GDPR – Data Subjects’ Rights (Part 2)

  • Home
  • GDPR – Data Subjects’ Rights (Part 2)
  • 25
    Oct 17

GDPR – Data Subjects’ Rights (Part 2)

Tags : 

security-lockersData subjects’ rights is, perhaps, one of the most widely misunderstood aspects of the General Data Protection Regulation (GDPR). The Data Protection Act (1998), DPA, provides many rights to individuals and the GDPR can be seen as clarifying and extending those rights.

The GDPR provides the following rights for individuals:

  1. The right to be informed
  2. The right of access
  3. The right to rectification
  4. The right to erasure
  5. The right to restrict processing
  6. The right to data portability
  7. The right to object
  8. Rights in relation to automated decision making and profiling.

An earlier article looked at the first four rights and so in this article we’ll consider the last four rights:

  • The right to restrict processing – when processing is restricted, you are permitted to store the personal data, but not further process it. You can retain just enough information about the individual to ensure that the restriction is respected in future.
  • The right to data portability – you must be able to allow data subjects to move, copy or transfer personal data easily from one IT environment to another in a safe and secure way, without hindrance to usability.
  • The right to object – data subjects can object to processing based on legitimate interests or the performance of a task in the public interest/exercise of official authority (including profiling), direct marketing (including profiling) and processing for purposes of scientific/historical research and statistics.
  • Rights in relation to automated decision making and profiling – you may not automatically process personal data if the automated system can a make a potentially damaging decision without human intervention.

For processing to be lawful under the GDPR, you need to identify a lawful basis before you can process personal data. It is important that you determine your lawful basis for processing personal data because your lawful basis for processing has an effect on data subjects’ rights.

The right to restrict processing

A data subject may require you to stop processing their personal data when:

  • the data subject contests the accuracy of the personal data;
  • you are processing the personal data for the performance of a public interest task or for the purpose of legitimate interests and you are considering whether your organisation’s legitimate grounds override those of the data subject;
  • processing is unlawful and the data subject does not require the personal data erased but requests restriction instead.
  • you no longer need the personal data but the data subject requires the personal data to establish, exercise or defend a legal claim.

When processing is restricted, you are permitted to store the personal data, but you must not process it. You can retain just enough information about the data subject to ensure that the data processing restriction is respected in future.

If you have disclosed the personal data in question to third parties, you must inform them about the restriction on the processing of the personal data, unless it is impossible.

The right to data portability

The right to data portability only applies:

  • to personal data which a data subject has provided to you;
  • where the processing is based on the data subject’s consent or for the performance of a contract;
  • when processing is carried out by automated means.

You must provide the personal data in a structured, commonly used and machine readable form such as CSV or XML files. This enables other organisations to use the data. You may be required to transmit the data directly to another organisation if this is technically feasible.

You must respond within one month and you may not charge for providing the personal data. If you are unable to supply the personal data because the request is complex or you receive many requests then you must inform the data subject of this within one month and you can extend the time to comply with the request to two months.

If you decide not to comply with the request then you must explain why to the data subject within one month and informing them of their right to complain to the ICO and to a judicial remedy .

The right to object

Data subjects must be informed of their right to object “at the point of first communication” and in your privacy notice. This information must be “explicitly brought to the attention of the data subject and shall be presented clearly and separately from any other information” and you must offer an online way for data subjects to object to the processing of their personal data.

If you process personal data for the performance of a legal task or your organisation’s legitimate interests then data subjects can object to the processing of their personal data only on “grounds relating to his or her particular situation”. Once you receive an objection you must stop processing the personal data unless you can demonstrate compelling legitimate grounds for the processing, which override the interests, rights and freedoms of the individual or the processing is for the establishment, exercise or defence of legal claims.

If you process personal data for direct marketing purposes then you must stop processing personal data for direct marketing purposes as soon as you receive an objection and you can not refuse to do this.  Objections about direct marketing must be dealt with at any time and you may not charge for this.

If you process personal data for research purposes then data subjects can object to the processing of their personal data only on “grounds relating to his or her particular situation”. You do not need to take note of an objection if you are conducting research which is necessary for the performance of a public interest task.

Rights in relation to automated decision making and profiling

You should identify whether any of your processing operations constitute automated decision making or profiling and consider whether you need to update your procedures to deal with the requirements of the GDPR.

