GDPR Data Subject Rights - What You Need to Know
2 likes2,183 views
The document outlines the rights of data subjects under the General Data Protection Regulation (GDPR), including rights to access, erasure, rectification, and restriction of data processing. It emphasizes the responsibilities of data controllers to provide accurate information and to comply with requests related to personal data. Additionally, it highlights potential penalties for non-compliance and provides resources for further information on GDPR implications.
GDPR Data Subject Rights - What You Need to Know
- 1. Data Subject Every person is considered a Data Subject: citizens, consumers, customers, business partners, employees, you and me. Your company. You are controlling, reviewing, comparing and aggregating data about your customers (e.g. web analytics data). Data Controller Any information relating to an identified or identifiable natural person (in other words: the Data Subject). Personal data Right of access Right to erasure The purpose of processing. Categories of personal data. Recipients of the data. A copy of the collected personal data. Data Controllers have to provide Data Subjects: Data Subjects can request correction of their data if they see it is not accurate or truthful. Data Controllers have to erase or rectify (fix / adjust) inaccurate or incomplete data. Why the Data Controller is processing the data. What categories of data are being processed. Whether the Data Controller is processing their data. Will the Controller share their data and with who. How long the data will be stored. That they have the right to erasure, rectification, restriction of processing, and to object to processing. That they have the right to complain to the Data Protec- tion Authority (DPA). If there is automated processing that has a significant effect on them. Data Subjects have the right to know: The data was collected unlawfully. The time limit for the storage of the data has expired. The Data Subject objects to their personal data being pro- cessed. The data was collected when the Data Subject was a child. The purpose of collecting and processing data has changed. Erasure is necessary to comply with EU or Member State law. Personal data has to be removed within ONE MONTH when: Right to restrict processing They contest the accuracy of the data. The processing is unlawful and they request restriction. The controller no longer needs the data for their original purpose, but the data is still required by the controller to establish, exercise or defend legal rights. There is an erasure request and the Data Controller is verifying it. Data Subjects can stop Data Controllers from performing specific actions with their data (the Controller may only hold the data or use it for limited purposes). Data Subjects can restrict the processing of their personal data if: IMPORTANT : The Data Controller has to ensure that all distributed personal data was removed. Even the data that was processed by 3rd parties! Right to rectification The General Data Protection Regulation comes into effect on May 25th 2018 and introduces a list of Data Subjects’ rights to protect internet users. Learn how Data Controllers can ensure these rights and avoid severe fines, as high as €20m or 4% of your company’s yearly turnover. Resources: The Final Text of the GDPR Including Recitals https://gdpr-info.eu/ 5 GDPR Rights With Serious Technical Consequences https://goo.gl/Jvgz5L How Will GDPR Affect Your Web Analytics Tracking? https://goo.gl/JCZkKs Bird & Bird: Guide to the General Data Protection Regulation https://goo.gl/kwwNqH Chapter 9: Rights of data subjects – Unlocking the EU General Data Protection Regulation https://goo.gl/ud2crx Right to data portability Provide the Data Subject’s personal data in a usable, transferable format for further use. Such information must be provided free of charge. BUT! The Data Controllers can protect themselves from Data Subjects requesting data over and over again with no real reason by imposing an acceptable fee for each particular request subject. Right to object to processing Compelling legitimate grounds for the processing which override the interests, rights and freedoms of the Data Subject. That the processing requires the data for the establishment, exercise or defense of legal rights. The right to object to direct marketing is absolute and the Data Controller must cease such processing. In other cases the Controllers must cease such processing unless they can demonstrate: Processing based on legitimate interests (e.g. public interest). Processing for purposes of scientific/historical research and statistics. Direct marketing (including profiling). Data subjects have the right to object to the processing of personal data including: NO