The right to protection of personal data is a fundamental right guaranteed by the European Union in the framework of the GDPR.
A right of control granted to each individual who can concretely claim :
Transparency on what is and will be done with their data
To be able to rectify incorrect data
To delete specific data
To be able to object to processing, particularly in the case of profiling
To have their data returned to them
These different rights pave the way for compliance with the GDPR. Every action must align with these rights, i.e., putting in place the appropriate processes to respect them and ensure that individuals have protection and control over their private lives.
Find out the main steps you need to take to become GDPR compliant
All this is done over a certain period and according to specific rules. However, only some things are possible.
For example, an individual cannot demand the deletion of data if held lawfully or if necessary for the performance of a contract they have signed.
As you can see, the main rules and numerous application cases exist. Hence the need to include all these rules and conditions in procedures applicable to the company.
To comply with your obligations and secure your practices, we advise you to :
Centralize the procedure for managing requests
Collect requests daily
Have the departments concerned by the request work together
Have the tools to determine whether to respond to a given request, what to respond to, and how to respond
And it is precisely these good practices, resulting from concrete customer problems, that the Data Legal Drive platform can implement efficiently.
GDPR right to information
What is it?
Any person whose data are processed has a right to information.
The right to information is the right to demand that the entity processing one’s data be transparent about the processing carried out and the various rights the person has concerning their data.
The content of this information relates to :
Why: why are my data being processed?
How: what do you do with my data, and for how long?
By whom: to whom do you communicate my data?
What can I do about it: what right do I have over your processing, and how can I object to it?
The GDPR does not give a precise form for communicating the information relating to the right to information. Still, it requires that it be displayed at the exact moment for data collection and that it be easily accessible, understandable, and formulated in clear terms. The information buried in small print in general terms and conditions and drafted excessively legally must comply with this requirement for clarity and education.
The watchword of this right is clarity. Regardless of his legal maturity, the user must be able to make decisions with full knowledge of the facts.
They must have all the keys to keep their personal data under control.
To respect this fundamental right, the target of the processing must be aware of :
The purpose of the data collection and whether it is mandatory or optional
The identity of the controller
The recipients of the data
Any transfers of data outside the European Union
The rights that they can exercise to maintain control
RGPD right to information: use cases
The more sensitive or massive the processing, the more comprehensive and transparent the information provided to meet the right to information should be.
For a company like Google, the information must appear complete and precise while remaining clear, with the possibility of navigating in detail via links and contextual menus. Users must be able to configure the confidentiality of their personal information vis-à-vis Google and third parties in as many ways as possible.
To go further
GDPR right to information: what information should be communicated to data subjects?
1. In the case of collecting information directly from the person concerned
Article 13, paragraph 1 provides that the controller must provide the following information.
The identity and contact details of the controller and, where appropriate, of the controller’s representative
Where applicable, the contact details of the Data Protection Officer
The purposes of the processing for which the personal data are intended and the legal basis for the processing
The external recipients of this data (service providers, suppliers, partners, etc.)
The legitimate interests pursued by the data controller, where the processing uses this basis
Furthermore, to guarantee fair and transparent processing of personal data, paragraph 2 of the said article requires the controller to provide additional information, namely:
The time the personal data will be kept or, where this is not possible, the criteria used to determine this length of time
The existence of the right to request from the controller access to, rectification, or erasure of personal data, or a restriction of the processing concerning the data subject, or the right to object to the processing and the right to data portability
Where the processing is based on your consent, the right to withdraw consent at any time, without prejudice to the lawfulness of the processing based on consent carried out before the withdrawal of consent
The right to lodge a complaint with a supervisory authority
Information on whether the requirement to provide personal data is of a regulatory or contractual nature, whether it is a condition for the conclusion of a contract, and whether the data subject is obliged to provide the personal data, as well as information on the possible consequences of not providing such data.
The existence of automated decision-making, including profiling, has legal effects on the data subject and may use special categories of data or at least useful information about the underlying logic, as well as the significance and intended consequences of such processing for the data subject
2. In the case of indirect information collection
Article 14 contains the same list as Article 13 but adds a subtlety. Indeed, in the indirect collection of personal data, the controller must provide the categories of personal data concerned by the processing.
Furthermore, when providing additional information, the controller must provide “the source from which the personal data originate and, where appropriate, a statement as to whether or not they have been obtained from publicly available sources” (Article 14(2)).
When must this information be provided?
If the data were collected directly from the data subject, then the information must be provided at the time the data were obtained.
If, on the other hand, it is an indirect collection, the controller must provide the data subject with the information:
Within a reasonable period not exceeding one month, taking into account the specific circumstances in which the data are processed
The information must be provided during the first communication if the controller uses a data subject’s data to communicate with them
GDPR right of access
What is it?
Consecrated by Article 15 of the General Data Protection Regulation, the GDPR right of access is the counterpart of the right to information.
By exercising the right of access under the GDPR, the individual requires from the entity processing their data information that is more or less the same as the information that must be provided at the time of data collection. But while the right to information gives the individual the initial information, in a block, the right of access allows the individual to control in real time what is being done, at a given moment, with their personal data.