Decisions about data subjects must not be taken by automated means if the decision would produce a legal effect or similar significant effect. However, you can use automated decision making if the decision is necessary for entering into or for the performance of a contract with the data subject; if the decision is authorised by law, or if the data subject provides explicit consent. If you do use automated decision making in these cases then you must provide data subjects with access to human intervention, with the ability to provide their point of view and with an explanation of the decision and how it can be challenged.

Profiling is any form of automated processing which evaluates certain personal aspects of an individual, in particular to analyse or predict their:

  • performance at work;
  • economic situation;
  • health;
  • personal preferences;
  • reliability;
  • behaviour;
  • location;
  • movements.

If you use automated profiling you must:

  • Ensure processing is fair and transparent by providing meaningful information about the logic involved, as well as the significance and the likely consequences.
  • Use appropriate mathematical or statistical procedures for the profiling.
  • Implement technical and organisational measures to enable inaccuracies to be corrected and to minimise the risk of errors.
  • Secure personal data so that the interests and rights of data subjects are not compromised.

You must not automate decisions about children, or automate decisions about any data subjects based on the processing of the special categories of data unless you have explicit consent from the data subject or if the processing is being carried out for reasons of substantial public interest.

News Archive

More Information (PDF)

Smarter Technologies Ltd, Unit 1 Broadfield Industrial Estate, Seymour Street, Heywood, OL10 3AJ | Company No.: 07172781 | VAT No.: 794 7491 68

 Request a Quote

What our clients say:
Andrew JennerAndrew JennerRCD Leaflets
Please pass my thanks on to the team as the whole process from quote to install was unbelievably thorough, efficient and smooth.
Nikki PriceNikki PriceInstil Bio (UK) Limited
Thank you very much for your help on a Saturday! I can’t tell you how very grateful we are to you for helping us out with this last minute request and doing it so promptly.
Sharon HamerSharon HamerThe Housing Link (2003)
Thank you for all your advice, help and support. I would not hesitate to recommend Smarter Technologies.
Lynne SprigingsLynne SprigingsBolton Young Persons Housing Scheme
As a small charity it’s really important for us to have reliable and responsive IT support, which Smarter Technologies supplies.
Jane HaywardJane HaywardYMCA Black Country Group
The service I have received has been excellent, from the initial meeting where the process was explained to managers, right down to coming out to go through SharePoint with me.
Maura JacksonMaura JacksonBackup North West
Smarter Technologies have looked after our IT for well over 10 years. They are fabulous, knowledgeable, hard working, thorough, reliable, good value for money and proactive.
Jim GowmanJim GowmanYMCA Black Country Group
I want to pass on the thanks received today from across all parts of the YMCABC teams about how robust the IT systems have been. We have had to get to grips with remote working and with this pandemic it has come into its own.
Bill LeesBill LeesThe Housing Link (2003)
Smarter Technologies make so many complicated things sound clear and understandable in a way that I completely understand.
Andrew BeeputAndrew BeeputThe Bond Board
Smarter Technologies really understand the pressure charities are under and consider this when making recommendations. They saved us so much money – I can’t put a price on their help. It was invaluable.
Richard BoydRichard BoydRed Flame Marketing
I found the IT support for my small business to be excellent. Everything is clearly explained in non-technical language; prompt service and very affordable. Will be recommending Smarter Technologies to other businesses. (In fact, I already have!).
Dave BagleyDave BagleyUrban Outreach (Bolton)
Thanks again for the swift response from Smarter Technologies to our IT needs recently. All is working perfectly.
David Lackner-SmithDavid Lackner-SmithThe Sanctuary Trust
It’s great being able to rely on such prompt service from Smarter Technologies, it really gives us peace of mind knowing that our IT support is provided by a team that will go the extra mile.
Graham EvansGraham EvansThe Housing Link (2003)
We have a tight budget and Smarter Technologies has enabled us to ‘work smarter’ and provide fast assistance to those who need it. It has played an integral role in the success of this charity.
Jim GowmanJim GowmanYMCA Black Country Group
Just to say to the Smarter Technologies team, thanks for a very smooth transition into the 21st Century of IT with our upgraded equipment. All aspects of the installation have received positive feedback from day one.
Tracey PeaceTracey PeaceRamsbottom Kitchen Company
The Smarter Technologies team are like extended members of our staff and always go the extra mile. The team come in early and stay until they finish – they even lock up for us.
prevnext

© 2011-2024 Smarter Technologies Ltd  |  Privacy Statement

%d bloggers like this: