Rights of data subjects – learn more


The GDPR aims to protect confidentiality and the fundamental rights and freedoms of natural persons. Therefore, it provides means which allow data subjects to keep control over the processing activities concerning their personal data. In addition to the rights in force under the former legislation, there are new rights which are not so easy to deal with. Let’s look at each right in detail, with some examples.

Right of access by the data subject

Data subjects have the right to know whether there is a processing activity concerning their personal data and to obtain information on:

a. purposes of the processing, which may consist of the fulfilment of orders or execution of contractual obligations, accounting purposes, marketing purposes, or the provision of health services

b. categories of personal data, such as identification data, data concerning health

c. recipients or categories of recipients to whom the personal data have been or will be disclosed, in particular recipients in third countries or international organisations: data may be passed on to public bodies for their institutional activities or to consultancy firms in case of processing of employees’ data to comply with employment laws and work agreements

d. where possible, envisaged period for which the personal data will be stored, or, if not possible, criteria used to determine that period: for example, billing data shall be stored for ten years to comply with tax laws in force in Italy

e. existence of the right to request rectification or erasure of personal data or restriction of processing of personal data or to object to such processing: it may consist of the rectification of data which are out of date or inaccurate

f. right to lodge a complaint with a supervisory authority: it is a right introduced by the GDPR which allows data subjects to directly contact the supervisory authority, without a prior request to the controller, in order to exercise their data protection rights

g. where the personal data are not collected from the data subject, any available information as to their source: for instance, where data are obtained from phone directories or provided by third parties

h. existence of automated decision-making, including profiling, and, at least in those cases, meaningful information about the logic involved, as well as the significance and the envisaged consequences of such processing for the data subject: profiling may be carried out for marketing purposes (such as retargeting), using profiling cookies installed by a website.

Right of rectification

The person has the right to request the rectification of personal data which are inaccurate, «without undue delay», and, where applicable, to provide additional information to complete data which are incomplete.

Right to erasure (right to be forgotten)

The person has the right to obtain the erasure of personal data «without undue delay» and the controller is obliged to erase personal data «without undue delay» if:

a. the personal data are no longer necessary in relation to the purposes for which they were collected or otherwise processed: if the person signs up to an on-line service and then withdraws the registration, there is no longer any purpose for processing the data and they have to be erased

b. the data subject withdraws consent on which the processing is based and there is no other legal basis for processing: once consent is withdrawn, if there is no other legal basis which makes data processing lawful, data shall no longer be processed and have to be erased

c. the data subject objects to the processing and there are no overriding legitimate grounds for the processing, or objects to the processing carried out for marketing activities, including profiling: by objecting to processing, the data subject expresses the desire to no longer accept that data are processed for the purposes for which they have been provided and, so, the controller has to erase them

d. the personal data have been unlawfully processed: it is obvious that if processing is unlawful, data shall not be processed in any way and shall be erased from any filing system available

e. the personal data have to be erased for compliance with a legal obligation in the European Union or Member State law to which the controller is subject: the erasure is required by law which the controller must comply with

f. the personal data have been collected in relation to the offer of information society services directly to a child (16 years old under the GDPR; 14 years old under the Italian legislation) on the basis of consent: unless the requirements of the GDPR are met, children’s data shall not be processed

Where personal data have been made public, the controller is obliged to erase such personal data, and, if feasible, has to inform controllers which are processing such personal data that the data subject has requested the erasure by such controllers of any links to, or copy or replication of, those personal data.

Right to restriction of processing

The person has the right to request that the controller shall process data only for limited purposes.

This right can be exercised if one of the following conditions applies:

a. the accuracy of the personal data is contested by the data subject, for a period enabling the controller to verify the accuracy of the personal data: during the investigation, data shall not be processed for other purposes

b. the processing is unlawful and the data subject opposes the erasure of the personal data and requests the restriction of their use instead: even though the erasure is not requested (right to be forgotten), the person can ask that data are processed only for specific uses

c. the controller no longer needs the personal data for the purposes of the processing, but they are required by the data subject for the establishment, exercise or defence of legal claims: therefore, the person requests not to erase personal data from the filing systems, but to store them to exercise rights in court

d. the data subject has objected to processing and is waiting for the verification whether the legitimate grounds of the controller override those of the data subject: during the investigation, data shall not be processed until the controller informs the person on the legitimate interest which is the legal basis for processing.

