The General Data Protection Regulation (GDPR) is set to replace the Data Protection Directive 95/46/EC effective May 25, 2018. The GDPR is directly applicable in each member state and will lead to a greater degree of data protection harmonization across EU nations.
Although many companies have already adopted privacy processes and procedures consistent with the Directive, the GDPR contains a number of new protections for EU data subjects and threatens significant fines and penalties for non-compliant data controllers and processors once it comes into force in the spring of 2018.
With new obligations on such matters as data subject consent, data anonymization, breach notification, trans-border data transfers, and appointment of data protection officers, to name a few, the GDPR requires companies handling EU citizens’ data to undertake major operational reform.
This is the sixth in a series of articles addressing the top 10 operational impacts of the GDPR.
Enhancing existing individual rights and creating new rights to be forgotten and to data portability
As part of its effort to expand individual control over the use of personal data, the GDPR introduces two new rights. First, the regulation codifies a right to be forgotten, following on the recognition of a similar right by a 2014 case from the European Court of Justice. This right allows individuals to request the deletion of personal data, and, where the controller has publicized the data, to require other controllers to also comply with the request. Second, the right to data portability requires controllers to provide personal data to the data subject in a commonly used format and to transfer that data to another controller if the data subject so requests.
The GDPR also augments the existing rights of data subjects to receive notice about processing activities, gain access to the information that is being processed, and to have the controller rectify inaccuracies. The data subject’s right to object to processing is broader than under the Directive, moreover, allowing her to object to processing at any time, unless the controller has compelling legitimate grounds.
To keep up with the augmented rights under the regulation, data controllers will have to implement processes for handling and documenting requests from data subjects.
A right to erasure and the right to be forgotten
In a significant departure from Directive 95/46/EC, the GDPR recognizes a “right to erasure.” This right builds on and expands the so-called “right to be forgotten” recognized by the European Court of Justice in its Google Spain v. AEPD and Mario Costeja González ruling in 2014. There, the Court required search engines, upon a person’s request, to remove links to webpages that appear when searching that person’s name unless “the preponderant interest of the general public” in having access to the information justifies the search engine’s refusal to comply with the request.
The GDPR for the first time codifies the right and applies it to all controllers. Under Article 17, controllers must erase personal data “without undue delay” if the data is no longer needed, the data subject objects to the processing, or the processing was unlawful. Recital 65 explains that this right is especially relevant when a child consents to processing and later wants to remove the information, even if he is no longer a child. However, the right is not unlimited. It must be balanced against freedom of expression, the public interest in health, scientific and historical research, and the exercise or defense of legal claims.
The right to erasure extends additional obligations to any controller that makes personal data public, especially online. Where a data subject requests the erasure of data that has been made public, the controller must take “reasonable steps” to inform other controllers that are processing the data about the person’s objection, unless it would require “disproportionate effort.” Any controller processing the data must then erase copies of it or links to it. Whether the steps taken are “reasonable” will depend on the available technology and the cost of implementation.
Article 18 establishes a procedure for when there is disagreement over whether the right to erasure applies. The data subject is entitled to seek the “restriction of processing” for the time needed to verify whether information is accurate if she contests its accuracy. The data subject also may request a restriction where the controller no longer needs the data, but the data subject needs it for a legal claim. Finally, he may request a restriction where he has objected to processing but the controller seeks to prove it has compelling legitimate grounds for overriding the objection.
When a data subject requests the restriction of processing, the controller should temporarily remove the data from a general filing system or from a public website so as to avoid further processing. Recital 67 specifies that controllers should flag the restricted data in a way that makes clear that processing is restricted.
A new right to data portability
One of the responses of the GDPR to the so-called “Big Data” trend is the creation of a new right to data portability that aims to increase user choice of online services.
Where controllers process personal data through “automated means,” Article 20 grants data subjects the right to receive the personal data concerning them. Controllers must provide the data in a commonly used and “machine-readable” format, and data subjects have the right to transmit that data to any other controller. Where feasible, the controller may even be required to transmit the data directly to a competitor. However, Recital 68 specifies that it does not impose an obligation for controllers to adopt processing systems that are technically compatible.
The right to data portability applies only when processing was originally based on the user’s consent or on a contract. It does not apply to processing based on a public interest or the controller’s legitimate interests.
Enhanced rights to notice, access, rectification and to object to processing
Under the Directive, controllers had to provide data subjects with certain minimum information before collecting personal data. These disclosures included the identity of the controller, the purposes of processing, and any recipients of personal data. The Directive also provided data subjects with a right of access to data, which required controllers to confirm what data they were processing and the logic involved in any automatic processing operations. If a controller processed information in violation of the Directive, data subjects could block the processing and request the erasure or rectification of the data. Data subjects could also object in narrow circumstances where they could demonstrate compelling legitimate grounds or where the data was used for direct marketing.
