GDPR Rights

Right of Access

Defined in Article 15, Right of Access is one of the data subject rights covered in Chapter 3 of the General Data Protection Regulation (GDPR).

Right of Access Summary

  • Organizations are required to provide data subjects a copy of their processed personal data upon request
  • Commonly referred to as subject access
  • Authorization, erasure, a guarantee of completeness and accuracy of content and extent of processing are examples of the reach and applicability of the Right of Access
  • Data subjects can request subject access to an organization either verbally or in writing
  • Organizations need to respond to subject access requests without undue delay and within one month upon receiving the request; exemptions involving complex or numerous requests from an individual data subject may extend response time by an additional two months
  • Delivery of information must be concise, intelligible, and in an easily accessible form, using clear and plain language

Business Considerations for Organizations to Understand

What are the steps for you to answer right of access requests?

The initial step in answering subject access requests is to verify whether the organization is in possession of any personal data pertaining to the data subject. Verification is often done using data discovery tools, especially for organizations processing large amounts of data. Once verified, the organization can begin collecting the information required to satisfy the subject access request, often with the assistance of software tools for processing data subject requests to ensure the accuracy of information gathered. Lastly, the organization needs to deliver the information to the data subject in a concise, intelligible, and easily accessible form, using clear and plain language.

What information is required for you to respond to a data subject access request?

The right to access entitles data subjects to the following information from an organization (from the organization’s data controller):
  • Confirmation that the organization is processing their personal data
  • A complete and clear copy of the personal data collected
  • Additional supplementary information corresponding to information disclosed in any privacy notice(s) of the organization

What are some examples of supplementary information?

Organizations should have already disclosed any supplementary information required as part of a subject access request within an organization’s privacy notice. Below are examples of the supplementary information associated with the right of access requests:
  • Organization’s purpose for processing personal data
  • Categories of personal data concerned
  • Recipients or categories of recipients an organization discloses personal data to
  • Retention period for storing personal data, if applicable, or criteria for determining how long the organization will store the personal data
  • Existence of data subject’s right to request rectification, erasure, restriction or objection to processing
  • Data subject’s right to lodge a complaint with a local supervisory authority
  • Information about the source of data if it was not obtained directly from the data subject
  • Existence of automated decision-making, including profiling
  • If applicable, safeguards the organization provides for transferring personal data to a third country or international organization

Right to Erasure

Defined in Article 17, Right to Erasure is one of the data subject rights covered in Chapter 3 of the General Data Protection Regulation (GDPR).

Right to Erasure Summary

  • Right to erasure introduces an individual’s rights to request deletion of their personal data
  • Right to erasure is also referred to as the right to be forgotten
  • This is not an absolute right and only applies in certain circumstances
  • Requests for erasure can be made verbally or in writing
  • Erasure requests to an organization (data controller) must be processed without undue delay and within one month from when the request is received
  • Exceptions apply to extend an organization’s response by an additional two months

Business Considerations for Organizations to Understand

When does the right to erasure apply?

The GDPR provides that individuals have the right to have their personal data erased if:
  • the personal data is no longer necessary for the purpose which you initially collected or processed it for
  • you are relying on consent as your lawful basis for holding the data, and the individual withdraws their consent
  • you are relying on legitimate interests as your basis for processing when the individual objects to the processing of their data and there is no overriding legitimate interest to continue this processing
  • you are processing the personal data for direct marketing purposes and the individual objects to that processing
  • you have processed the personal data unlawfully (i.e., in breach of the lawfulness requirement of the first principle)
  • you have to do it to comply with a legal obligation
  • you have processed the personal data to offer information society services to a child

When does the right to erasure not apply?

The right to erasure does not apply if processing is necessary for one of the following reasons:
  • to exercise the right of freedom of expression and information
  • to comply with a legal obligation
  • for the performance of a task carried out in the public interest or exercising official authority
  • for archiving purposes in the public interest, scientific research, historical research or statistical purposes, where erasure is likely to render impossible or seriously impair the achievement of that processing
  • for the establishment, exercise or defense of legal claims
  • for certain specific cases concerning public health and health practitioners

Does personal data need to be erased from backup systems?

If an organization receives a valid request for erasure and no exemptions apply, it must take steps to extend erasure to any backup systems, in addition to live systems, where the individual’s data is stored. However, this depends on the organization’s particular circumstances, including its retention schedule (particularly for backup systems) and the technical mechanisms available to perform the erasure. The organization must be transparent with data subjects about specifically what will happen to their data once the erasure request is fulfilled. Transparency matters because an organization may remove data from its live systems to satisfy the request within the allotted time, yet leave the data in its backup environment for a more extended period, until it is systematically overwritten with newer data. In such situations, it is vital to ensure that data remaining in backup systems is not used for any purpose and is retained only for a limited amount of time.

