GDPR: The control rights granted to individuals
The right to protection of personal data is a fundamental right guaranteed by the European Union in the framework of the GDPR.
A right of control granted to each individual who can concretely claim :
- transparency on what is and will be done with their data
- to be able to rectify incorrect data to delete certain data
- to be able to object to processing, particularly in the case of profiling
- to have their data returned to them
It is these different rights that pave the way for compliance with the GDPR. Every action to be taken must be in line with these rights, i.e. putting in place the appropriate processes to respect these rights and ensure that individuals have protection and control over their private lives.
Find out the main steps you need to take to become GDPR compliant
All this is of course done over a certain period of time and according to certain rules. However, not everything is possible.
For example, an individual cannot demand the deletion of data if they are held lawfully or if they are necessary for the performance of a contract that he or she has signed.
As you can see, there are the main rules and numerous cases of application. Hence the need to include all these rules and conditions in procedures applicable to the company.
In order to comply with your obligations and secure your practices, we advise you to
- centralise the procedure for managing requests
- collect requests on a daily basis
- have the departments concerned by the request work together
- have the tools to determine whether to respond to a given request, what to respond to and how to respond
And it is precisely these good practices, resulting from concrete customer problems, that the Data Legal Drive platform allows to implement efficiently.
GDPR right to information
What is it?
Any person whose data are processed has a right to information.
The right to information is the right to demand that the entity processing one’s data be transparent about the processing carried out and about the various rights the person has with regard to his/her data.
The content of this information relates to :
- Why: why are my data being processed?
- How: what do you do with my data and for how long?
- By whom: to whom do you communicate my data?
- What can I do about it: what right do I have over your processing and how can I object to it?
The GDPR does not give a precise form to the communication of the information relating to the right to information, but it requires that it be communicated at the precise moment of the collection of the data, that it be easily accessible, understandable and formulated in clear terms. Information that is buried in small print in general terms and conditions and is drafted in an excessively legal manner does not comply with this requirement for clarity and education.
The watchword of this right is clarity. The user, regardless of his legal maturity, must be able to make decisions in full knowledge of the facts.
They must have all the keys to keep their personal data under control.
In order to respect this fundamental right, it is essential that the target of the processing be aware of
- the purpose of the data collection and whether it is mandatory or optional
- the identity of the controller
- the recipients of the data
- of any transfers of data outside the European Union
- the rights that they can exercise to maintain control
RGPD right to information: use cases
The more sensitive or massive the processing, the more comprehensive and clear the information provided to meet the right to information should be.
For a company such as Google, the information must appear, be absolutely complete and precise while remaining clear, with the possibility of navigating in detail via links and contextual menus. Users must be able to configure the confidentiality of their personal information vis-à-vis Google and third parties in as many ways as possible.
To go further
GDPR right to information: what information should be communicated to data subjects?
1. In the case of collecting information directly from the person concerned
Article 13 paragraph 1 provides that the controller must provide the following information
- The identity and contact details of the controller and, where appropriate, of the controller’s representative
- Where applicable, the contact details of the Data Protection Officer (DPO)
- The purposes of the processing for which the personal data are intended and the legal basis for the processing
- The external recipients of this data (service providers, suppliers, partners, etc.)
- The legitimate interests pursued by the data controller, where the processing uses this basis
Furthermore, in order to guarantee fair and transparent processing of personal data, paragraph 2 of the said article requires the controller to provide additional information, namely
- The length of time the personal data will be kept or, where this is not possible, the criteria used to determine this length of time.
- The existence of the right to request from the controller access to, rectification or erasure of personal data, or a restriction of the processing in relation to the data subject, or the right to object to the processing and the right to data portability.
- Where processing is based on your consent, the existence of the right to withdraw consent at any time, without prejudice to the lawfulness of the processing based on consent carried out prior to the withdrawal of consent.
- The right to lodge a complaint with a supervisory authority.
- Information on whether the requirement to provide personal data is of a regulatory or contractual nature, or whether it is a condition for the conclusion of a contract and whether the data subject is obliged to provide the personal data, as well as information on the possible consequences of not providing such data.