Notification obligation regarding rectification or erasure of personal data or restriction of processing

The controller shall communicate any rectification or erasure of personal data or restriction of processing requested by the data subject to each recipient to whom the personal data have been disclosed, unless this proves impossible or involves disproportionate effort. The controller shall inform the data subject about those recipients if the data subject requests it.

Right to data portability

In Italy this right was already in force in case of specific business activities of the controller. The GDPR extends this right regardless of the controller’s activity. The data subject shall have the right to receive the personal data provided to a controller, in a structured, commonly used and machine-readable format and the person shall have the right to transmit those data to another controller without hindrance from the controller to which those personal data have been provided. This right can be exercised only if the processing is based on consent or on a contract and, at the same time, the processing is carried out by electronic means. The person can ask for the transmission of data directly from one controller to another, where technically feasible and, of course, data transmission shall not adversely affect other persons’ rights. This means that other persons’ data shall be excluded from the transmission.

Right to object

The data subject shall have the right to object, at any time, to processing of personal data, including profiling. The controller shall no longer process the personal data unless it demonstrates compelling legitimate grounds for the processing which override the interests, rights and freedoms of the data subject or for the establishment, exercise or defence of legal claims. Where personal data are processed for direct marketing purposes, the data subject shall have the right to object at any time to processing of personal data for such marketing, which includes profiling to the extent that it is related to such direct marketing. The controller shall no longer process data for such purposes. The right to object shall be presented to the person clearly and separately from any other information, at the latest at the time of the first communication with the data subject.

Automated individual decision-making, including profiling

The data subject shall have the right not to be subject to a decision based solely on automated processing, including profiling, which produces legal effects concerning the person or similarly significantly affects the person. This right shall not apply if profiling is necessary for entering into, or performance of, a contract between the data subject and the controller or if it is authorised by Union or Member State law to which the controller is subject or if it is based on the data subject’s explicit consent. The person shall have the right to obtain human intervention on the part of the controller, to express a point of view and to contest the decision. This right is often jointly exercised with the right to object to processing for direct marketing purposes carried out with profiling.

How to deal with data subjects’ rights

The GDPR aims to protect data subjects’ fundamental rights and freedoms, and it must be ensured that the person can easily control the processing carried out on personal data. In this framework, the controller shall put in place adequate measures to facilitate the exercise of data subjects’ rights and to provide any information requested by the person. Any communication shall be given in concise, transparent, intelligible and easily accessible form. Any information shall be provided in writing or by other means, including electronic means. If the request is submitted by electronic means (e.g. e-mail), any information shall be provided by electronic means, where feasible, unless the data subject has otherwise requested. Upon the data subject’s request, information may be provided orally, provided that the person’s identity is proven by other means, unless the controller demonstrates that it is not in a position to identify the person: note that the person who can exercise the rights is the person to whom the data relate. The data subject has the right to mandate a not-for-profit association active in the field of the protection of data subjects’ rights to exercise the rights on the data subject’s behalf. So, the controller is obliged to ascertain the identity of the data subject who intends to exercise the rights granted by the GDPR: if it is not in a position to identify the data subject, the controller may request additional information necessary to confirm the identity of the data subject.

The previous legislation on data protection allowed the controller to reply to the data subject’s requests within fifteen days: the GDPR, instead, requires that the controller shall provide the information requested and details on the actions taken to the data subject «without undue delay» and in any event «within one month of receipt of the request». That period may be extended «up to three months» where necessary, taking into account the complexity and number of the requests. In such a case, the controller shall inform the person «within one month of receipt of the request», explaining the reasons for the delay. Moreover, if the controller does not take action on the request of the person, the controller shall inform the data subject, «without delay and at the latest within one month» of receipt of the request, of the reasons for not taking action and of the possibility of lodging a complaint with a supervisory authority and seeking a judicial remedy.

Any information provided shall be free of charge and the requests can be submitted by any means. On the other hand, where the requests are manifestly unfounded or excessive, in particular because of their repetitive character, the controller may charge a reasonable fee: this fee shall take into account only the administrative costs of providing the information or taking the action requested. As an alternative, the controller may refuse to take action on the request. In compliance with the principle of accountability, the controller shall bear the burden of demonstrating the manifestly unfounded or excessive character of the request.

