GDPR (20) The data subject’s rights – rights concerning own data
In the previous instalment of this blog, we discussed the data subject’s right to be informed. Every data controller must provide transparent information about the type of data it keeps, the processing operations for which the data are used, and the purpose of those processing operations. In addition, every data subject has the right to access his or her own data.
However, the data subject’s rights (and therefore the obligations imposed on the controller) go much further than this. A data subject may also request that you rectify, supplement or even delete data that you keep on him or her. The data subject’s right to have data deleted is not absolute, and the possibilities for complying with such a request must be weighed against other rights and legal obligations. Where there is a legal obligation to archive data for a specific period of time, the data obviously cannot be deleted at the request of a single individual. Sometimes data must be kept for a while so that all contractual obligations can be fulfilled. Moreover, data controllers have to keep a limited amount of data so that they can document their compliance with requests from data subjects for the deletion of data.
Needless to say, the right of rectification is also relative. Obviously, an evaluation report that is kept on file cannot be modified simply because an employee requests this. In such situations, employees can exercise their rights by adding comments instead. Rectifications or additions are to be expected – and can even be useful – when data are obtained through third parties, for example. Matters become much more difficult from a legal perspective, however, when it comes to the enrichment of data by the controller that could constitute the controller’s added value.
As a rule, any requests to modify or delete data also apply to all third parties to which the data were passed on (such as partners or subcontractors). The controller must guarantee that such third parties are also informed of such requests wherever possible. The well-known right to be forgotten has already been the subject of a number of high-profile legal proceedings relating to social media. Clearly, complying comprehensively with requests of this kind is not at all simple. Given this, contracts concluded between controllers and their subcontractors should specify that data are to be deleted immediately after processing.
A data subject may also request that the further processing of his or her data be stopped or suspended even though the data are retained. This approach may be appropriate in the event of an ongoing complaint that is awaiting a decision by the relevant authorities, for example because the data subject has contested the lawfulness of the processing operation. A request of this kind obviously cannot be complied with if the relevant processing operation is performed on the basis of a legal obligation or as part of the duties of government. As we discussed in a previous instalment of this blog, processing performed on the basis of consent provided by the data subject can be stopped at any time if the data subject withdraws this consent. In that case, the controller must also delete the data.
Finally, the data subject also has the right to data portability. This right was already included in the ePrivacy legislation, which imposes obligations on digital service providers. The underlying aim of this right was to prevent customers who want to switch service provider from being ‘held hostage’ by their existing service provider because they would lose all their data. After all, no one wants to lose all the photos, blogs and e-mails they store online. The same right has now also been included in the GDPR and is applicable to all personal data processing operations. In this much broader context, data portability is often not feasible in practice. Moreover, it leads to conflicts with other rights. For example, a controller that has performed complex operations on data (some of which may be based on algorithms that are the company’s intellectual property) will not want to reveal those results without good reason. The interpretation that is most commonly relied upon is therefore that the right to data portability is only really applicable to data that the data subject made available to the processor in the first place.
Organisations are advised to establish a proper procedure for dealing with all of these requests.
- First, the contact point for any questions, as well as the responsible person within the organisation, must be made clear to the data subjects. This information can be included in a privacy statement, for example.
- Within the organisation, requests must be passed on quickly to the correct person for further processing, which means everyone needs to be aware of the procedure.
- There needs to be a clearly defined method for establishing whether the identity of the person making the request is the same as that of the data subject whose data is being requested. It is usually recommended that the organisation asks the person making the request to provide a photocopy of his or her identity card.
- There also need to be rules for determining not only which information can be supplied, but also, where applicable, which information cannot be provided, for example because it could include confidential data about other individuals or business secrets. The lines of reasoning that are to be followed must be documented. As part of this, the rights of everyone concerned must be dealt with in a balanced way, since the data subject’s rights are not absolute.
- A monitoring system has to ensure that all requests are dealt with promptly and that documentation concerning the progress made and decisions taken is kept.
Clearly, the exercising of these rights will lead to practical problems for data processors. In some circles there are also concerns that the law will be used by data privacy activists to target companies by bombarding them with mass organised requests. However, the GDPR does offer some protection against this by specifying that the requests must not be unfounded or excessive (for example because the requests are made repeatedly). Controllers are not required to comply with any requests that they can prove to be unfounded or excessive.
Despite the above, the fact that we, as individuals, will, at least to some degree, continue to be in control of the information that exists on us, and that companies and organisations will have a framework for handling personal data in a respectful, careful manner, is, of course, a development that is to be welcomed.
Viktor D’Huys is the ICT manager of Group Joos. He is responsible for matters including data security and the coordination of the GDPR project. He is a Certified Information Security Manager (CISM, certified by ISACA) and has been awarded the CIPP/E (Certified Information Privacy Professional/Europe) credential by the IAPP (International Association of Privacy Professionals). If you have any questions or comments, please write to us at firstname.lastname@example.org.