The Rights of Data Subjects – Articles 12 – 23 of the GDPR

Who is a Data Subject under the GDPR?

Data Subjects are identifiable natural persons in the European Union. They are “Identifiable” if they can be identified, directly or indirectly, by a name, email address, location information or other identifying information, and they are “Natural Persons” if they are alive, and if they are persons, not companies. It is a very broad definition that covers anyone living in the European Union for an extended period of time.

What are a Data Subject’s Rights?

Data Subjects have eight main rights under the GDPR. These rights center around giving Data Subjects knowledge of and control over the information that is collected about them.  The 8 Rights of Data Subjects are:

  • The right to transparency about what data is collected, how it is used and stored, and about what the Data Subject’s other seven rights are. This information should be provided in a clear, concise and easily readable privacy notice.
  • The right to access the personal data
  • The right to rectify personal data that is incorrect or outdated
  • The limited right to have their personal data erased (“the right to be forgotten”)
  • The limited right to restrict processing
  • The right to obtain copies of their data or have their data ported to another company
  • The limited right to object to the processing
  • The right to not be subject to solely automated decision-making that affects the Data Subject.

Exercising these rights should be free of cost to the Data Subjects to the extent possible. Companies should make it easy for Data Subjects to exercise their rights electronically, such as through their online account. Companies should be prepared to respond to Data Subjects’ requests without undue delay and at least within 30 days. If the company cannot or will not comply with a request because of a restriction or because the particular right does not apply in that circumstance, the company should still respond and provide the reason that the request is denied.

Read full article (via www.talacka.com).

Are there limits to a Data Subject’s Rights?

Not all of these rights are absolute, and some depend on the purposes for the processing. If processing is solely for marketing purposes, all of these rights kick in. Online advertisers and their partners need to be especially careful about the chain of custody and their use of Data Subjects’ personal information, and as laws like the California Consumer Protection Act come to the United States, American citizens are also gaining rights like these. These rights can also be restricted by other national laws or if the personal data is being processed for health and safety or security reasons.

In other circumstances where the company has a different purpose for processing the personal data, determining which rights a Data Subject has is a bit of a matrix. If companies are clear on the purpose of processing, it will be easier to determine which Data Subject rights apply in each case. In all cases, though, the risk to the Data Subject must be given priority in determining the balance of risks in processing personal information or responding to a Data Subject request.

Contact us for help in setting up a request response system or determining how to respond to a customer request about their personal information.