Although the GDPR is directed at data controllers, its primary focus is protecting data subjects (the users whose data is processed), which is evident from its opening sections. Chapter three of the GDPR identifies eight explicit rights to which every European is entitled, and your organization must uphold them through its data privacy measures. These eight user rights are listed below.
8 GDPR Data Subject Rights
Below is a list of 8 data subject rights under the GDPR:
1. Right to be informed
The right to be informed grants individuals (data subjects) the ability to learn about the personal data being collected about them: its purpose, who is collecting it, how long it will be retained, and how it may be shared or stored. The organization collecting the data (also known as the data controller) is required to provide comprehensive information on the following:
- Contact information for the data controller
- The intended use of the data being collected
- The legal basis for processing personal data
- Details on any third parties involved in the data collection
- The duration of time the data will be retained
- The rights that the data subject holds
- The ability for the data subject to file a complaint
- Whether the individual is legally obligated to provide their personal data
All of this information must be conveyed in clear and concise language.
2. Right to access
Individuals have the right to request access to their personal information from the organization and find out if it is being processed. The organization must then provide the individual with a copy of their personal data along with the following information:
- The purpose behind processing the data
- The categories of personal data being processed
- Any third parties or international organizations with whom the data is shared
- The duration for which the organization will hold the data (data retention period)
- Details regarding the individual’s GDPR rights (such as the right to rectify, erase, or restrict processing)
- Information on any automated decision-making or profiling
- The source of the collected data (if it was not directly collected from the individual)
3. Right to rectification
Individuals have the right to request the correction of any erroneous or incomplete information that an organization holds about them. The organization is obligated to respond within one month of a request, confirming that the data is indeed erroneous and making the necessary changes. This right poses new challenges for organizations, as rectifying inaccuracies in one dataset can have a ripple effect across the entire database.
4. Right to erasure (or Right to be forgotten)
This right enables individuals to request the deletion of their personal data in various situations. These include cases where the data has been processed unlawfully, or where the data controller has no valid reason to continue processing it. There are exceptions that allow organizations to decline such requests, such as situations involving the public interest or legal compliance. Whenever a data subject exercises their right to erasure, the organization in question must inform the third parties with which the data was shared and request that they delete the relevant data as well. Adherence to this provision is obligatory unless it can be proven that fulfilling the request is impossible or requires disproportionate effort. Many companies have had to develop and implement new notification procedures and systems, complicating existing compliance efforts.
5. Right to restrict processing
Individuals have the right to ask an organization to limit its use of their personal data, but this doesn’t automatically mean the data will be deleted. The organization must stop processing the data if:
- The data is inaccurate
- The processing is illegal but the individual requests limited use (which is not the same as asking for erasure)
- The data controller no longer needs the data but the individual wants to keep it for legal reasons
- The organization is verifying a request to delete data
Once data is under restriction, the organization cannot process it without the individual’s consent or if it’s necessary for legal claims or for the protection of other people’s rights.
6. Right to data portability
Data portability is a new addition to the set of rights granted to data subjects, enabling them to obtain the personal data they previously provided to an organization in a structured, commonly used, machine-readable format. Furthermore, they can demand that their data be transmitted directly to another company. This only applies, however, to data processed on the basis of the individual’s consent or a contract with the organization (data controller), and only where the processing is carried out by automated means (paper records are not covered). It also covers data concerning the individual’s activity, such as search history, location data, website use, and so on.
7. Right to object
In certain situations, individuals have the right to object to the processing of their personal data, depending on the purpose and the lawful basis for processing. This right enables individuals to stop the processing of their data for direct marketing at any time. Moreover, individuals can object to the processing of their data that is based on legitimate interest or on tasks that serve the public interest.
8. Right not to be subjected to automated decision-making
The GDPR has introduced stringent rules on the handling of personal data by automated means. This encompasses various forms of profiling that use specific personal details of an individual to predict or analyze their behavior, such as workplace performance, financial standing, health, preferences, interests, reliability, conduct, or location.
Data subjects now have the right to refuse automated decision-making, especially where it produces a legal or similarly significant effect on them. Nevertheless, this right does not apply in certain scenarios, such as when the processing is required to execute a contract, when it is authorized by law, or when it relies on the individual’s explicit consent.
How Lepide Helps Complete Data Subject Access Requests
In order to fulfil Subject Access Requests (SARs), data controllers must have provisions in place to ensure that they can locate the relevant personal information in a timely manner. Companies that store large amounts of unstructured data spread over multiple systems will likely struggle with this. Fortunately, there are solutions available that can make the process of responding to SARs much easier.
The Lepide Data Security Platform comes with an integrated data classification tool that scans your repositories (both on-premises and cloud-based) and classifies personal data as it is found. It can also classify data in accordance with the relevant data privacy regulations, such as the GDPR. Via the intuitive dashboard you can search for all data relating to a specific individual, and even generate detailed DSAR reports that can be sent to the relevant parties.
If you’d like to see how the Lepide Data Security Platform can help you comply with the GDPR, schedule a demo with one of our engineers.