individual with respect to the vast amount of circulating data that concerns you and is used by others. As a data subject, you can keep a grip on this information, although your rights are not absolute, as we will see.
One of the most important concepts in the GDPR is transparency. Every processor of personal data must endeavour to be open with the persons to whom the data relate. It must be easy for data subjects to find out which data are kept and processed by the processor, what the processor does with the data, and why these processing operations are necessary. The processor must be able to explain this in clear and plain language. Instalments 11 and 12 of this blog contain a detailed consideration of how companies and organisations can supply this information in the form of a privacy statement on their websites, for example.
The processor needs ensure that you, as a data subject, are properly informed in advance of its intentions, the possible consequences and the risks to which you are exposed, particularly if it requests data that it intends to keep and use. It must explain how the benefits of this outweigh the drawbacks for you too.
Moreover, the controller must state what you can do if you have a question or complaint. You must be provided with a direct point of contact within the organisation. In addition, the processor has to inform you that you can lodge a complaint about a processing operation with the data processing authority (in Belgium this is the Privacy Commission). Obviously, if you lodge a complaint you need to have a valid reason for doing so.
Besides the right to general information, as a data subject you also have specific rights when it comes to your own personal data. Anyone may contact a controller to access the personal data that the company or organisation keeps on them and to obtain information about the processing operations for which the data are used. Such ‘simple’ requests can create a great deal of work for the company or organisation. Being able to respond accurately to such requests means being thoroughly prepared and following a clear procedure, not least because under the GDPR the data subjects are entitled to receive a response within one month. The controller must either supply the requested information by that deadline or provide a plausible explanation for why it needs more time.
There are several major stumbling blocks that have to be overcome in order to fulfil this obligation. First, the controller must know where the information can be found. This is not a problem when it comes to files with contact details in a CRM application or personnel data stored in an administrative system. Unfortunately, a great deal of information is stored as unstructured data in paper files, in digital files that are not covered by the document management system, or at a local level by individual employees. Gathering such data is much more difficult. Furthermore, the GDPR explicitly states that this service must be free of charge, except in cases where the requests received are manifestly unfounded or excessive.
That being said, this right of access conflicts with other rights and interests. When providing information to a data subject, the controller must ensure, for instance, that it does not violate the rights of other data subjects. For example, it will be virtually impossible for a company or organisation to agree immediately to an individual’s request for access to all documents and e-mails in which he or she is mentioned. This is because such documents include information about other data subjects, whose privacy must also be protected. Some sources of information also contain other confidential data, which could damage the company’s interests if disclosed. In all such situations, it will be necessary to weigh up the different rights and reach a balanced viewpoint. The outcome may be that a data subject’s request cannot be complied with. In that case, the data subject must be informed of the reason.
Besides the right to be informed, data subjects have many other rights under the GDPR. These will be discussed in the next instalment of this blog.
Viktor D’Huys is the ICT manager of Group Joos. He is responsible for matters including data security and the coordination of the GDPR project. He is a Certified Information Security Manager (CISM certified by the ISACA) and has been awarded the CIPP/E (Certified Information Privacy Professional/Europe) credential by the IAPP (International Association of Privacy Professionals).
If you have any questions or comments, please write to us at firstname.lastname@example.org.