13 February 2018

Data Subject Rights

With the introduction of the GDPR (General Data Protection Regulation), individuals, or data subjects, will gain ways to stand up for themselves when their personal data is being processed. Existing privacy rights will be extended and new rights will come into force, as stated by the Data Processing Authority (DPA). Are you ready for those who want to assert their rights?

The Data Processing Authority has compiled a list with the GDPR privacy rights:

Right to data portability

This refers to the transferability of personal data. It means that persons have the right to receive the personal data concerning them, which has been provided to an organisation. This allows data to be easily transferred to another supplier of similar services, for example when you transfer to a different mortgage lender.

This only concerns digital data; paper files are not included. It also includes personal data an organisation processes with the permission of the data subject, and applies to organisations that have an agreement with the data subject.

The European data protection authorities have published Guidelines that give further explanations on data portability.

English: https://autoriteitpersoonsgegevens.nl/sites/default/files/atoms/files/wp242_rev01_enpdf.pdf

Dutch: https://autoriteitpersoonsgegevens.nl/sites/default/files/atoms/files/nederlandse_vertaling_guidelines_dataportabiliteit.pdf

Right to erasure

This is the right to be ‘forgotten’. The right to erasure always applies; however, it cannot always be successfully invoked. Only in the following situations can the right to erasure be applied in practice:

  • No longer required

The personal data are no longer necessary for your organisation in relation to the purposes for which you collected or otherwise processed them.

  • Withdrawal of consent

The data subject has previously given their clear consent for the processing of their personal data. When this consent is withdrawn, the right to erasure applies.

  • Objection

When someone, being a data subject, objects to the processing, the right to erasure applies. However, such an objection does not always have to be honoured. The interests of both the organisation and the data subject have to be taken into account.

  • Unlawful processing

This applies when your organisation unlawfully processes personal data, for example when there is no legal ground for the processing.

  • Legally determined retention period

As an organisation you are legally bound to erase personal data after a specified time period. There are thousands of different retention periods. Municipalities have different retention periods from greengrocers, for instance.

  • Children

When the data subject is younger than 16 years and the personal data have been collected via an app or a website, then the right to erasure applies.

Right of access

Clients and partners whose personal data you process have the right to ask exactly which data related to them your organisation processes. A data subject is also allowed to ask for access to these data.

When access is applied for, there are certain things you have to clarify, such as why you process certain data, what types of personal data you collect and over what period of time you store the data. The processing register, which has to be set up by certain persons and employees responsible, contains all the required information.

Right to rectification and completion

This gives people the right to have incorrect data changed, or to have personal data completed.

As an organisation you are responsible for ensuring that the personal data are correctly processed. Data also have to be updated when this is necessary.

Right to restricted processing

This gives people the right to have less data processed. The right to restrict data processing applies in situations that meet one of the following criteria:

  • Data are possibly incorrect;
  • The processing is not lawful;
  • Data are no longer needed;
  • The data subject objects to the processing of his or her personal data.

Right to not be evaluated on the basis of automated processing

The right to a human approach when decisions have to be made concerning an individual. Some organisations take decisions based on automated processes.

An example could be an automatic decision about applications that come in through the internet, without any human intervention. When someone asserts this particular right, it means you have to reconsider your decision, for which an actual person has to go over the data.

Right to object to the processing of personal data

The people, or data subjects, whose personal data you process have the right to object to this processing of their data.

When someone objects to the processing of his or her personal data, you have to stop the processing, unless the interests, rights and freedoms of you as an organisation outweigh those of the data subject. This could be the case when it is impossible to practically remove all personal data.

Do you have any questions about records of processing activities? Or about the GDPR? Please contact us.

White Paper GDPR – Prepare for the road to compliancy

Starting May 25 2018, any business in the European Economic Area (EEA) that processes personal data has to comply with the GDPR. This regulation replaces existing national legislation. The GDPR states requirements that have to be met when processing personal data. With the new regulation, the EU wants to return control of their personal data to its citizens. There are strict conditions and the GDPR is obligatory. Violations will be heavily penalised, with the risk of high fines of up to €20,000,000 or 4% of your annual turnover! Plenty of reasons to take this seriously.
