DATA SUBJECTS RIGHTS, Lecture 1

  1. Right to Personal Data Access

Although the General Regulation represents a comprehensive legal act, it was created to simplify and strengthen the exercise of the rights of the data subject. Among other things, the Regulation prescribes that each individual has the right to access information on how personal data relating to them is collected, used, provided or otherwise processed, as well as to what extent such personal data is being processed and for which purpose.

  1. Right to be informed (transparency)

One of the basic principles prescribed in the General Regulation is transparent processing of personal data with respect to the data subject. Transparency is a comprehensive principle that embraces three central areas in the process of receiving personal data, namely: how data controllers provide information to data subjects about fair processing, how data controllers communicate with data subjects in relation to their rights, and how data controllers simplify the exercise of data subjects' rights.
Thus, the emphasis is on simplifying the process of searching for the information and on how the information is provided to the data subjects. Specifically, this means that the information should be presented in a concise, transparent and intelligible way and drafted in clear and plain language, especially when it comes to the processing of children's personal data.

  1. Right to rectification

One of the fundamental principles of personal data processing prescribed by the General Regulation is rectification. This principle is about the need for accurate and up-to-date information, which includes the obligation of the data controller to take every reasonable measure to enable the data subject to delete personal data that is inaccurate or invalid.
The data subject has the right to ask the data controller, without unnecessary delay, for the correction of inaccurate data relating to him or her. If the data subject considers that his or her personal data may be inaccurate, incomplete or imprecise, he or she may apply to the company or organization to correct such data. The data controller must do this without unnecessary delay (in principle within one month) or explain in written form why the request cannot be carried out.

Example:
A credit bureau processes information provided by your former landlord whereby it is stated that you owe him 3 months’ rent. You have just won a legal dispute and his claim for the 3 months’ rent was ruled to be unfounded. You may ask the credit bureau to correct the data it holds about you so that you aren’t put at a disadvantage in the future when credit requests are processed.

  1. Right to erasure (‘right to be forgotten’)

You can ask for your personal data to be deleted when, for example, the data the company holds on you is no longer needed or when your data has been used unlawfully.
This right also applies online and is often referred to as the ‘right to be forgotten’. In specific circumstances, you may ask companies that have made your personal data available online to delete it. Those companies are also obliged to take reasonable steps to inform other companies (controllers) that are processing the personal data that the data subject has requested the erasure of any links to, or copies of, that personal data.
The verdict of the Court of Justice of the European Union in the case of Google vs Costeja C-131/12 of 13 May 2014 introduced something new and a step forward in the struggle of an individual for his right to privacy. Everything started when Mario Costeja complained to Google in 2011 that, when his name and surname were entered in the search engine, the results showed his personal data next to the picture of his house that had been placed on public auction. In the meantime he has repaid his house. After five years of seeking the deletion of the disputed data from the Google search engine, the European Court of Justice made a verdict in his favour and ordered Google to delete the disputed and outdated information from the search results, which not only represented an invasion of private life but also damaged the reputation of Mr Costeja.
This verdict enabled individuals to submit a request to an internet search engine to permanently remove certain search results that include personal data related to them (name, surname, address, phone number, etc.), inter alia, when the personal data is no longer necessary in relation to the processing, when the data subject has withdrawn his or her consent to data processing, when personal data is processed unlawfully, etc.
However, this right is not absolute and is not applicable in cases where the data shown as a search result are necessary for the exercise of the right to freedom of expression and freedom of information, in order to respect legal obligations, to carry out tasks in the public interest, for reasons of public interest in the field of public health, for archiving purposes in the public interest, etc.
Thus, this right has limitations and does not apply, for example, to politicians: as persons working in the public interest, they cannot ask for the deletion of information given in the context of their political activity.

Example:
When you do an online search using your name and surname the results show a link to a newspaper article. The information in the newspaper dates back a number of years and is related to an issue – a real-estate auction connected with debt recovery proceedings – settled a long time ago that is now irrelevant. If you are not a public figure and your interest in having the article removed outweighs the general public’s interest in having access to the information then the search engine is obliged to remove links to web pages including your name and surname from the results.

