This article will teach you:
- Who has data subject rights under the GDPR
- What data subject rights does the GDPR grant to users
- How they can exercise these rights
- What businesses have to do if approach by a user who wants to exercise a right
- What are the consequences of non-compliance with a data subject request
In terms of comprehensive data protection, you can divide the history on times before the GDPR and times after the GDPR.
The landmark EU regulation was one the first to grant internet users with extensive data privacy rights as well as tools to protect themselves. It has major influence on governments all around the world, so most of the data protection laws being passed since the GDPR tend to be similar to the EU law.
Among other things, it means that the recent privacy laws grant users extensive data protection rights.
But before diving into that, you need to understand the difference between the data controller, data processor, and data subject, because we will be using these terms onward.
Data controller is the business that collects personal data.
Data processor is the business that processes the data on behalf of the controller.
The difference between the two is that the controller decides what, why, and how the data will be processed, and the processor just does the job. For example, you decide that you are going to collect email addresses (the “what”) via signup form the “how”) for delivering your newsletter (the “why”). Mailchimp does the job for you. This means that you are the data controller, and Mailchimp is your data processor.
Data subject, on the other hand, is any internet user whose data you have collected and/or processed. They have rights. When they decide to exercise the rights, you have to comply. If you don’t, you may be fined.
That’s why you need to learn about the data subject rights under the GDPR.
Who Has GDPR Data Subject Rights?
GDPR applies to the interactions between businesses and users in which at least one comes from the European Union.
This means that it applies where:
- Both the business and the user are from the EU
- The business is from the EU and the user is from anywhere in the world
- The user is from the EU and the business is from anywhere in the world
What Rights Does the GDPR Grant to Users?
The GDPR grants data subjects the following data subject rights:
Right to know
What it means: This right allows data subject to request information on whether you collect personal data, what categories of data you collect, why you do that, and anything else related to your privacy practices. This arises from the transparency principle. It requires you to be transparent with users about what you do with personal data and what are the motives behind that.
What data controllers need to provide: When a business, i.e. data controller receives a request to know, they have to provide the data subject with information requested, such as the categories of data collected and processed, purposes for processing, methods of collection and processing, third parties to whom the data has been disclosed, where the data has been transferred, an so on.
Right to access
What it means: The right to access grants the data subject the opportunity to access their own data under your control.
What data controllers need to provide: If you hold their personal name and email address, they have the right to access their personal name and email address. Sometimes the request will pertain to all their data, and sometimes only to parts of it. You have to stick to the actual request and provide access to the data requested.
Right to rectification
What it means: The right to rectification means a right to correct own personal data. For example, the data controller who sends discount codes to customers may have a mistake in the email address of a customer, so she does not receive any codes. That user, i.e. data subject has the right to request rectification of their data, to have their email address corrected and receive the codes.
What data controllers need to provide: The data controller has to simply correct the data subject’s personal data according to their request.
Right to erasure (right to be forgotten)
What it means: The right to erasure of personal data, also widely known as the right to be forgotten, means deleting a data subject’s personal data from the data controller’s records. The data subject may request deletion of all their data or only parts of it. They can, for example, request you to erase their phone number because they want to communicate with you only by email.
What data controllers need to provide: They have to delete the personal data according to the request. Keep in mind that the request to delete some categories of data does not mean deletion of all the data.
Right to restriction of processing
What it means: The data subject can request the data controller to cease processing their personal data if any of the following is true:
- The personal data is inaccurate
- The processing is unlawful, but the data subject chooses restriction of processing over erasure
- The data controller no longer needs the data for processing
- The data subject has objected to the processing, but still awaits for the verification
What data controllers need to provide: The data controller should comply with the request to restrict the data processing of the categories of personal data to which the request pertains.
Right to data portability
What it means: Sometimes users want to transfer their personal data to another data controller. This usually happens when the user changes service providers. For example, they can move from Hulu to Netflix and want to take with them the data that Hulu has collected about them.
