GDPR, Something Stringent Building Sway, Part III

GDPR Data Subject Rights, Remedies, and Terminology

GDPR an Overview: Data Subject Rights, Remedies, and Terminology

Last time we considered the applicability and the principles of the GDPR. Now we take a closer look at the rights and remedies granted to the data subject, including but not limited to the right to be informed, the right to erasure, the right to restriction of processing, and the right not to be subject to automated decision-making, and at some of the GDPR's terminology, direct and implied. First, the rights and remedies:

·  Right to be informed: Data subjects have the right to be provided with clear and concise information about the identity and contact details of the data controller and processor, the purposes and legal basis of the processing, the recipients or categories of recipients of the personal data, the existence of the data subject’s rights, and the period for which the personal data will be stored or the criteria used to determine that period.

·  Right of access: Data subjects have the right to obtain from the data controller confirmation as to whether or not personal data concerning them are being processed, and, where that is the case, access to the personal data and additional information, such as the purposes of the processing, the categories of personal data concerned, the recipients or categories of recipients of the personal data, the existence of the data subject’s rights, and the source of the personal data if not collected from the data subject.

·  Right to rectification: Data subjects have the right to obtain from the data controller without undue delay the rectification of inaccurate personal data concerning them, and to have incomplete personal data completed, taking into account the purposes of the processing.

·  Right to erasure: Data subjects have the right to obtain from the data controller the erasure of personal data concerning them without undue delay, and the data controller must erase personal data without undue delay, where one of the following grounds applies: the personal data are no longer necessary to the purposes for which they were collected or otherwise processed; the data subject withdraws consent on which the processing is based and where there is no other legal ground for the processing; the data subject objects to the processing and there are no overriding legitimate grounds for the processing; the personal data have been unlawfully processed; the personal data have to be erased for compliance with a legal obligation; or the personal data have been collected in relation to the offer of information society services to a child.

·  Right to restriction of processing: Data subjects have the right to obtain from the data controller restriction of processing, where one of the following applies: the accuracy of the personal data is contested by the data subject, for a period enabling the data controller to verify the accuracy of the personal data; the processing is unlawful and the data subject opposes the erasure of the personal data and requests the restriction of their use instead; the data controller no longer needs the personal data for the purposes of the processing, but they are required by the data subject for the establishment, exercise, or defence of legal claims; or the data subject has objected to the processing pending the verification whether the legitimate grounds of the data controller override those of the data subject.

·  Right to data portability: Data subjects have the right to receive the personal data concerning them, which they have provided to a data controller, in a structured, commonly used, and machine-readable format, and have the right to transmit those data to another data controller without hindrance from the data controller to which the personal data have been provided, where the processing is based on consent or a contract and the processing is carried out by automated means.

·  Right to object: Data subjects have the right to object, on grounds relating to their particular situation, at any time to the processing of personal data concerning them, where the processing is based on the legitimate interests of the data controller or on a task carried out in the public interest or in the exercise of official authority vested in the data controller, or where the processing is for direct marketing purposes or scientific, historical, or statistical purposes. The data controller shall no longer process the personal data unless the data controller demonstrates compelling legitimate grounds for the processing which override the interests, rights, and freedoms of the data subject or for the establishment, exercise, or defence of legal claims.

·  Right not to be subject to automated decision-making: Data subjects have the right not to be subject to a decision based solely on automated processing, including profiling, which produces legal effects concerning them or similarly significantly affects them, unless the decision is necessary for entering into or performing a contract between the data subject and the data controller, or is authorized by law, or is based on the data subject’s explicit consent. In such cases, the data subject has the right to obtain human intervention from the data controller, to express their point of view, and to contest the decision.

Remedies

GDPR remedies give data subjects the right to lodge complaints with a supervisory authority and the right to an effective judicial redress against a data controller or processor. Moreover, the GDPR allows data subjects to bring a class action for compensation for damages resulting from an infringement of the GDPR.

The GDPR imposes strict obligations and responsibilities on data controllers and processors and empowers supervisory authorities to monitor and enforce compliance with the GDPR. The GDPR also establishes a mechanism for cooperation and consistency among supervisory authorities across the EU, and a role for the European Data Protection Board as an independent body that issues guidelines, recommendations, and best practices on the application of the GDPR. The GDPR also sets out rules for the transfer of personal data to third countries or international organizations, which must ensure an adequate level of data protection or provide appropriate safeguards, such as binding corporate rules, standard contractual clauses, or certification mechanisms.

The GDPR is a momentous piece of legislation that has a significant impact on the data protection landscape in the EU and beyond. It aims to protect the fundamental rights and freedoms of individuals in the digital age and to foster a culture of accountability and transparency among data controllers and processors. The GDPR also seeks to create a single market for data and to facilitate the free flow of personal data within the EU and with third countries that offer adequate protection. The GDPR is a complex and comprehensive law that requires a high level of awareness and compliance from all stakeholders involved in the processing of personal data.

 

Terminology

GDPR main terminology, with explanations:

·  Data Analyst: Someone skilled at analysing data.

·  Data Breach: The unauthorized or unlawful access, disclosure, alteration, or loss of personal data.

·  Data Controller or Business: The entity that determines the purposes and means of the processing of personal data.

·  Data Fluency: Like being fluent in a language, data fluency enables people to express ideas about data in a shared language. In a business context, data fluency connects employees across roles through a set of standards, processes, tools and terms.

·  Data Processor or Service Provider: The entity that processes personal data on behalf of the data controller.

·  Data Subject or Consumer: The individual whose personal data are processed.

·  EU Directive: Applicable to all Member States. Sets certain aims, requirements and concrete results that must be achieved in every Member State. Sets a process for it to be implemented by Member States. National authorities must create or adapt their legislation to meet these aims by the date specified in each given Directive.

·  EU Regulation: Immediately applicable and enforceable by law in all Member States. As good practice, Member States issue national legislation that defines the competent national authorities, inspection and sanctions on the subject matter.

·  Information society service: A service provided at a distance, by electronic means and at the individual request of a recipient of services.

·  Personal data or information: Any information that can identify or relate to a natural person, either directly or indirectly.

Conclusion

The GDPR is a momentous piece of legislation that has a significant impact on the data protection landscape in the EU and beyond. It provides data subjects with the right to be informed, right of access, right to rectification, right to erasure, right to restriction of processing, right to data portability, right to object, right not to be subject to automated decision-making, and the right to lodge a complaint with a supervisory authority. The legislation imposes strict obligations and responsibilities on data controllers and processors. Towards that end, it defines several terms and implies others, such as personal data, data subject or consumer, data controller, data processor, data breach, data fluency, data analyst, EU Directive, EU Regulation, &c. It also sets out rules for the transfer of personal data to third countries or international organizations. Next time we look at international issues and challenges consequent on the GDPR.

–Richard Thomas

 