- The existence of automated decision-making, including profiling, which has legal effects on the data subject and which may use special categories of data, or at least useful information about the underlying logic, as well as the significance and the intended consequences of such processing for the data subject.
2. In the case of indirect information collection
Article 14 contains the same list as in Article 13, but adds a subtlety. Indeed, in the case of indirect collection of personal data, the controller must provide the categories of personal data concerned by the processing.
Furthermore, when providing additional information, the controller must provide “the source from which the personal data originate and, where appropriate, a statement as to whether or not they have been obtained from publicly available sources” (Article 14(2)).
When must this information be provided?
If the data were collected directly from the data subject, then the information must be provided at the time the data were obtained.
If, on the other hand, it is an indirect collection, the controller must provide the data subject with the information:
- Within a reasonable period of time not exceeding 1 month, taking into account the specific circumstances in which the data are processed
- If the controller uses a data subject’s data for the purpose of communicating with him or her, the information must be provided at the time of the first communication
GDPR right of access
What is it?
Consecrated by Article 15 of the General Data Protection Regulation, the GDPR right of access is the counterpart of the right to information.
By exercising the right of access under the GDPR, the individual requires from the entity processing his or her data information that is more or less the same as the information that must be provided at the time of collection of the data. But while the right to information gives the individual the initial information, in a block, the right of access allows the individual to control in real time what is actually being done, at a given moment, with his or her personal data.
The right of access is the best way to check that the use of the data has not exceeded what they could reasonably expect. If this use is no longer appropriate, or if the person feels that the entity has not provided him or her with all the information required, he or she may exercise other rights such as the right to erasure of his or her data, or even go so far as to file a complaint with the supervisory authority.
Indeed, the strength of the right of access is that it is not subject to any conditions, as long as the request is not manifestly abusive (for example, it is not the umpteenth request concerning the same data in a short period of time).
The entity is obliged to comply with the request and to deliver the information within a period of one month, which may be extended to two months in the case of legitimate circumstances to be justified by the entity.
Let us take the typical case of the estate agency and processing for contractual purposes on the one hand and marketing on the other.
An owner has put his property under rental management with an estate agency. At the end of the lease, the owner terminates the rental management contract with the agency. However, the owner continues to receive commercial offers from the agency by email. Noting that the offers are particularly suited to his situation and in order to know what information the agency holds, he exercises his right of access.
In response, the agency sent him all the data it held on him. He was given confirmation that data concerning him should not have been processed for marketing purposes, in particular data relating to his financial and family situation. He then decided to withdraw his consent to the processing of his data and to exercise his right to erasure of his data, arguing that the contract had been terminated.
The agency proceeded with the deletion but warned the owner that the data strictly related to the rental management contract would be archived for a certain period of time corresponding to the contractual limitation period. It confirms that all other data is deleted and that the landlord will no longer receive commercial offers.
To go further
More specifically, a person exercising his or her right of access may require the following information
- the purposes of the processing
- the categories of data concerned
- the recipients or categories of recipients to whom the data have been or will be disclosed, in particular recipients who are established in third countries or international
- where possible, the period for which the data will be kept or, where this is not possible, the criteria used to determine this period
- the existence of the right to request from the controller the rectification or erasure of data, a restriction on the processing of data relating to the data subject, or the right to object to such processing
- the right to lodge a complaint with a supervisory authority
- where the data are not collected from the data subject, any available information about their source
- the existence of automated decision-making, such as profiling. In such cases, data subjects are also entitled to request any relevant information concerning the underlying logic, significance and intended consequences of the processing for them.
The subject may request a copy of the data being processed concerning him or her. In this case, the data controller may demand payment of a reasonable fee, taking into account the complexity & number of data, and the administrative costs thus incurred.
Discover how DATA LEGAL DRIVE simplifies the management of data subject requests from companies with its "Exercise of Rights" module!
GDPR – Right of rectification
Use my personal information, yes, but only accurate information!
Misleading or erroneous personal information used by a company can lead to negative consequences, especially when it comes to the communication or storage of this data. In some cases, the person will want to have it corrected – completed. This is where the right of rectification comes in.
The principle from which this right derives is a principle of fairness: when a third party processes my data, I have the right to demand that these personal data be “accurate, complete and, if necessary, kept up to date” in view of the purposes of the processing.
As with the right of access, this right is of course not subject to any conditions other than proof that the information is inaccurate. Moreover, the request must not be manifestly abusive.
This right can also be exercised in the event of “digital death“: the personal data of a deceased person can be modified or completed by his or her beneficiaries who will make a request to the controller.
If the data have several recipients, the controller of the file has the duty to transmit the rectifications to all the actors concerned.
Incorrect information on a form may lead a company to make a calculation that may be prejudicial to you, for example if you have access to a refund or a benefit that would therefore be estimated lower.
The same applies to information made available to the public, for example on a website: it must be possible to correct incorrect information about your medical situation.
To go further
What are the conditions for exercising the right of rectification?
Article 12 of the GDPR governs the modalities of application of the right of rectification, which is itself described in Article 16 of the GDPR.
The data subject must first prove that his or her data are inaccurate, incomplete, out of date or equivocal. The controller must then validate the evidence provided by the data subject and inform the data subject of the rectification as soon as possible. The burden of proof in this case lies with the controller.
How to exercise your right of rectification?
The data subject must apply directly to the controller (he or she may also apply to the Data Protection Officer) to satisfy this request. The latter may require proof of the data subject’s identity and may request other means of proof in order to do so (the requirement of disproportionate supporting documents is prohibited).
Exercising this right is free of charge for the applicant and is the responsibility of the data controller and/or processor, who must demonstrate that they are dealing with the request as quickly as possible (1 to 3 months depending on the complexity of the request).
If your company does not respond quickly enough, or simply refuses to respond, the data subject has the right to request “restriction of processing” (prohibition of any processing of the data concerned), and may lodge a complaint with the supervisory authority.
Limits to the right of rectification
The right of rectification cannot be applied to the processing of journalistic, artistic or literary data. Moreover, in order to protect the confidentiality of investigations, processing relating to police, intelligence, gendarmerie and FIBOCA files is excluded from the scope of this right.
GDPR Right to erasure / right to be forgotten
What is it?
In the true sense of the word, there is no right to be forgotten under the GDPR, only a right to erasure under the GDPR.
The right to erasure allows you to request the complete deletion of your data. But beware: the holding and use of one’s data, by a company for example, can be perfectly legitimate. This is why the exercise of the right to erasure is subject to fairly strict conditions: the data subject must demonstrate that the company’s processing of his or her data is no longer legitimate, either because it never was or because it is no longer legitimate.
To exercise the right to be forgotten, there must be a reason: for example, the data are no longer kept for the purposes that were declared when the data were collected.
But even if there is a reason, the company can argue that there are legitimate interests: for example, if the data processing is necessary for freedom of expression and information.
It is also possible to ask for proof of identity (within reason) if there are justified doubts as to the identity of the person making the request.
A data subject may make a request for erasure :
- electronically (form, e-mail address, etc.)
- by physical means (mail, etc.)
It is essential to do everything possible to enable the person to fully exercise his or her right to erasure, by giving him or her all the information necessary to do so (procedures for exercising rights, data controllers, identity of the DPO, etc.)
To respond to an erasure request, the company has between 1 and 3 months from the initial request if it is deemed legitimate (depending on the complexity of the request).
An internet service provider holds personal data about you which is necessary for the performance of the contract for the provision of internet access and/or which it is obliged to retain for legal reasons (investigation of offences by the judicial authorities, etc.).
Once the contract has expired, this data must be kept by the company in order to protect itself against a lawsuit that could be brought against it, for the duration of the applicable statute of limitations. During this time, exercising the right to erasure would be ineffective: the company can refuse to erase your data.
On the other hand, once all the retention periods have expired, the company is obliged to comply with your request for deletion and to formally confirm that it has done so, on pain of unlawful data processing by the company.
To go further
The right to erasure can only be exercised on the following grounds
- the personal data are no longer necessary for the purposes for which they were collected or processed
- the data subject withdraws the consent on which the processing is based and there is no other legal basis for the processing
- the data subject objects to the processing and there are no compelling legitimate grounds for the processing
- the personal data have been processed unlawfully
- the personal data must be erased in order to comply with a legal obligation laid down by Union law or by the law of the Member State to which the controller is subject
The following justifications allow the data to continue to be processed even in the presence of a legitimate reason, where the processing is necessary
- to respect the exercise of the right to freedom of expression and information
- to comply with a legal obligation which requires processing under Union law or the law of the Member State to which the controller is subject, or to perform a task carried out in the public interest or in the exercise of official authority vested in the controller
- for reasons of public interest in the field of public health
- for archival purposes in the public interest, for scientific or historical research or for statistical purposes
- for the establishment, exercise or defence of legal claims
GDPR right of objection
What is it?
Any individual has the right to object at any time, to the use of his or her personal data by organisations, such as in the case of processing for commercial prospecting purposes. This is the case even if the processing serves a legitimate purpose.
Unlike the right to erasure, by exercising the right to object, the data subject asks the company not to process his or her data in the future, without necessarily requesting that it be erased.
Nevertheless, the right to object is relative. While in the majority of cases the data subject can exercise this right without giving reasons, some processing operations require legitimate reasons to be put forward in order to exercise the right to object. Specifically, the GDPR requires that its exercise be justified by “reasons relating to his or her particular situation”.
Your company sends out a newsletter about its latest news in order to maintain contact with your prospects. The email addresses of your prospects are therefore used for marketing purposes, and are based solely on the consent given to you by those prospects.
The prospects in question must be able to exercise their right of opposition under the GDPR, as soon as they feel that this processing (the use of their email address to send them prospecting messages) is no longer appropriate to them, so that their addresses are removed from the mailing lists.
This is why each email you send should contain an unsubscribe link: by using it, your contacts exercise their right to object, allowing them to oppose the sending of new emails to their addresses with a simple click.
To go further
How to exercise the right to object?
No formality is required. In other words, the data subject can proceed electronically via a specific form or an online account (website), having previously identified the controller.
The exercise of this right is free of charge, and should be possible for any data subject in a simple and intuitive way.
As with all the other rights discussed, it is essential to inform the data subject of the existence of his or her rights, as well as of the procedures for exercising them, for example by means of legal notices.
If there is no response, or an unsatisfactory response after one month, the data subject may decide to refer the matter to the relevant supervisory authority.
What are the limits of the right to object?
Article 38 of the GDPR sets out the limits to the right to object.
If the request to object does not concern commercial prospecting, the controller may justify his refusal on several grounds:
- If there are legitimate and compelling reasons for processing the data or the data are necessary for the establishment, exercise or defence of legal claims
- This right may be waived if the data subject has given his or her contractual consent or if the processing of personal data is based on a legitimate interest
GDPR Right to portability
What is it?
How can you avoid being locked into a contract with a company and recover your personal data in order to change service provider? This is the question that the right to portability answers.
A new right enshrined in the GDPR (since 25 May 2018), the portability request allows data subjects to have the possibility to retrieve their personal data in a structured, commonly used and machine-readable format, so that they can proceed with a data transfer to a new data controller.
The controller must inform data subjects of the existence of this new right in a “concise, transparent, comprehensible and easily accessible manner, in clear and simple terms”, in particular within the legal notice of the company’s website.
Data subjects should be aware of this right before closing an account so that they can transfer their personal data to another controller and start a new data processing.
My company, a supplier of connected TVs, processes the preference data of our customers, in order to offer them more comfort in their daily use. A potential new customer, obviously not satisfied with the services of one of my competitors, contacts my company to get a new connected TV.
But many of his preferences have been saved by the competitor’s system, and it would be impossible or too burdensome for him to save them again manually.
By exercising his right to data portability, he requires the previous provider to provide us with the data in a suitable format to re-enter the customer’s preferences into the new system.