Right to Object

Defined in Article 21, Right to Object is one of the data subject rights covered in Chapter 3 of the General Data Protection Regulation (GDPR).

Right to Object Summary

  • Right to object allows data subjects to send organizations requests to stop processing their personal data in certain circumstances
  • Data subjects must give specific reasons why they are objecting to the processing of their data. These reasons should be based upon their particular situation
  • Organizations must disclose to data subjects their right to object to processing; this is often communicated within their privacy notice
  • Right to object requests can be made to an organization verbally or in writing
  • Objection requests must be handled, by an organization (data controller), without undue delay and within one month after receiving the request
  • Exceptions apply to extend an organization’s response by an additional two months

Business Considerations for Organizations to Understand

What are the steps for answering right to object requests?

The initial step in answering right to object requests is to verify whether the claims for objection are legitimate. If verified, the organization must ensure processing is stopped for any legitimate claims made within the request. Once complete, notification to the data subject should be made, confirming the actions made in response to their request.

How does the right to object apply to processing personal data for direct marketing purposes?

If an organization is processing personal data for direct marketing, the data subject has an absolute right to object to the processing of their data. There are no exemptions or grounds for an organization to refuse a request to stop processing personal data for direct marketing. The same absolute right covers any profiling related to the direct marketing the organization is carrying out. However, this does not mean an organization is forced to erase the data subject’s information. Instead, an organization can suppress their details, using techniques such as pseudonymization or organizational practices such as data minimization, to ensure the data subject no longer receives direct marketing in the future.

How does the right to object apply to processing based upon public task or legitimate interests?

Similar to the case of direct marketing, an individual has the right to object to the processing of their personal data if an organization is using the data for research or statistical purposes. However, unlike direct marketing, the right is not absolute. Some exceptions and requirements apply:
  • data subjects may object to the processing of their personal data if the legal basis the organization relies upon is legitimate interests or a public task (either performing a task carried out in the public interest or exercising official authority vested in the organization)
  • when applying their right to object for the purposes above, the data subject must provide specific reasons why they are objecting to the processing of their personal data, based upon their particular situation
However, since the above-mentioned purposes do not guarantee an absolute right to object, an organization can continue processing the personal data if:
  • it can demonstrate compelling legitimate grounds for processing the data which override the interests, rights and freedoms of the individual
OR
  • the processing is necessary for the establishment, exercise or defense of legal claims
In such a case, the individual must provide specific reasons why they are objecting to the processing, based upon their particular situation. Additionally, an organization may continue processing personal data if it can demonstrate compelling legitimate grounds for the processing which override the interests and rights of the individual, or that processing the personal data is necessary for the establishment, exercise or defense of legal claims.

How does the right to object apply to research or statistical purposes?

If processing is for scientific or historical research or statistical purposes, individuals have only highly limited rights to object. As long as an organization applies appropriate safeguards while processing for research purposes as mentioned above, such as data minimization or pseudonymization, the data subject’s right to object is only legitimate if the lawful basis for processing is either:
  • a public task, specifically on the basis that it is necessary to exercise the official authority granted to the organization
OR
  • legitimate interests
This distinction is critical when compared to either the cases of general purposes based upon public tasks or of legitimate interests since the GDPR omits specifying the lawful basis for public entities performing tasks carried out in the public interest. This distinction can confuse organizations and generate risk to them because it may not always be clear whether the basis for tasks is solely in the public interest or for the exercise of official authority. Differentiating between the two may be difficult. For this reason, organizations relying upon the public task lawful basis to continue processing personal data should give deference to the data subject’s reason for objection rather than pursue a lawful basis to continue processing.

Right to be Informed

Defined in Article 13 and Article 14, the Right to be Informed is one of the data subject rights covered in Chapter 3 of the General Data Protection Regulation (GDPR).

Right to be Informed Summary

  • Individual data subjects have the right to be informed about the collection and use of their personal data
  • Information an organization provides data subjects must be readily accessible, delivered in clear and plain language
  • If an organization plans to further process the personal data for purposes other than those for which the data was initially obtained, the organization needs to inform the data subject prior to any additional processing
  • There are clear distinctions, and obligations, between personal data collected directly from the data subject (Article 13) and personal data collected indirectly (Article 14)
  • Closely related to the lawfulness, fairness and transparency principle and the purpose limitation principle

Business Considerations for Organizations to Understand

Right to be informed applies to:
  • personal data you sell or process in transactions with other organizations
  • personal data you buy or process in acquisitions from organizations
  • publicly accessible personal data you process
  • personal data processed using Artificial Intelligence and other treatments and sources

If personal data is collected directly from the data subject, the organization must inform the data subject at the time of the collection. If personal data is collected from other sources, not directly from the data subject, the organization must inform the data subject within a reasonable amount of time, but no later than one month from when the data was collected.