The right of access is the best way to check that the use of the data has stayed within what they could reasonably expect. If this use is no longer appropriate, or if the person feels that the entity has not provided them with all the information required, they may exercise other rights, such as the right to the erasure of their data, or even go so far as to file a complaint with the supervisory authority.
Indeed, the strength of the right of access is that it is not subject to any conditions as long as the request is not manifestly abusive (for example, it is not the umpteenth request concerning the same data in a short period).
The entity is obliged to comply with the request and deliver the information within one month, which may be extended to two months in the case of legitimate circumstances to be justified by the entity.
Let us take the typical case of the estate agency and processing for contractual purposes on the one hand and marketing on the other.
An owner has put his property under rental management with an estate agency. At the end of the lease, the owner terminates the rental management contract with the agency. However, the owner continues to receive commercial offers from the agency by email. Noting that the offers are particularly suited to his situation and to know the agency’s information, he exercises his right to access.
In response, the agency sent him all the data it held on him. He confirmed that data concerning him should have been processed for something other than marketing purposes, particularly data relating to his financial and family situation. He then decided to withdraw his consent to the processing of his data and to exercise his right to the erasure of his data, arguing that the contract had been terminated.
The agency proceeded with the deletion but warned the owner that the data strictly related to the rental management contract would be archived for a certain period corresponding to the contractual limitation period. It confirms that all other data is deleted and that the landlord will no longer receive commercial offers.
To go further
More specifically, a person exercising their right of access may require the following information:
The purposes of the processing
The categories of data concerned
The recipients or categories of recipients to whom the data have been or will be disclosed, in particular recipients who are established in third countries or international organizations
Where possible, the period for which the data will be kept or, where this is not possible, the criteria used to determine this period
The existence of the right to request from the controller the rectification or erasure of data, a restriction on the processing of data relating to the data subject, or the right to object to such processing
The right to complain to a supervisory authority
Where the data are not collected from the data subject, any available information about their source
The existence of automated decision-making, such as profiling. In such cases, data subjects are also entitled to request any relevant information concerning the underlying logic, significance, and intended consequences of the processing for them.
The subject may request a copy of the data being processed concerning them. In this case, the data controller may demand a reasonable fee, considering the complexity & number of data and the administrative costs thus incurred.
Discover how Data Legal Drive simplifies the management of data subject requests from companies with its "Exercise of Rights" module!
Use my personal information, yes, but only accurate information!
The misleading or erroneous personal information a company uses can lead to negative consequences, especially regarding the communication or storage of this data. Sometimes, the person will want to have it corrected or completed. This is where the right of rectification comes in.
The principle from which this right derives is a principle of fairness: when a third party processes my data, I have the right to demand that these personal data be “accurate, complete and, if necessary, kept up to date,” given the purposes of the processing.
As with the right of access, this right is subject to only proof that the information is accurate. Moreover, the request must not be manifestly abusive.
This right can also be exercised in the event of “digital death“: the personal data of a deceased person can be modified or completed by their beneficiaries, who will request the controller.
If the data has several recipients, the file controller must transmit the rectifications to all concerned actors.
Incorrect information on a form may lead a company to make a calculation that may be prejudicial to you, for example, if you have access to a refund or a benefit that would be estimated lower.
The same applies to information made available to the public, for example, on a website: correcting incorrect information about your medical situation must be possible.
To go further
What are the conditions for exercising the right of rectification?
Article 12 of the GDPR governs the modalities of application of the right of rectification, which is itself described in Article 16 of the GDPR.
The data subject must first prove their data need to be more accurate, complete, outdated, or equivocal. The controller must then validate the evidence provided by the data subject and inform the subject of the rectification as soon as possible. The burden of proof, in this case, lies with the controller.
How to exercise your right of rectification?
To satisfy this request, the data subject must apply directly to the controller (they may also apply to the DPO). The latter may require proof of the data subject’s identity and request other means of evidence to do so (the requirement of disproportionate supporting documents is prohibited).
Exercising this right is free of charge for the applicant. It is the responsibility of the data controller and/or processor, who must demonstrate that they are dealing with the request as quickly as possible (1 to 3 months, depending on the complexity of the request).
Suppose your company does not respond quickly enough or refuses to respond. In that case, the data subject has the right to request a “restriction of processing” (prohibition of any processing of the data concerned) and may complain to the supervisory authority.
Limits to the right of rectification
The right of rectification cannot be applied to the processing of journalistic, artistic, or literary data. Moreover, to protect the confidentiality of investigations, processing relating to police, intelligence, gendarmerie, and FIBOCA files is excluded from the scope of this right.
GDPR Right to erasure/right to be forgotten
What is it?
In the true sense of the word, there is no right to be forgotten under the GDPR, only a right to erasure.
The right to erasure allows you to request the complete deletion of your data. But beware, the holding and using one’s data by a company, for example, can be legitimate. This is why exercising the right to erasure is subject to fairly strict conditions: the data subject must demonstrate that the company’s processing of its data is no longer legitimate, either because it never was or is no longer legitimate.
There must be a reason to exercise the right to be forgotten: for example, the data are no longer kept for the purposes declared when the data were collected.
