In legislating for the GDPR the European Union codifies the primacy of data protection in European law. EU law will grant enhanced rights to EU citizens and residents (Data Subjects) which are superior to those enjoyed by citizens or residents of any other major state. These rights can be summarised under two broad headings as the “right of access” and “right to rectification”.
Naturally, every right created for one party places obligations on another party. By enhancing the rights of the citizen, other rights, especially the rights of organisations to process data and generate profits, are restricted. These restrictions on organisations will be the subject of a different post. This post focuses on the key rights conferred upon EU citizens by the GDPR.
Right of access and right to rectification
The right of access is defined in Article 15 of the GDPR and states “The data subject shall have the right to obtain from the controller confirmation as to whether or not personal data concerning him or her are being processed…..”
This article grants Citizens the right to ask corporations and other organisations for a copy of the data being held about them. The legal text continues to explicitly outline six categories of information which must be furnished.
- The purposes of the processing. (The why question)
- The categories of personal data in question. (The what question)
- The recipients or categories of recipient to whom the personal data have been or will be disclosed such as recipients in third countries or international organisations. (The who question)
- If it is possible, the period for which controllers are planning to store the personal data or if it is not possible, the criteria used to determine that period. (The how long question)
- If the personal data are not collected from the data subject, any available information as to its source. (The who else question)
- The existence of automated decision-making, including profiling and at least meaningful information in these cases about the logic involved, the significance of this processing for the data subject, and the envisaged consequences. (The how question)
Once the citizen has received the data, they are permitted to act on it in 2 ways: request a correction or erasure from the organisation, or complain to an outside party.
- The existence of the right to request from the controller rectification or erasure of personal data or restriction of the processing of personal data concerning the data subject or to object to such processing.
- The right to lodge a complaint with a supervisory authority.
This single Article 15 of the GDPR does a good job of summarising the entire 80+ pages. The 6+2 bullets outlined above cover most of what is key in the GDPR from a citizen or resident’s perspective.
A selection of further rights
The right to rectification in Article 16 expands on what is written above when it says:
“The data subject shall have the right to obtain from the controller without undue delay the rectification of inaccurate personal data concerning him or her. Taking into account the purposes of the processing, the data subject shall have the right to have incomplete personal data completed, including by means of providing a supplementary statement.”
Note here the introduction of a supplementary statement in the legal text.
The right to erasure (also known as “the right to be forgotten”) is to be found in Article 17. It can be seen as a logical extension of the right to rectification and mandates that organisations “erase personal data without undue delay” when so requested by a citizen.
If required a citizen can avail of the right to restriction of processing which is contained in Article 18, a step short of erasure. Restriction prevents an organisation processing personal data in any way except for storage. This may be to permit data to be verified after correction, or because data can’t be fully erased for legal reasons.
The right to data portability, laid out in Article 20, means that a citizen can demand their own data from an organisation in a “structured, commonly used and machine-readable format”, which can then be exported to another service provider.
Interestingly Article 22 establishes the right not to be subjected to a decision by an algorithm. Specifically it says:
“The data subject shall have the right not to be subject to a decision based solely on automated processing, including profiling, which produces legal effects concerning him or her or similarly significantly affects him or her.”
To vindicate all these rights, Article 80 permits citizens to get not-for-profit bodies, organisations or associations to act on their behalf by lodging complaints, receiving compensation etc. In addition, if the citizen has not been successful in dealing with the organisation directly, Article 77 ensures that data subjects have the right to lodge a complaint with a supervisory authority.
There is also a right to an effective judicial remedy against decisions of supervisory authorities. Article 78 ensures that reviews are not just pro forma processes. Finally Article 79 lays out the right to an effective judicial remedy against a controller or processor.