GDPR – Data Subjects’ Rights (Part 1)

  • Home
  • GDPR – Data Subjects’ Rights (Part 1)
  • 18
    Oct 17

GDPR – Data Subjects’ Rights (Part 1)

Tags : 

security-lockersData subjects’ rights is, perhaps, one of the most widely misunderstood aspects of the General Data Protection Regulation (GDPR). The Data Protection Act (1998), DPA, provides many rights to individuals and the GDPR can be seen as clarifying and extending those rights.

The GDPR provides the following rights for individuals:

  1. The right to be informed;
  2. The right of access;
  3. The right to rectification;
  4. The right to erasure;
  5. The right to restrict processing;
  6. The right to data portability;
  7. The right to object; and
  8. Rights in relation to automated decision making and profiling.

In this article we’ll look at the first four rights:

  1. The right to be informed – you should provide ‘fair processing information’, typically through a privacy notice which provides transparency about how you collect and use personal data.
  2. The right of access – you must be able confirm that personal data is being processed and provide access to the personal data on request from a data subject.
  3. The right to rectification – data subjects are entitled to have personal data rectified if it is inaccurate or incomplete.
  4. The right to erasure – also known as ‘the right to be forgotten’. Data subjects can request the deletion or removal of personal data where there is no compelling reason for its continued processing.

For processing to be lawful under the GDPR, you need to identify a lawful basis before you can process personal data. It is important that you determine your lawful basis for processing personal data because this has an effect on the data subjects’ rights. For instance, if you rely on someone’s consent to process their data, then they will generally have stronger rights to have their data deleted.

The right to be informed

You should provide ‘fair processing information’, typically through a privacy notice which provides transparency about how you collect and use personal data.  The information you supply in the privacy notice must be:

  • Concise, transparent, intelligible and easily accessible;
  • Written in clear and plain language, particularly if addressed to a child; and
  • Free of charge.

If you obtain the personal data directly from a data subject you must supply the privacy notice at the time that the data is collected.

If you obtain the personal data from another source you must provide the data subject with the privacy notice within a reasonable period of having obtained the personal data (typically, within one month), or if you are using the personal data to communicate with the data subject, at the latest, when the first communication takes place.

Your privacy notice must contain the following information:

  • The identity and contact details of the data controller (and where applicable, the controller’s representative) and the data protection officer;
  • The purpose and the lawful basis for the processing;
  • The legitimate interests of the data controller or third party, where applicable;
  • The categories of personal data being processed (only if the personal data is not obtained directly from the data subject);
  • Any recipient or categories of recipients of the personal data;
  • Details of transfers to a third country and the safeguards in place;
  • The retention period or criteria used to determine the retention period of the personal data;
  • The existence the data subject’s rights;
  • The right to withdraw consent at any time, if that is the lawful basis for the processing;
  • The right to lodge a complaint with the Information Commissioner’s Office (ICO);
  • The source the personal data originates from and whether it came from publicly accessible sources (only if the personal data is not obtained directly from the data subject);
  • Whether the provision of the personal data is a statutory or contractual requirement or obligation and the possible consequences of failing to provide the personal data; and
  • The existence of automated decision making, including profiling and information about how decisions are made, and the significance and the consequences of such automated decision making.

The right of access

You must be able confirm that personal data is being processed and provide access to the personal data on request from a data subject. The GDPR allows data subjects to access their personal data so that they are aware of and can verify the lawfulness of the processing.

You must be able to verify the identity of the person making the access request, using ‘reasonable means’ and you must provide a copy of the information free of charge. However, you can charge a ‘reasonable fee’ when a request is manifestly unfounded or excessive, particularly if it is repetitive (you can also refuse to respond to an access request under these circumstances). You may also charge a reasonable fee to comply with requests for further copies of the same information. This does not mean that you can charge for all subsequent access requests. Any fee charged must be based on the administrative cost of providing the information.

If you decide not to carry out a data access request, you must provide an explanation to the data subject and inform them of their right to complain to the ICO and to a judicial remedy.

The right to rectification

Data subjects are entitled to have personal data rectified if it is inaccurate or incomplete. If you have passed the personal data to third parties, you must inform the third parties of the rectification where possible. You must also tell the data subjects about the third parties and what personal information you have passed to them.

You must respond within one month to a data rectification request, but this can be extended by two months when the request for rectification is complex.

If you decide not to carry out a data rectification request, you must provide an explanation to the data subject and inform them of their right to complain to the ICO and to a judicial remedy.

