EU data protection law provides individuals (“data subjects”) with a wide array of rights which can be enforced against Organisations that process personal data, also referred to as “Data Controllers” and/or “Data Processors”. Such rights may limit the ability of Organisations to lawfully process personal data and, in certain cases, could have a huge impact upon the Organisation’s business model.
Therefore, while the key objective of the General Data Protection Regulation (EU) 2016/679 (“the GDPR” or “the Regulation”) is to protect and strengthen the rights of data subjects, their expansion is likely to be accompanied by stricter enforcement.[1]
Right to Rectification[2]
Taking into account the purposes of the processing, data subjects have the right to obtain from the Data Controller, without undue delay, the rectification of inaccurate personal data and/or to have incomplete personal data completed including by means of providing a supplementary statement.[3]
Rectification & Third-Party Data
If the Data Controller has disclosed the personal data to which the request relates to a third party/recipient, it should, where practicable (that is, unless this proves impossible or involves disproportionate effort), contact each third party/recipient and inform them of the rectification or completion of the personal data.
Moreover, if so requested, the Data Controller shall also inform the data subject about such third parties/recipients.
Once the data has been corrected and/or completed, the Data Controller shall supply such third party/recipient with a copy of the corrected and/or completed personal data and a written notice of the reasons for the correction and/or completion.
When the Right to Rectification does not apply
Note that the Right to Rectification is not absolute. The Data Controller may be exempt from actioning such a request depending on the circumstances. If challenged, Organisations must be prepared to defend the decision to apply an exemption to the Supervisory Authority or a court.
Some of these exemptions include if:
- it is not satisfied that the personal data is inaccurate;
- it is not provided with sufficient information to ascertain that the personal data is inaccurate;
- it is not satisfied that the correction provided in the request is accurate;
- it considers the request as manifestly unfounded or excessive, taking into account whether the request is repetitive in nature;
- another Data Controller, not the one receiving the request, is controlling the use of the personal data concerned;
- personal data records a mistake which was later resolved, since the record of the mistake is in itself accurate – a representation of the true unfolding of events;
- the information recorded is an opinion; and
- the information is a fact.
Right to Erasure[4]
Also known as the Right to be Forgotten, it has attracted a lot of attention, but is often poorly understood. In essence it allows data subjects to obtain, without undue delay, from the Data Controller and Processors the deletion of their personal data.
However, does this mean the deletion of ALL personal data?
Data Controllers are only obliged to erase the personal data where one of the following grounds applies:
- the personal data is no longer necessary in relation to the purposes for which it was collected or otherwise processed;
- the data subject withdraws consent on which the processing is based and where there is no other legal ground for the processing;
- the data subject objects to the processing of their data and there are no overriding legitimate grounds to continue processing or the data subject objects to the processing of their data for direct marketing purposes;
- the personal data has been unlawfully processed;
- the personal data has to be erased for compliance with a legal obligation in Union or Member State law to which the Data Controller is subject; and
- the personal data have been collected in relation to the offer of information society services.[5]
What happens if the personal data has been publicised?
To strengthen this right in the online environment, where a data subject requests the deletion of personal data that has been made public, the Data Controller must, unless this is impossible or involves disproportionate effort[6], take reasonable steps to communicate the data subject’s objection to other recipients to whom the personal data has been disclosed, to erase any links to or copies or replications of that personal data, in light of available technology, and the cost of implementation including technical measures.[7] Furthermore, if so requested, the Data Controller must inform the data subjects about the recipients of their personal data.
Google Spain v. AEPD and Mario Costeja González[8]
This Right came into the spotlight with the famous case involving Google. In 2010, Mr Costeja, a Spanish national, complained to the Spanish Data Protection Agency that when internet users entered his name in the Google search engine, two links to the newspaper “La Vanguardia Ediciones” would appear, in which his name was connected to a real estate auction held in attachment proceedings for the recovery of social security debts.
Mr Costeja requested:
- the newspaper to have such references removed or altered; and
- Google to have his personal data removed or concealed.
The Spanish Agency dismissed the complaint in relation to the newspaper but upheld it with regard to Google.