The privacy information an organization needs to provide data subjects depends on the manner in which the personal data was collected. The items listed below are the privacy information to provide; which items apply to personal data collected directly from the individual (Article 13), to personal data collected indirectly (Article 14), or to both, follows from the manner of collection, and the organization provides them using one or more of its techniques.
  • Organization’s name and contact information
  • Name and contact details of representative (if applicable)
  • Name and contact details of DPO (if applicable)
  • Purpose of the processing
  • Lawful basis for the processing
  • Legitimate interests for the processing
  • Categories of personal data obtained
  • Recipients or categories of recipients of the personal data
  • Details of transfers of the personal data to any third countries or international organizations
  • Retention periods for the personal data
  • Data subject rights available to individuals in respect of the processing
  • Right to withdraw consent
  • Right to lodge complaints with a supervisory authority
  • Source of the personal data
  • Details of whether individuals are under a statutory or contractual obligation to provide the personal data
  • Details of the existence of automated decision-making, including profiling

How should you provide privacy information to data subjects?

There are numerous techniques by which an organization can provide data subjects with privacy information, such as:
  • Layered — usually short notices containing key privacy information that expand into additional layers containing detailed information
  • Dashboards — management tools informing data subjects how their information is used, with preference controls to manage what data they allow the organization to process
  • Just-in-time notices — relevant and targeted privacy information delivered at the time personal data is collected from the data subject
  • Icons — small, meaningful, symbols that indicate the existence of a particular type of data processing
  • Mobile and smart device functionalities — includes pop-ups, voice alerts and mobile device gestures
Depending on the context and resources, organizations can choose to deliver privacy information using a single technique or multiple techniques among those above. However, a multi-technique approach is preferred and is often the most effective way of providing privacy information to data subjects.

Right to Rectification

Defined in Article 16, Right to Rectification is one of the data subject rights covered in Chapter 3 of the General Data Protection Regulation (GDPR).

Right to Rectification Summary

  • Data subjects have the right to have inaccurate personal data rectified
  • Data subjects also have the right to have incomplete personal data completed, depending on the purpose of the processing; this may involve the individual providing a supplementary statement to the incomplete data
  • Requests for rectification can be made to organizations (data controllers) either verbally or in writing
  • Rectification is often based upon resulting information from an individual’s prior subject access request
  • Right to rectification requests must be handled, by an organization (data controller), without undue delay and within one month after receiving the request
  • This right is closely related to the obligations under the accuracy principle (Article 5) of the GDPR

Business Considerations for Organizations to Understand

What are the steps you take in answering right to rectification requests?

The initial step in answering right to rectification requests is to verify the accuracy, or completeness, of the personal data in question. Verification is often managed using data discovery tools, especially for organizations processing large amounts of data. If it is determined that the data in question justifies rectification, the organization must rectify it across all areas within the organization where the data is present and captured incorrectly. This task is daunting and complicated to manage manually, and so is often executed with technical solutions for handling data subject requests. Lastly, the organization needs to respond to the data subject in a timely way with the resulting actions based on their request.

How do you determine the accuracy of personal data?

Unfortunately, the GDPR does not define how to determine the accuracy of information. However, under the earlier law, the Data Protection Act of 1998, personal data is deemed inaccurate if it is incorrect or misleading as to any matter of fact. That definition provides a baseline for organizations when justifying rectification for inaccuracies; however, other factors should be taken into account, too. Organizations should consider the arguments and evidence provided by the data subject. Additionally, understanding the nature of the personal data is an essential element in addressing inaccuracies. Some rectification requests may result from records that are opinions rather than factual data. The accuracy of opinions is difficult to assess because opinions are subjective by nature. However, as long as the organization applies clear criteria for recording personal data as opinion and, where appropriate, records whose opinion it is, it may have a legitimate basis to continue processing the data despite a data subject’s claim of inaccuracy, should it prefer or need to do so.

How do you prevent right to rectification requests?

Good data governance and management can guard against unreasonable rectification requests. In particular, an important step against challenges to opinion data is to consistently record any data which is opinion accurately and, where appropriate and possible, with a record of whose opinion it is. Additionally, periodic widespread data reviews can prevent future urgent rectifications prompted by data subject requests.

Right to Restrict Processing

Defined in Article 18, Right to Restrict Processing is one of the data subject rights covered in Chapter 3 of the General Data Protection Regulation (GDPR).


2025 MD11 ict engineering & consulting