It is a good practice to implement a procedure to deal with data subjects’ rights, so that every question receives an exhaustive answer, where feasible by structuring the answers to follow the list of questions, so that no part of the request is left unsatisfied. At the same time, the filing system needs to be equipped with procedures which allow the requests and the actions taken to be recorded.

Right to lodge a complaint with a supervisory authority and effective judicial remedy against a supervisory authority

The person who considers that data processing infringes the GDPR shall have the right to lodge a complaint with a supervisory authority: in particular, in the Member State where the person lives or works or where the alleged infringement of the GDPR has taken place. This means that a data subject living in Italy does not necessarily have to lodge the complaint with the Italian supervisory authority; for instance, if the data subject considers that the infringement has taken place in France, the person can lodge the complaint with the French supervisory authority. This procedure complies with the principle of cooperation among the supervisory authorities of the Member States, which the GDPR strongly emphasises. The Italian supervisory authority has released a template to lodge a complaint: it can be downloaded at the URL https://www.garanteprivacy.it/web/guest/home/docweb/-/docweb-display/docweb/4535524&zx=e0yn0riezmmw and sent to protocollo@pec.gpdp.it.

The supervisory authority shall inform the complainant on the progress and the outcome of the complaint «within three months» including the possibility of a judicial remedy.

In fact, any natural or legal person has the right to an effective judicial remedy against a binding decision of the supervisory authority: proceedings against a supervisory authority shall be brought before the courts of the Member State where the supervisory authority is established, but may also be brought before the courts of the country where the data subject lives. Proceedings against the supervisory authority may be brought when the supervisory authority has not handled the complaint or has not informed the data subject of the progress or the outcome of the complaint «within three months».

As an alternative to the complaint lodged with the supervisory authority, the person may exercise the right to an effective judicial remedy against the controller or the processor, where the person considers that data processing infringes rights. Proceedings against the controller or the processor shall be brought before the courts of the Member State where the controller or the processor has its establishment. Proceedings against the controller or the processor may be also brought before the courts of the country where the person lives.

It should be noted that the person has the right to mandate a not-for-profit body, organisation or association active in the field of data protection, to lodge a complaint on the person’s behalf and to exercise the rights granted by the GDPR, including the right to receive compensation.

Right to compensation

It is remarkable that the data subject who has suffered material or non-material damage as a result of an infringement of the GDPR has the right to receive compensation from the controller or the processor for the damage suffered. Each controller involved in data processing shall be liable for the damage directly caused by processing which infringes the GDPR. A processor shall be liable for the damage caused by processing only where it has not complied with the provisions of the GDPR specifically directed to processors or where it has acted outside or contrary to the lawful instructions received from the controller. The controller or the processor shall be exempt from liability if it proves that it is not in any way responsible for the event giving rise to the damage: this point is very relevant, as it calls for the need – and the obligation – to comply with the accountability principle, which requires meeting all the principles relating to the processing of personal data and demonstrating adherence to those principles by putting in place appropriate documented procedures and processes. This certainly makes it easier to produce documents useful for dealing with data subjects’ complaints and, most of all, for cooperating with the supervisory authorities in case of their investigations and controls.

Apart from any provisions set out in national laws on the matter of judicial remedy for data protection, the GDPR grants the data subject the right to receive compensation for the damage suffered as a result of unlawful processing. The controller or the processor shall be held liable for the entire damage, in order to ensure effective compensation of the data subject. However, the controller or the processor shall pay for the part of the compensation corresponding to its part of responsibility for the damage. The processor shall pay compensation to the data subject for its direct infringement. Where a controller or processor has paid full compensation for the damage caused, that controller or processor shall be entitled to claim back from the other controllers or processors involved in the same processing that part of the compensation corresponding to their part of responsibility for the damage. To clarify this point: a controller which has paid full compensation, also on behalf of the other controllers and processors involved in the same processing which have caused damage, has the right to seek recourse against those other controllers and processors for the part of the damage they have caused.

Court proceedings for exercising the right to receive compensation shall be brought before the courts competent under the law of the Member State where the controller or the processor has an establishment or where the data subject lives.

Tiziana Minella - Via Vittoria Colonna, 32 - 10155 Torino (TO - Italy) - VAT IT03152590018 - mob. +39 366.4761338 - + 39 338.6626635