Updated: Apr 13
The GDPR has always been mainly about the rights of data subjects, such as the rights of access and rectification, data portability and restriction of processing, to name a few. With that said, let us discuss the rights imposed by the regulation, with sample scenarios and their application.
To start, let us discuss the Right of Access by the Data Subject:
The third chapter of the regulation covers the rights of data subjects. Articles 13-15 set out the provisions on the right of access to personal data. The right to rectification is found in Chapter IV, Article 16 of the GDPR.
While the right of access existed long before the GDPR, the regulation brought some new guidelines on the matter. For example, the response time for a data subject's request to access data is reduced from 40 days to only 1 month. Controllers may not charge data subjects a fee for exercising this right. If, however, the data subject's requests are excessive or unreasonable in number, controllers are allowed to set an appropriate fee per request or simply deny access.
Controllers, however, are still responsible for having concrete proof that the data subject's request is excessive or unfounded. If the controller decides not to grant access, he/she is obligated to provide a valid reason within one month after the request. If the controller grants the request, the answer should be brief, clear, understandable and easily accessible. All the information should be provided in written or electronic form.
But what types of data do data subjects have the right to access?
Article 15 of the GDPR outlines the types of information that controllers can provide. First and foremost, data subjects have the right to access information about the reason for processing their data and the categories of personal data that will be used. This information should also be present in the forms used when asking for consent. If the data subject is still sceptical about the processing, they have the right to ask for the information again. The recipients of the data are another piece of information that should be disclosed to data subjects, particularly if the processing involves countries and organizations outside of the EU.
Controllers should also inform data subjects of the period for which the data will be stored or the criteria used to determine that period. Automated decision-making of any kind, including profiling, should be disclosed to data subjects. Data subjects also have the right to a free copy of their data unless it would interfere with the rights and freedoms of other data subjects.
If you're still wondering why data subjects would request such data, here are some examples. One is the case of names that sound the same but are spelt differently, like Britney or Brittany. Another is when a data subject is in doubt about the transparency of the processing of their data. To remove doubts about the use of their data, controllers should provide the information necessary to verify that the purpose the data subject consented to is what the processing was really for. It is also important for controllers to be cautious and vigilant about the identity of the data subject, to ensure that they are not disclosing information to impostors and to prevent possible breaches.
Should the data subject decide to seek rectification, Article 16 of the GDPR states:
"The data subject shall have the right to obtain from the controller without undue delay the rectification of inaccurate personal data concerning him or her. Taking into account the purposes of the processing, the data subject shall have the right to have incomplete personal data completed, including by means of providing a supplementary statement."
Data subjects have the right to rectification when any of their given information is incorrect and/or incomplete. If, for example, rectification is necessary because the data subject's information, such as their address, has been tampered with, the rectification should take effect within one month. If, and only if, the case is complicated and requires an ample amount of time to process, controllers have the right to ask for an extension of up to 2-3 months.
In conclusion, the right of access and the right to rectification are mutually exclusive. The most significant change that the General Data Protection Regulation brought to these rights is the shorter time frame for implementation. The "no fee" rule is also an indicator of its goal to return to data subjects the power over their personal data.