The GDPR increases the number of disclosures a controller must make before collecting personal data. In addition to the identity of the controller, the purposes for processing, and any recipients of personal data, Article 13 requires controllers to disclose how long the data will be stored. Controllers also must inform data subjects of the right to withdraw consent at any time, the right to request access, rectification or restriction of processing, and the right to lodge a complaint with a supervisory authority. Furthermore, these disclosures must be intelligible and easily accessible, using clear and plain language that is tailored to the appropriate audience. Thus, policies aimed at children will have to be drafted in a way that children can understand. For controllers that receive the data from a source other than the data subject – from another controller or a public record, for instance – disclosure is not necessary if it would require a “disproportionate effort.”
Article 15 establishes a right of access that is more robust than what was required by the Directive. Users will have a right to request a copy of their personal data undergoing processing. They may also request to know the purposes of processing, the period of time for which data will be stored, the identity of any recipients of the data, the logic of automatic data processing, and the consequences of any profiling. Controllers will have to set up processes for responding to access requests and, in particular, for verifying the identity of a data subject who requests access. Recital 63 recognizes, however, that the right of access needs to be balanced against other rights, such as intellectual property, trade secrecy and copyright protections for software. In cases where the controller processes “a large quantity of information” about the data subject, it may require the data subject to specify the information or processing activities at issue in the request.
The right to object to processing is significantly expanded under Article 21. Whereas under the Directive, a data subject could only object to processing where she could demonstrate compelling legitimate grounds, the GDPR flips the burden, allowing a data subject to object any time processing is based on public interest (Article 6(1)(e)) or the legitimate interests of the controller (Article 6(1)(f)), unless the controller demonstrates compelling legitimate grounds. This is in addition to the data subject’s right to withdraw consent whenever processing is based on consent. Like the Directive, the GDPR also allows a data subject to object to processing for direct marketing at any time, and Article 16 grants the right to correct inaccurate information.
Businesses will need to implement effective user interfaces
In the process of heightening user control over data, these expanded rights will create new challenges for controllers to implement systems that are responsive to user requests concerning their data. To this end, Article 12 requires controllers to provide “modalities” to facilitate the exercise of data subject rights. These modalities likely will include user interfaces and customer support services.
Controllers should communicate with data subjects “in a concise, transparent, intelligible and easily accessible form, using clear and plain language.” Where a data subject seeks to exercise one of the above rights, the controller must take the appropriate action “without undue delay” or at the latest within a month of the request. The controller may, however, seek an extension “where necessary” because of a high number of requests. If the controller opts not to grant the request, it must explain its decision to the data subject within one month. All these services must be free of charge, unless the requests are “manifestly unfounded or excessive.”
Controllers will face a difficult challenge in trying to authenticate users to process their requests. Article 12 provides that a controller may refuse to act on a request if it “demonstrates that it is not in a position to identify the data subject.” On the other hand, if it has “reasonable doubts” about the identity of the person making a request, it can ask the person for additional information to confirm his or her identity. Recital 57 lends little in the way of clarity: Controllers are not required to take additional information in order to identify the data subject, but they also should not refuse to take such information if the data subject offers it in the exercise of his rights.
Controllers will have to be thoughtful in implementing systems that on the one hand minimize the collection of data while on the other hand ensure accurate authentication to avoid abuse. The GDPR requires companies that engage in “regular and systematic monitoring of data subjects on a large scale” to appoint data protection officers with responsibility for overseeing these systems.
For these companies, managing access requests and the right to be forgotten likely will be a major focus for their new DPOs.
Looking to dive deeper into the General Data Protection Regulation to read the text regarding data subject rights for yourself? Find the full text of the Regulation here in our Resource Center.
You’ll want to focus on these portions:
(57) If the personal data processed by a controller do not permit the controller to identify a natural person, the data controller should not be obliged to acquire additional information in order to identify the data subject for the sole purpose of complying with any provision of this Regulation. However, the controller should not refuse to take additional information provided by the data subject in order to support the exercise of his or her rights. Identification should include the digital identification of a data subject, for example through authentication mechanism such as the same credentials, used by the data subject to log-in to the on-line service offered by the data controller.
(58) The principle of transparency requires that any information addressed to the public or to the data subject be concise, easily accessible and easy to understand, and that clear and plain language and, additionally, where appropriate, visualisation be used. Such information could be provided in electronic form, for example, when addressed to the public, through a website. This is of particular relevance in situations where the proliferation of actors and the technological complexity of practice make it difficult for the data subject to know and understand whether, by whom and for what purpose personal data relating to him or her are being collected, such as in the case of online advertising. Given that children merit specific protection, any information and communication, where processing is addressed to a child, should be in such a clear and plain language that the child can easily understand.