To this end, the CJEU concluded that data subjects have a right to erasure and required search engines to remove, upon a person’s request, links to webpages that appear when searching that person’s name unless “the preponderant interest of the general public” in having access to the information justifies the search engine’s refusal to comply with such request.[9]
When the Right to Erasure does not apply
Note that the Right to Erasure is not absolute. The Data Controller may be exempt from actioning such request depending on the circumstance. If challenged, Organisations must be prepared to defend the decision to apply an exemption to the Supervisory Authority or a Court of Law.
Some of these exemptions apply if:
- the processing is protected by the right of freedom of expression and information;
- the processing is necessary to comply with a legal obligation;
- the processing is necessary for the performance of a task carried out in the public interest or in the exercise of official authority;
- the processing is necessary for reasons of public interest in the area of public health;
- the data is being used for archiving purposes in the public interest, scientific or historical research or statistical purposes where erasure is likely to render impossible or seriously impair the achievement of that processing; or
- for the establishment, exercise or defense of legal claims.
In practice this means that Organisations must:
- firstly, have systems, databases and solutions that allow for this level of intervention; and
- secondly, have procedures in place to ensure that effective deletion takes place following receipt of a data subject request.
Therefore, the inability of Organisations to respond to data subject requests due to technical incapability will no longer be considered an acceptable justification.[10]
Right to Restrict Processing[11]
When there is disagreement over whether the right to erasure applies, Article 18 establishes a procedure which allows data subjects to seek restriction of processing. Hence, in addition to having systems for deletion in place, Organisations need to be capable of halting processing activities.
Data subjects may request restriction of processing when one of the following conditions applies:
- the accuracy of the collected personal data is contested, and the Data Controller is in the process of verifying its accuracy;
- the processing is unlawful and the data subject requests restriction instead of the erasure of personal data;
- the Data Controller no longer requires the personal data for the purposes for which it was collected, but the data subject wants to maintain it for the establishment, exercise or defence of legal claims; and
- the data subject has objected to the processing and the Data Controller is in the process of verifying whether its legitimate grounds override the interests of the data subject.[12]
When a data subject requests restriction, the Data Controller should temporarily remove the data from a general filing system or from a public website in order to avoid further processing. Additionally, Recital 67 of the GDPR specifies that Data Controllers should flag the restricted data in a way that makes clear that processing is restricted.[13]
Once processing has been restricted, such personal data shall only be processed:
- with the data subject’s consent; or
- for the establishment, exercise or defence of legal claims; or
- for the protection of the rights of third parties; or
- for reasons of important public interest of the Union or of a Member State.
The Data Controller is obliged to inform the data subject before lifting such restriction.[14]
Right to Data Portability[15]
The creation of this new right aims to increase user choice of online services because it grants data subjects the right to receive the personal data provided to the Data Controller, in a structured, commonly used and machine-readable format as well as transmit it, where it is technically feasible, to another Data Controller without hindrance. This effectively allows and facilitates data subjects’ ability to move, copy or transfer their personal data easily from one IT environment to another in a safe and secure way, without interference to usability. Additionally, this direct transmission is an important tool that will support the free flow of personal data in the EU and foster competition between Data Controllers.[16]
Furthermore, the right to data portability needs to be seen:
- in the scope of the higher degree of control that the GDPR gives to data subjects together with stricter rules and principles and an accountability duty of the Data Controller with regards to the processing of personal data;
- against the backdrop of an era of digitalisation and digital transformation in which personal data has become part of virtually all areas of society, life and business, and of countless processes, ranging from buying online to seeking online customer service and the big data processes running across myriad digital data processing activities.[17]
Although this Right to Data Portability is seen as complementary to the Right to Access,[18] it is very narrow in scope since it applies:
- to personal data actively and knowingly provided by and concerning the data subjects;
- to personal data which is processed by automated means (no paper records); and
- only where the lawful basis for processing is consent or contract.[19]
The phrase ‘provided by’ is not limited to forms completed by the data subject; it covers any information:
- lawfully gathered by the Data Controller in the course of its dealings with the data subjects; or
- generated from observation of the data subject’s activity.
It does not extend to personal data derived or inferred by the Data Controller.