What data controllers need to provide: The controller has to create a file with all the personal data of the requester and give it to them. The data has to be in a format that could be usable by other data controllers. If the data subject requests transfer of all the personal data, the controller must not hold any more data of the subject, except in relation with compliance and legal claims.
Right to object
What it means: The data subject can object to the data processing and request the controller to cease processing the data.
What data controllers need to provide: The controller should cease with processing data as requested, unless they show legitimate grounds for keeping doing so. The legitimate grounds have to override the objection grounds of the data subject.
For example, the data subject may object to the processing of their payment data. The controller will have to comply, but if they show that the processing of such data is necessary for fraud prevention, then they can keep processing the payment data.
The exception is the objection to data processing for direct marketing purposes. If the data subject objects to that, the controller must simply comply.
Right not to be part of automated individual decision-making, including profiling
What it means: Some businesses make automated decisions about customers based on algorithms. For example, an insurance company may calculate insurance rate for potential customers based on their personal data (including health data, salary, etc). GDPR allows users to request not to be subject to such decision making.
What data controllers need to provide: They need to cease making decisions about the data subject based on automated means, including profiling.
Exercising the Rights
The road from data subject right on paper to deliverable in practice leads through exercising the data subject rights by the data subjects themselves.
Data subject rights are exercised by submitting data subject requests. Users can submit any kind of data subject request and you will be required to respond timely.
In general, the GDPR requires data controllers to respond to the requests in 30 days, or 60 days for more complex requests. They have to inform the user about the extension of additional 30 days.
If the data controller does not respond or responds insufficiently, the data protection authority may fine them.
In general, exercising data subject rights go through five steps. Here’s how each one of them looks like from the perspective of the data subject and the data controller:
Submitting the request
The data subject submits the request to the data controller. He can submit the request in any way he likes – whether it is by email, a web form dedicated to requests, over the phone, or any other way.
The data controller receives the request. For them, it doesn’t matter how the request has been submitted. They have to accept it. Very often, businesses include data subject request forms on websites or dedicated email addresses, but if the data subject has ignored them, it makes no difference. Every single data subject request that has been received in any way has to be treated equally and responded to.
The data controller has to verify the identity of the requester. This is an important step because personal data may be disclosed in the process and, if that happens, it has to be disclosed to the right person. The controller has to ensure that they do not provide any data to a person that should not access any data.
The data controller should not demand additional personal data for verification of identity unless necessary. It would be ideal to make the verification on the basis of personal data that is already available. For example, you may verify the data related to an email address based on the email address the request has been sent from.
If the data controller cannot reasonably verify the identity of the data subject, they can refuse the request.
The data subject should provide any information required by the controller.
Identify the request
The data controller should identify the request. Data subjects sometimes submit unclear requests. In such a case, the controller should clarify what the request is about. They may also ask the data subject for clarifications.
The data subject should respond to any questions the controller may have. If there are no any, they should just wait at this phase.
Collect and package data
Next, the data controller should inspect, collect, and package the data needed to fulfill the request.
The data subject doesn’t have to do anything.
Fulfill the request
The data controller should fulfil the request in the end. Fulfilling the request may mean providing some data, correction of data, deleting data, or something else.
The data subject should review the delivery. If they are not satisfied with it, they may submit additional requests or complain to the data protection authority.
Data subject requests are not a burden to businesses, nor a tool for users to bother them.
It is a means for better connection between businesses and users. It provides an opportunity for transparency that could eventually strengthen the bond between them. Transparency builds trust, and users’ trust is a great asset for any business.
Awareness around online data privacy grows steadily. Businesses need to comply not only to avoid the hefty fines, but to grow resources as well.
The input is not as high as it seems. Compliance with the requests is rather simple and easy to achieve. The upside, on the other hand, is higher and well worth putting the effort to comply. It is a no-brainer.