The rights of the Data Subjects under the GDPR.
The Rights of Data Subjects.
The GDPR strengthens the already existing rights of the Data Subjects under the Data Protection Directive (officially Directive 95/46/EC) and also creates new rights for the Data Subjects.
The rights of the Data Subjects under the GDPR are:
-The right to be informed
-The right of access
-The right to rectification
-The right to erasure
-The right to restrict processing
-The right to data portability
-The right to object
-The right to lodge a complaint with a supervisory authority
Right to be informed.
Data Subjects under Articles 13 and 14 of the GDPR have the right to be informed about the collection and use of their personal data.
Controllers must provide data subjects with information including, among other things, their purposes for processing the personal data, their retention periods for that personal data, and who it will be shared with. Controllers must provide this information to data subjects at the time they collect the personal data from them. However, if controllers obtain personal data from other sources, they must provide data subjects with privacy information within a reasonable period of obtaining the data and no later than one month.
Note that there are a few circumstances, which are stated in Article 14 of the GDPR, when controllers do not need to provide people with privacy information, such as if an individual already has the information or if it would involve a disproportionate effort to provide it to them.
Right to Access.
The right of access, commonly referred to as subject access, gives data subjects the right to obtain a copy of their personal data as well as other supplementary information.
Data subjects can request access to their personal data. The controller or the processor shall provide information on action taken on a request to the data subject without undue delay and in any event within one month of the request. That period may be extended by two further months; however, the controller must inform the data subject of the reasons for the delay.
Right of Rectification and Erasure.
In case a data subject receives a copy of the personal data on him or her from the controller, the data might be incorrect. In that case the data subject can demand rectification.
Data subjects have the right to have their data ‘erased’ in certain cases. Such a case will usually be when the processing fails to satisfy the requirements of the GDPR.
Note that the right to erasure has effect only where consent is needed as the legitimate ground for processing. If the controller has a legal basis or a legal obligation under another relevant law to retain the personal data, then data subjects cannot exercise their right to erasure.
The Right to Restriction of Processing.
Data subjects have the right to restrict the processing of their personal data in certain circumstances. This means that an individual can limit the way that an organisation uses their data. This is an alternative to requesting the erasure of their data.
Data subjects have the right to request controllers to restrict the processing of their personal data in the following circumstances:
-the individual contests the accuracy of their personal data and the controller is verifying the accuracy of the data;
-the data has been unlawfully processed and the individual opposes erasure and requests restriction instead;
-the controller no longer needs the personal data but the individual needs the controller to keep it in order to establish, exercise or defend a legal claim; or
-the individual has objected to the controller processing their data under Article 21(1), and the controller is considering whether its legitimate grounds override those of the data subject.
It is important to note that controllers or processors must notify the data subject before lifting a restriction.
The Right to Data Portability
Data subjects have the right to receive the personal data or to transfer their personal data between controllers.
This right will make it easier for customers/data subjects to switch to another supplier. The controller must allow account information to be transferred to a competitor.
The right to data portability does not apply to processing necessary for the performance of a task carried out in the public interest or in the exercise of official authority vested in the controller.
The Right to Object.
A controller must have a lawful basis for processing personal data. Where that lawful basis is either ‘public interest’ or ‘legitimate interests’ (including profiling), data subjects may have a right to object to such processing.
The GDPR requires the organization to demonstrate that it either has compelling grounds for continuing the processing, or that the processing is necessary in connection with its legal rights. If it cannot demonstrate that one of these applies, it must cease that processing activity.
The Right to Lodge a Complaint with a Supervisory Authority.
Data subjects have the right to lodge a complaint concerning the processing of their personal data with the supervisory authority in the member state where they live, or in the member state where the alleged infringement occurred.