Moreover, Data Processors are contractually obliged to assist Data Controllers with responding to portability requests, and the original Data Controller is not responsible for the receiving Data Controller’s compliance with Data Protection laws.
Another point is that exercising this Right does not automatically lead to the deletion of the concerned data and the data subject can still use the services of the original Data Controller as long as their data is being processed. Furthermore, when exercising the Right to be Forgotten and the Right to Data Portability, the latter cannot be used by the Data Controller as an excuse to delay or refuse the former.
Data Portability & Third-Party Data[20]
One tricky question is what to do if the requested data relates to more than one person, for example:
- an email relates to the sender and the recipient;
- bank details relate to the payer and the payee;
- information in a social media account relates to the individual, to their friends and connections.
This Right shall not adversely affect the rights and freedoms of others. In this regard, the WP29 provides, in its guidelines, that to prevent adverse effects on the third parties involved, processing by another Controller is only allowed to the extent that the data is kept under the sole control of the requesting user, is only managed for purely personal needs and the receiving Controller must not use third party data for his own purposes.
The WP29 further states that Data Controllers should implement tools which enable data subjects to select the data they want to receive, transmit and exclude, which in itself further reduces risks for third parties if their data is included. Additionally, Controllers should implement consent mechanisms, to ease data transmission where third parties are willing to give their consent.
When the Right to Data Portability does not apply
Note that the Right to Erasure is not absolute. The Data Controller may be exempt from actioning such a request depending on the circumstances. If challenged, Organisations must be prepared to defend the decision to apply an exemption to the Supervisory Authority or a court.
Some of these exemptions include:
- where processing is based on a legal ground other than consent or contract; or
- where the processing is necessary for the performance of a task carried out in the public interest or in the exercise of official authority vested in the Controller; or
- when the processing is necessary for the Data Controller’s compliance with a legal obligation; or
- where the personal data is held in physical form.
Right to Object[21]
Data subjects have the Right to Object, at any time, to the processing of their personal data on grounds relating to their particular situation. This includes:
- direct marketing;
- the processing of personal data for scientific or historical research and statistics;
- the processing of data for tasks in the public interest;
- the exercising of official authority vested in the Data Controller;
- objections to data processing in the Data Controller’s or a third party’s legitimate interest;
- objections to data processing based on the data subject’s own beliefs and situations.
If an objection to the use of personal data for direct marketing is received, the Data Controller must immediately halt such processing, including any profiling. This does not mean that the personal data must be immediately deleted; rather, it must be suppressed so that the data subject does not receive any future direct marketing.
Where a valid objection has been made, the Data Controller shall no longer process the personal data unless it demonstrates compelling legitimate reasons to continue processing which override the interests, rights and freedoms of the data subject or for the establishment, exercise or defence of legal claims.
Rights in relation to automated decision making, including profiling[22]
Data subjects have the right not to be subjected to a decision based solely on automated processing, that is, processing carried out without human intervention, which produces legal effects or significantly affects the data subjects.
Automated decision making is only permitted:
- when it is authorised by Union or Member State law;
- when it is necessary for the performance of a contract; and
- with the express consent of the data subject.
The Data Controller shall implement suitable measures to safeguard the data subject’s rights, freedoms and legitimate interests, at least the right:
- to obtain human intervention on the part of the Data Controller;
- to express their point of view; and
- to contest the decision.
Time limit to Reply
The statutory response time is one (1) calendar month starting from the day after the request is received, irrespective of whether it is a working day or not, until the corresponding calendar date of the following month. If there is no corresponding calendar date (because the following month is shorter), the date for response is the last day of the following month. If the corresponding date falls on a weekend or a public holiday, the response may be submitted on the next working day. For practical purposes, if a consistent number of days are required (e.g. for operational or system purposes), it may be helpful to adopt a twenty-eight (28) day period to ensure compliance is always within a calendar month.
The Data Controller may extend the time limit to respond by a further two (2) months, after providing a plausible written justification to the data subject, if the request is complex or a number of requests were received from the particular data subject.
Verification of Identity
In order to maintain the principle of proportionality and to prevent fraudulent removal requests from people impersonating others, or improperly seeking to suppress legal information, before a request is actioned, appropriate steps need to be taken to identify and verify the data subject making the request.