But even if there is a reason, the company can argue that there are legitimate interests: for example, if the data processing is necessary for freedom of expression and information.
It is also possible to ask for proof of identity (within reason) if there are justified doubts about the identity of the person making the request.
A data subject may request erasure :
Electronically (form, e-mail address, etc.)
By physical means (mail, etc.)
It is essential to do everything possible to enable the person to fully exercise their right to erasure by giving them all the information necessary (procedures for exercising rights, data controllers, the identity of the DPO, etc.)
To respond to an erasure request, the company has between 1 and 3 months from the initial request if it is deemed legitimate (depending on the complexity of the request).
An internet service provider holds personal data about you which is necessary for the performance of the contract for the provision of internet access and/or which it is obliged to retain for legal reasons (investigation of offences by the judicial authorities, etc.).
Once the contract has expired, this data must be kept by the company in order to protect itself against a lawsuit that could be brought against it, for the duration of the applicable statute of limitations. During this time, exercising the right to erasure would be ineffective: the company can refuse to erase your data.
On the other hand, once all the retention periods have expired, the company is obliged to comply with your request for deletion and to formally confirm that it has done so, on pain of unlawful data processing by the company.
To go further
The right to erasure can only be exercised on the following grounds
the personal data are no longer necessary for the purposes for which they were collected or processed
the data subject withdraws the consent on which the processing is based and there is no other legal basis for the processing
the data subject objects to the processing and there are no compelling legitimate grounds for the processing
the personal data have been processed unlawfully
the personal data must be erased in order to comply with a legal obligation laid down by Union law or by the law of the Member State to which the controller is subject
The following justifications allow the data to continue to be processed even in the presence of a legitimate reason, where the processing is necessary
to respect the exercise of the right to freedom of expression and information
to comply with a legal obligation which requires processing under Union law or the law of the Member State to which the controller is subject, or to perform a task carried out in the public interest or in the exercise of official authority vested in the controller
for reasons of public interest in the field of public health
for archival purposes in the public interest, for scientific or historical research or for statistical purposes
for the establishment, exercise or defence of legal claims
GDPR right of objection
What is it?
Any individual has the right to object at any time, to the use of his or her personal data by organisations, such as in the case of processing for commercial prospecting purposes. This is the case even if the processing serves a legitimate purpose.
Unlike the right to erasure, by exercising the right to object, the data subject asks the company not to process his or her data in the future, without necessarily requesting that it be erased.
Nevertheless, the right to object is relative. While in the majority of cases the data subject can exercise this right without giving reasons, some processing operations require legitimate reasons to be put forward in order to exercise the right to object. Specifically, the GDPR requires that its exercise be justified by “reasons relating to his or her particular situation”.
Your company sends out a newsletter about its latest news in order to maintain contact with your prospects. The email addresses of your prospects are therefore used for marketing purposes, and are based solely on the consent given to you by those prospects.
The prospects in question must be able to exercise their right of opposition under the GDPR, as soon as they feel that this processing (the use of their email address to send them prospecting messages) is no longer appropriate to them, so that their addresses are removed from the mailing lists.
This is why each email you send should contain an unsubscribe link: by using it, your contacts exercise their right to object, allowing them to oppose the sending of new emails to their addresses with a simple click.
To go further
How to exercise the right to object?
No formality is required. In other words, the data subject can proceed electronically via a specific form or an online account (website), having previously identified the controller.
This right is free of charge and should be possible for any data subject simply and intuitively.
As with all the other rights discussed, it is essential to inform the data subject of their rights and the procedures for exercising them, for example, using legal notices.
If there is no response or an unsatisfactory response after one month, the data subject may refer the matter to the relevant supervisory authority.
What are the limits of the right to object?
Article 38 of the GDPR sets out the limits to the right to object.
If the request to object does not concern commercial prospecting, the controller may justify his refusal on several grounds:
If there are legitimate and compelling reasons for processing the data or if the data are necessary for the establishment, exercise, or defense of legal claims
This right may be waived if the data subject has given their contractual consent or if the processing of personal data is based on a legitimate interest
GDPR Right to portability
What is it?
How can you avoid being locked into a contract with a company and recover your personal data to change service providers? This is the question that the right to portability answers.
A new right enshrined in the GDPR, the portability request, allows data subjects to have the possibility to retrieve their personal data in a structured, commonly used, and machine-readable format so that they can proceed with a data transfer to a new data controller.
The controller must inform data subjects of the existence of this new right in a “concise, transparent, comprehensible and easily accessible manner, in clear and simple terms,” in particular within the legal notice of the company’s website.
Data subjects should know this before closing an account to transfer their personal data to another controller and start new data processing.
My company, a supplier of connected TVs, processes the preference data of our customers to offer them more comfortable in their daily use. A potential new customer, obviously not satisfied with the services of one of my competitors, contacts my company to get a new connected TV.
But many of his preferences have been saved by the competitor’s system, and it would be impossible or too burdensome for him to keep them again manually.
By exercising his right to data portability, he requires the previous provider to provide us with the data in a suitable format to re-enter the customer’s preferences into the new system.