Rights of the data subject

The General Data Protection Regulation (GDPR) offers data subjects who have provided their personal data to your company/organization some very important rights regarding the management of that data.

More specifically, here you can find information on the rights to erasure, rectification, objection and restriction of data processing.

Erasure of personal data

The data subject has the right to ask the controller who has access to their personal data to erase them without undue delay. This right is called the “right to be forgotten” or the “right to erasure”.

The right to erasure of personal data is based on their lawful processing in which all the freedoms and rights of the subject are taken into account.

According to Article 17 of the GDPR, your company’s controller has to erase personal data if:

  1. The data is no longer necessary for the purposes for which it was collected or processed
  2. The data subject withdraws their consent, which was necessary for the processing of their data (for more on this, head over to our article about GDPR consent requirements).
  3. The data subject objects to the processing of their data for reasons relating to their particular situation, unless the controller demonstrates legitimate grounds that override the interests of the data subject
  4. The data has been unlawfully processed
  5. The data has to be erased because keeping it violates the GDPR, Union law or the law of a Member State to which the controller is subject
  6. The data has been collected in relation to the offer of information society services directly to a child. In other words, the data subject consented to the provision of their data when they were a child and now they want to withdraw their consent. The right to erasure is particularly important where the data subject, as a child, was not fully aware of the risks associated with the processing and later wants to stop the processing of their data and, above all, remove it from the internet

Here’s an example…

If you are a user of a social networking site and decide to leave it, you can ask the company to delete your data.

[Screenshot: Twitter’s Privacy Policy about deleting your information]

Of course, even if one of the above cases applies, the data subject can’t have their data erased if the processing is deemed necessary for one of the following reasons:

  1. For exercising the right to freedom of expression and the right to information

    For example: Suppose you search your full name on the internet and the results show a newspaper article written many years ago about an issue that has been settled and is no longer relevant.

    If you are not considered a public figure and your interest in having the article removed outweighs the general public’s right to information, the search engine will have to remove your full name from web pages that lead to those results.

  2. For complying with a legal obligation that requires processing under Union law or the law of a Member State to which the controller is subject or for performing a task carried out in the public interest or while exercising official authority vested in the controller.

    For example: A new bank offers advantageous home loans. You want to buy a house and decide to switch banks. You then ask your former bank to close all your accounts and delete all your personal data.

    However, there is a law that applies to the former bank which requires it to store all customer data for 10 years. Therefore, your former bank can’t delete your data despite your demand due to this legal obligation.

    In this case, you can request the restriction of processing of your data. By doing so, the bank will store the data for the period of time required by law and will not be able to process it in any other way.
  3. For public interest reasons related to health (find out more in our article about sensitive data)

  4. For archiving purposes in the public interest, scientific or historical research purposes or statistical purposes.

    More specifically, the processing should be subject to appropriate safeguards for the data subject’s rights and freedoms in line with the Regulation. Those safeguards should ensure that technical and organisational measures are in place in order to ensure, in particular, the principle of data minimisation (for more information, check out our article on organisational and technical measures).
  5. For establishing, exercising or supporting legal claims

Finally, your company or organisation should set time limits for deleting or reviewing the stored data.

Right to rectification of personal data

If a data subject’s personal data is inaccurate or untrue, they have the right to ask the controller to correct it without undue delay.

Additionally, if, knowing the purposes of the processing, the data subject realises that data important for the processing is missing, they can request your company to complete it, including by providing a supplementary statement.

In any of the cases mentioned above, the company should tell the data subject how they can request correction or completion. For example, it should provide the means to make requests electronically, especially if personal data are processed electronically.

The controller should also be obliged to respond to requests from the data subject without undue delay – within one month at the latest – and to provide reasons when not willing to comply with any such requests.

It’s important that your company informs the data subject that they can exercise their right to rectification of personal data at any time.

Example of Twitter’s privacy policy regarding the right to rectification:

[Screenshot: Twitter’s Privacy Policy about access, correction and portability]

Right to object

The data subject has the right to object, at any time and for reasons relevant to their particular situation, to the processing of their personal data.

If the data subject exercises their right to object, the controller will no longer process their personal data.

However, if the controller demonstrates compelling legitimate grounds for the processing which override the interests, rights and freedoms of the data subject, or the processing is needed for the establishment, exercise or defence of legal claims, then the processing can continue despite the data subject’s objection.

However, in the case of direct marketing (i.e. any action of the company aiming to promote advertising or marketing material to specific individuals), your company is always obliged to stop the processing of personal data if the data subject requests it.

The data subject must be informed of their right to object no later than the first communication with them, clearly and separately from any other information.

Example of Twitter’s privacy policy regarding the right to object:

[Screenshot: Twitter’s Privacy Policy about objecting to, restricting or withdrawing your consent]

Right to restriction of processing

The data subject can ask the controller to restrict the processing if:

  1. The data subject contests the accuracy of the personal data. In this case, processing may be restricted for the period of time it takes the controller to verify the accuracy of the data.
  2. The processing is unlawful and the data subject requests the restriction of the processing instead of the erasure of the personal data.
  3. The controller no longer needs the personal data for the purposes of the processing, but they are required by the data subject for the establishment, exercise or defence of legal claims.
  4. The data subject has objected to the processing under their right to object, and it is still being ascertained whether the legitimate grounds of the controller override those of the data subject.

In case you want to learn more about the act of processing, check out our article on data processing.

But if any of the above cases applies, when can the data still be processed?

According to Article 18(2) of the GDPR, in addition to storage, personal data may be processed if:

  • The data subject has consented
  • The processing is necessary for the establishment, exercise or defence of legal claims.
  • It’s necessary for the protection of the rights of another natural or legal person.
  • It’s necessary for reasons of important public interest of the Union or a Member State.

It is important to note that in cases where the restriction of processing is lifted, the controller must inform the data subject prior to the lifting.

Let’s look at it in practice…

Some of the methods of restricting processing include temporarily moving the selected data to another processing system, making the selected personal data inaccessible to users or temporarily removing published data from a website.

If your company/organisation uses automated filing systems, the restriction of processing should in principle be ensured by technical means in such a manner that the personal data are not subject to any further processing operations and can’t be changed. The restriction of data processing should be indicated in the system.
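
One way an automated filing system could indicate a restriction and enforce it by technical means, including the Article 18(2) exceptions listed above. This is an added illustration, not code from the original article; `PersonalDataStore`, `Ground` and the in-memory storage are hypothetical stand-ins for a real database and access layer.

```python
from dataclasses import dataclass, field
from enum import Enum

class Ground(Enum):
    # The Article 18(2) grounds listed above; plain storage needs no ground.
    CONSENT = "data subject has consented"
    LEGAL_CLAIMS = "establishment, exercise or defence of legal claims"
    RIGHTS_OF_OTHERS = "protection of another natural or legal person"
    PUBLIC_INTEREST = "important public interest of the Union or a Member State"

@dataclass
class Record:
    data: dict
    restricted: bool = False                    # restriction indicated in the system
    audit: list = field(default_factory=list)   # every attempt is logged

class PersonalDataStore:
    """Hypothetical in-memory store; all names here are illustrative."""
    def __init__(self):
        self._records = {}

    def store(self, subject_id, data):
        self._records[subject_id] = Record(dict(data))

    def restrict(self, subject_id):
        rec = self._records[subject_id]
        rec.restricted = True
        rec.audit.append("restricted")

    def read(self, subject_id, purpose, ground=None):
        rec = self._records[subject_id]
        if rec.restricted and not isinstance(ground, Ground):
            rec.audit.append(f"denied read: {purpose}")
            raise PermissionError(f"processing restricted: {purpose}")
        rec.audit.append(f"read: {purpose}")
        return dict(rec.data)                   # copy, so callers cannot edit in place

    def update(self, subject_id, changes):
        rec = self._records[subject_id]
        if rec.restricted:                      # restricted data can't be changed
            rec.audit.append("denied update")
            raise PermissionError("restricted data cannot be changed")
        rec.data.update(changes)

    def lift(self, subject_id, subject_informed):
        rec = self._records[subject_id]
        if not subject_informed:                # inform the data subject before lifting
            raise PermissionError("inform the data subject before lifting")
        rec.restricted = False
```

The audit list gives the controller a record of every denied attempt, which helps when responding to the data subject or a supervisory authority.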

Author

Eleni Kostakoglou
Lawyer