If reasonable doubts as to the identity of the data subject arise, the Data Controller may request any additional information necessary to confirm the identity. The period for responding to the request commences when the Data Controller receives the additional information.
If the Data Controller is not able to verify the identity of the data subject, the Data Controller shall be exempt from the application of the data subject’s rights.
Data Subject Rights are NOT absolute
Other exemptions which may exempt the Data Controller from actioning such request include the following instances where personal data is being processed for the purposes of:
a) national security;
b) defence;
c) public security;
d) the prevention, investigation, detection or prosecution of criminal offences or the execution of criminal penalties, including the safeguarding against and the prevention of threats to public security;
e) other important objectives of general public interest of the Union or of a Member State, in particular an important economic or financial interest of the Union or of a Member State, including monetary, budgetary and taxation matters, public health and social security;
f) the protection of judicial independence and judicial proceedings;
g) the prevention, investigation, detection and prosecution of breaches of ethics for regulated professions;
h) a monitoring, inspection or regulatory function connected, even occasionally, to the exercise of official authority in the cases referred to in points (a) to (e) and (g);
i) the protection of the data subject or the rights and freedoms of others;
j) the enforcement of civil law claims.[23]
Fees
Generally, the Data Controller cannot charge a fee to comply with a request for objection. However, where the request is manifestly unfounded or excessive a “reasonable fee” for the administrative costs of complying with the request may be charged, particularly if it is repetitive e.g. in the event that multiple copies of information are requested.
When a fee is charged, this must be based on the administrative cost for providing the information and the data subject must be promptly informed.
Conclusion
All in all, these expanded rights will, in the process of heightening user control over personal data, create new challenges for Data Controllers to implement systems that are responsive to user requests concerning their data.[24]
[1] <https://www.whitecase.com/publications/article/chapter-9-rights-data-subjects-unlocking-eu-general-data-protection-regulation> accessed 20 May 2019
[2] Article 16 of the General Data Protection Regulation.
[3] <http://gdprandyou.ie/wp-content/uploads/2018/04/Rights-of-individuals-under-the-General-Data-Protection-RegulationAmendedApril.pdf> accessed 20 May 2019
[4] Article 17 of the General Data Protection Regulation.
[5] (n3)
[6] <https://iapp.org/news/a/top-10-operational-impacts-of-the-gdpr-part-6-rtbf-and-data-portability/> accessed 20 May 2019
[7] <https://iapp.org/news/a/top-10-operational-responses-to-the-gdpr-part-7-accommodating-data-subjects-rights/> accessed 20 May 2019
[8] Google Spain v AEPD and Mario Costeja González, Case C-131/12
[9] <https://www.futurelearn.com/courses/general-data-protection-regulation/0/steps/32420> accessed 20 May 2019
[10] <https://www.mycustomer.com/marketing/data/gdpr-and-the-right-to-be-forgotten-how-to-process-requests-for-erasure> accessed 20 May 2019
[11] Article 18 of the General Data Protection Regulation.
[12] <https://cnpd.public.lu/en/legislation/droit-europ/union-europeenne/rgpd/chapitre-3.html#article17> accessed 20 May 2019
[13] (n6)
[14] (n3)
[15] Article 20 of the General Data Protection Regulation.
[16] <https://www.i-scoop.eu/gdpr/right-to-data-portability/> accessed 20 May 2019
[17] ibid.
[18] Dr Yanika Micallef, ‘Don’t Underestimate the Subject Access Request’ (2019) <https://www.linkedin.com/pulse/dont-underestimate-subject-access-request-dr-yanika-micallef/> accessed 20 May 2019
[19] <https://www.twobirds.com/~/media/pdfs/gdpr-pdfs/32--guide-to-the-gdpr-subject-access-rectification-and-portability.pdf?la=en> accessed 20 May 2019
[20] (n16)
[21] Article 20 of the General Data Protection Regulation.
[22] Article 22 of the General Data Protection Regulation.
[23] Article 23 of the General Data Protection Regulation.
[24] Article 12 of the General Data Protection Regulation.