  1. Right to restriction of processing

Each data subject has the right to obtain from the data controller a restriction of the processing of personal data relating to him or her, meaning that the data are not deleted from a particular database but their processing for a particular purpose is stopped.
This right can be exercised when the accuracy of the data concerned is contested, if the processing is unlawful and the data subject does not want the data to be deleted, if the data is no longer needed for the original purpose (but cannot yet be deleted for legal reasons) and if the data subject has filed a complaint and is awaiting an answer.
Generally speaking, in cases where it’s unclear whether and when personal data will have to be deleted, you may exercise your right to restriction of processing. That right can be exercised when the accuracy of the data in question is contested, when you don’t want the data to be erased, when the data is no longer needed for the original purpose but may not be deleted yet because of legal grounds, or when the decision on your objection to processing is pending.

Example:
A new bank on the domestic market offers good home loan deals. You are buying a new house and so decide to switch banks. You ask the ‘old’ bank to close down all accounts and request to have all your personal details deleted. The old bank, however, is subject to a law obliging banks to store all customer details for 10 years. The old bank is legally obliged to store your data but you can still ask for restriction of the data to make sure that it’s not accidentally used for unwanted purposes.

  1. Right to data portability

Every citizen has the right to choose a service provider independently on the basis of a new right, the right to data portability. By exercising this right, data subjects may ask one data controller to provide their personal data in a structured, commonly used and machine-readable format to another data controller.
This right allows for the direct transfer of personal data from one data controller to another, which in turn facilitates the change of service providers and, secondly, encourages the development of new services in the context of the free flow of personal data within the EU. This right could mistakenly be confused with the right of access to personal data, but while under the right of access personal data is provided directly to the data subject, the right to portability involves a link between the two data controllers at the data subject's request.
This right shall not apply to processing necessary to carry out public interest tasks or to exercise the official authority conferred on the data controllers.

Example:
You are a member of an online social media network. You decide that a new rival social media network is better suited to your aims and age-group. You can ask your current online social media network to transfer your personal data, including your photos, to the new social media network.

  1. Right to object

The business formula for success is gaining a competitive advantage in the market and maximizing profit. Forms of business in the digital age are based on the processing of large amounts of personal data, and often on the personalized offering of services such as direct marketing. In other words, the goal of each service provider is to know the user’s habits when choosing a service and to offer the product or service tailored exactly to the data subject.
In this regard, the Regulation stipulates that if your personal data is processed for direct marketing purposes, you have the right to object to the processing of personal data relating to you for the purposes of such marketing, including profiling to the extent that it relates to such direct marketing.
This right is also not absolute, and the data controller does not have to act upon your request if it proves that there are justified reasons for processing such data that override the rights and freedoms of the individual, or that the processing serves the purpose of exercising or defending legal claims.

Example:
You bought two tickets to see your favorite band play live through an online ticketing company. Afterwards, you are bombarded with adverts for concerts and events that you’re not interested in. You inform the online ticketing service company that you don’t want to receive further advertising material. The company should stop processing your personal data for direct marketing and, shortly afterwards, you should no longer receive emails from them. They shouldn’t charge you for this.

  1. Right regarding the automated individual decision-making, including profiling

Automated decision-making occurs when decisions about individuals are made by technological means without the possibility of human intervention. A now omnipresent form of automated processing of personal data is the creation of profiles, or “profiling”. A profile is created when your personal data and habits are tracked and collected in order to predict further behaviors, even if no decision is made. It is not a novelty that profiling and automated decision-making are often used in various sectors (e.g. banking, financial, health and the like). Although it seems to be an effective aspect of business, it is a form of personal data processing that can limit the choice of data subjects, and this kind of processing is also less transparent.
The data protection law establishes that you have the right not to be subject to a decision based solely on automated means, if the decision produces legal effects concerning you or significantly affects you in a similar way.
Although, as a general rule, you may not be the subject of a decision based solely on automated processing, this type of decision-making may exceptionally be allowed if the use of algorithms is allowed by law and suitable safeguards are provided.

Example:
You use an online bank for a loan. You are asked to insert your data and the bank’s algorithm tells you whether the bank will grant you the loan or not and gives the suggested interest rate. You must be informed that you may express your opinion, contest the decision and demand that the decision made via the algorithm be reviewed by a person.