The right to erasure

Also known as ‘the right to be forgotten’. Data subjects can request the deletion or removal of personal data where there is no compelling reason for its continued processing.

Data subjects do not have an absolute ‘right to be forgotten’ but you must erase personal data and prevent processing in specific circumstances:

  • When the personal data is no longer necessary in relation to the purpose for which it was originally collected/processed;
  • When the individual withdraws consent and your lawful basis for processing relies on the data subject’s consent;
  • When the individual objects to the processing and there is no overriding legitimate interest for continuing the processing;
  • The personal data was unlawfully processed (in breach of some other aspect of the GDPR);
  • The personal data has to be erased in order to comply with a legal obligation; or
  • The personal data is processed in relation to the offer of information society services to a child.

You can refuse to comply with a request for erasure when the personal data is processed for the following reasons:

  • To exercise the right of freedom of expression and information;
  • To comply with a legal obligation or for the performance of a public interest task or exercise of official authority;
  • For public health purposes in the public interest;
  • Archiving purposes in the public interest, scientific research historical research or statistical purposes; or
  • The exercise or defence of legal claims.

You should have specific procedures in place to deal a request for erasure if you process the personal data of children, and the child has given consent to processing, regardless of age at the time of the request to erase the data. This is because a child may not have been fully aware of the risks involved in the processing at the time of consent.

News Archive

More Information (PDF)

Smarter Technologies Ltd, Unit 1 Broadfield Industrial Estate, Seymour Street, Heywood, OL10 3AJ | Company No.: 07172781 | VAT No.: 794 7491 68

 Request a Quote

What our clients say:
Graham EvansGraham EvansThe Housing Link (2003)
We have a tight budget and Smarter Technologies has enabled us to ‘work smarter’ and provide fast assistance to those who need it. It has played an integral role in the success of this charity.
Richard BoydRichard BoydRed Flame Marketing
I found the IT support for my small business to be excellent. Everything is clearly explained in non-technical language; prompt service and very affordable. Will be recommending Smarter Technologies to other businesses. (In fact, I already have!).
David Lackner-SmithDavid Lackner-SmithThe Sanctuary Trust
It’s great being able to rely on such prompt service from Smarter Technologies, it really gives us peace of mind knowing that our IT support is provided by a team that will go the extra mile.
Andrew BeeputAndrew BeeputThe Bond Board
Smarter Technologies really understand the pressure charities are under and consider this when making recommendations. They saved us so much money – I can’t put a price on their help. It was invaluable.
Maura JacksonMaura JacksonBackup North West
Smarter Technologies have looked after our IT for well over 10 years. They are fabulous, knowledgeable, hard working, thorough, reliable, good value for money and proactive.
Dave BagleyDave BagleyUrban Outreach (Bolton)
Thanks again for the swift response from Smarter Technologies to our IT needs recently. All is working perfectly.
Bill LeesBill LeesThe Housing Link (2003)
Smarter Technologies make so many complicated things sound clear and understandable in a way that I completely understand.
Andrew JennerAndrew JennerRCD Leaflets
Please pass my thanks on to the team as the whole process from quote to install was unbelievably thorough, efficient and smooth.
Jim GowmanJim GowmanYMCA Black Country Group
I want to pass on the thanks received today from across all parts of the YMCABC teams about how robust the IT systems have been. We have had to get to grips with remote working and with this pandemic it has come into its own.
Tracey PeaceTracey PeaceRamsbottom Kitchen Company
The Smarter Technologies team are like extended members of our staff and always go the extra mile. The team come in early and stay until they finish – they even lock up for us.
Nikki PriceNikki PriceInstil Bio (UK) Limited
Thank you very much for your help on a Saturday! I can’t tell you how very grateful we are to you for helping us out with this last minute request and doing it so promptly.
Lynne SprigingsLynne SprigingsBolton Young Persons Housing Scheme
As a small charity it’s really important for us to have reliable and responsive IT support, which Smarter Technologies supplies.
Jim GowmanJim GowmanYMCA Black Country Group
Just to say to the Smarter Technologies team, thanks for a very smooth transition into the 21st Century of IT with our upgraded equipment. All aspects of the installation have received positive feedback from day one.
Jane HaywardJane HaywardYMCA Black Country Group
The service I have received has been excellent, from the initial meeting where the process was explained to managers, right down to coming out to go through SharePoint with me.
Sharon HamerSharon HamerThe Housing Link (2003)
Thank you for all your advice, help and support. I would not hesitate to recommend Smarter Technologies.
prevnext

© 2011-2024 Smarter Technologies Ltd  |  Privacy Statement

%d bloggers like this: