Getting to know the GDPR, Part 4 – "Souped-up" individual rights.

A key area of proposed change under the General data Protection Regulation ("GDPR") relates to individual rights. The proposal is both to refresh individuals' existing rights, by clarifying and

Posted on 28 November 2015 (updated 4 March 2016).

A key area of change under the General Data Protection Regulation (“GDPR“) relates to individual rights. The GDPR refreshes individuals’ existing rights by clarifying and extending them, and introduces new rights. Most notably, the GDPR creates three new rights: the “right to be forgotten”, “right to restriction of processing” and the “right to data portability”.

What does the law require today? 

Currently, individuals have the following rights under the Data Protection Directive:

• The right to object to the processing of personal data exists in two situations.
  • Right to object to the processing of personal data: The data subject can object at any time on compelling legitimate grounds relating to his particular situation to the processing of data relating to him, save where otherwise provided by national legislation.
  • The data subject also has the right to object, on request and free of charge, to the processing of personal data relating to him for purposes of direct marketing activities.
• The right of access – this right permits individuals to query the data controller as to whether personal data related to them are being processed. Upon request, the data controller must also provide a copy of any such personal data. This copy must be provided without excessive delay and may be subject to payment of a small fee;
• The right to rectification, erasure or blocking of data – this right can only be exercised when the processing is not in compliance with the Data Protection Directive;
• The right not to be subjected to solely automated processes – this right applies where such processes evaluate the individual’s personal attributes, resulting in a decision that significantly affects him or has legal consequences for him.

The Data Protection Directive also requires the data controller to provide individuals with fair and transparent information about the processing of their personal data, including: the identity of the controller and of his representative; the purposes of the processing for which the data are intended; and any further information that is necessary to guarantee fair processing in respect of the data subject such as:

• the recipients or categories of recipients of the data,
• whether replies to the questions are obligatory or voluntary, as well as the possible consequences of failure to reply, and
• the existence of the right of access to and the right to rectify the data concerning him.

What will the General Data Protection Regulation require?

Proposed extension of existing rights

Most proposed modifications to the existing rights bring clarity without extending them too much.

• Under the GDPR, the obligation of the controller to inform the individuals has become aright to be provided with fair processing information. The bottom line is that the data controller will need to provide more detailed information, such as the source of the data and the retention period. In addition, the GDPR requires this information to be provided in an intelligible form, using clear and plain language that is adapted for the individual. The practical effect of this requirement is that policies will need to be drafted differently depending on whether they are aimed at children or adults.
• Regarding the right of access, under the GDPR, data controllers will be required to provide additional information to individuals (e.g. storage period of the data). Further, the proposed new requirements are somewhat more burdensome for businesses – in particular, businesses will need to set up a specific process in order to deal with access requests. Further, unless the request is “manifestly excessive“, data controllers will in principle be obliged to provide the information free of charge. This is an important change for countries that currently allow data controllers to charge a nominal fee for providing access to data. For any further copies requested by the data subject, the controller may charge a reasonable fee based on administrative costs. The data controller must also provide a copy of the data in electronic form upon request by the data subject.
• The rectification right is mostly the same and the changes will have very limited practical impact.
• More significantly, the right to object is now broader as, when the processing is based on the legitimate interests of the controller or is undertaken for direct marketing purposes, the individual can object without having to provide specific justifications.

Proposed new rights

A controversial right from the start, the proposed right to be forgotten was influenced by the CJEU’s decision in the Costeja v. Google case. In the final compromise text, the right to erasure applies in the following scenarios:

• The data are no longer needed for the original purpose;
• The data subject has withdrawn his/her consent and there are no other grounds for the processing of the data;
• The data subject has objected to the processing;
• A legal obligations requires the erasure of the data;
• The processing is unlawful;
• The data have been collected in relation to the offering of information society services to a child.

One of the controversial aspects of the right to be forgotten was the proposed obligation for the data controller who made the personal data public to take all reasonable steps to inform third parties which are processing such data, that the data subject requested the erasure of such data. The European Parliament suggested an ever stricter obligation, whereas the European Commission did not want to include such an obligation to liaise with third parties in any event.

The parties to the trilogue eventually agreed to a slightly watered-down version of the mechanism initially proposed by the European Commission: where the data controller has made the data subject’s personal data publicly available, it must take reasonable steps to inform third party controllers who are processing the data that the data subject has requested erasure of the data and any links to it. Such reasonable steps must take into account the available technology and the cost of implementation.

Several exceptions may apply to this right, for example, in relation to freedom of expression, tasks that are carried out in the public interest or for scientific or research purposes.

In addition, where a data subject has requested the rectification, erasure or restriction of processing of his personal data, the data controller also has an obligation to inform recipients of that data, unless this proves impossible or involves disproportionate effort.

The GDPR also introduces a new right to restriction of processing. This restriction can apply in different scenarios such as the contestation of the accuracy of the data, the unlawfulness of the processing or where there is an objection to the processing of the data.

When this right has been exercised by a data subject, with the exception of storage, the controller may only continue the processing of the data for legal claims purposes or with the consent of the data subject. According to recital 54(a), restriction of processing may be achieved by making the data unavailable to users or by temporarily removing published data from a website.

The other new right is the right to data portability. This right was created in order to improve the interoperability of data processing systems and to prevent data subjects from finding themselves “locked-in” to a particular service provider. This right puts a heavy burden on the data controller as it requires providing personal data to the data subject in a structured and commonly used format. Where technically feasible, the data subject can also require the data controller to transmit his or her personal data directly to another controller. However, this right is limited to cases where the data processing is based on the consent of the data subject, a contractual necessity or where the processing is carried out by automated means. Further, it relates only to personal data that the data subject has “provided” to the data controller (such as photos uploaded to a photo sharing service), so does not necessarily apply to all personal data that the data processor may process.

Finally, the GDPR now contains a definition of profiling and it requires explicit consent for automated processing (including profiling) which produces a legal effect or significantly affects an individual. This topic will be discussed in further detail in the contribution that specifically deals with big data analytics and profiling.

What are the practical implications?

• All businesses will have to update and revamp their privacy policies and data protection notices to make sure that the extended rights are properly addressed. Businesses should check that the data protection notices that they provide to individuals contain all the required information and are drafted using clear and plain language.
• Businesses will need to assess whether they should put in place new or updated processes and procedures to deal with the practical implications of the extended rights, e.g. a specific data procedure for dealing with access requests.
• The right to erasure, the right to restriction of the processing and the right to data portability will require significant changes to companies’ operational processes and IT systems to ensure data subject can exercise those rights effectively. Needless to say that it will not be easy for data controllers to comply with their obligation to take reasonable steps to inform third parties of the request to have data erased, especially if the data has gone viral.