(59) Modalities should be provided for facilitating the exercise of the data subject’s rights under this Regulation, including mechanisms to request and, if applicable, obtain, free of charge, in particular, access to and rectification or erasure of personal data and the exercise of the right to object. The controller should also provide means for requests to be made electronically, especially where personal data are processed by electronic means. The controller should be obliged to respond to requests from the data subject without undue delay and at the latest within one month and to give reasons where the controller does not intend to comply with any such requests.
(60) The principles of fair and transparent processing require that the data subject be informed of the existence of the processing operation and its purposes. The controller should provide the data subject with any further information necessary to ensure fair and transparent processing taking into account the specific circumstances and context in which the personal data are processed. Furthermore, the data subject should be informed of the existence of profiling and the consequences of such profiling. Where the personal data are collected from the data subject, the data subject should also be informed whether he or she is obliged to provide the personal data and of the consequences, where he or she does not provide such data. That information may be provided in combination with standardised icons in order to give in an easily visible, intelligible and clearly legible manner, a meaningful overview of the intended processing. Where the icons are presented electronically, they should be machine-readable.
(61) The information in relation to the processing of personal data relating to the data subject should be given to him or her at the time of collection from the data subject, or, where the personal data are obtained from another source, within a reasonable period, depending on the circumstances of the case. Where personal data can be legitimately disclosed to another recipient, the data subject should be informed when the personal data are first disclosed to the recipient. Where the controller intends to process the personal data for a purpose other than that for which they were collected, the controller should provide the data subject prior to that further processing with information on that other purpose and other necessary information. Where the origin of the personal data cannot be provided to the data subject because various sources have been used, general information should be provided.
(62) However, it is not necessary to impose the obligation to provide information where the data subject already possesses the information, where the recording or disclosure of the personal data is expressly laid down by law or where the provision of information to the data subject proves to be impossible or would involve a disproportionate effort. The latter could in particular be the case where processing is carried out for archiving purposes in the public interest, scientific or historical research purposes or statistical purposes. In that regard, the number of data subjects, the age of the data and any appropriate safeguards adopted should be taken into consideration.
(63) A data subject should have the right of access to personal data which have been collected concerning him or her, and to exercise that right easily and at reasonable intervals, in order to be aware of, and verify, the lawfulness of the processing. This includes the right for data subjects to have access to data concerning their health, for example the data in their medical records containing information such as diagnoses, examination results, assessments by treating physicians and any treatment or interventions provided. Every data subject should therefore have the right to know and obtain communication in particular with regard to the purposes for which the personal data are processed, where possible the period for which the personal data are processed, the recipients of the personal data, the logic involved in any automatic personal data processing and, at least when based on profiling, the consequences of such processing. Where possible, the controller should be able to provide remote access to a secure system which would provide the data subject with direct access to his or her personal data. That right should not adversely affect the rights or freedoms of others, including trade secrets or intellectual property and in particular the copyright protecting the software. However, the result of those considerations should not be a refusal to provide all information to the data subject. Where the controller processes a large quantity of information concerning the data subject, the controller should be able to request that, before the information is delivered, the data subject specify the information or processing activities to which the request relates.
(64) The controller should use all reasonable measures to verify the identity of a data subject who requests access, in particular in the context of online services and online identifiers. A controller should not retain personal data for the sole purpose of being able to react to potential requests.
(65) A data subject should have the right to have personal data concerning him or her rectified and a ‘right to be forgotten’ where the retention of such data infringes this Regulation or Union or Member State law to which the controller is subject. In particular, a data subject should have the right to have his or her personal data erased and no longer processed where the personal data are no longer necessary in relation to the purposes for which they are collected or otherwise processed, where a data subject has withdrawn his or her consent or objects to the processing of personal data concerning him or her, or where the processing of his or her personal data does not otherwise comply with this Regulation. That right is relevant in particular where the data subject has given his or her consent as a child and is not fully aware of the risks involved by the processing, and later wants to remove such personal data, especially on the internet. The data subject should be able to exercise that right notwithstanding the fact that he or she is no longer a child. However, the further retention of the personal data should be lawful where it is necessary, for exercising the right of freedom of expression and information, for compliance with a legal obligation, for the performance of a task carried out in the public interest or in the exercise of official authority vested in the controller, on the grounds of public interest in the area of public health, for archiving purposes in the public interest, scientific or historical research purposes or statistical purposes, or for the establishment, exercise or defence of legal claims.
(66) To strengthen the right to be forgotten in the online environment, the right to erasure should also be extended in such a way that a controller who has made the personal data public should be obliged to inform the controllers which are processing such personal data to erase any links to, or copies or replications of those personal data. In doing so, that controller should take reasonable steps, taking into account available technology and the means available to the controller, including technical measures, to inform the controllers which are processing the personal data of the data subject’s request.
(67) Methods by which to restrict the processing of personal data could include, inter alia, temporarily moving the selected data to another processing system, making the selected personal data unavailable to users, or temporarily removing published data from a website. In automated filing systems, the restriction of processing should in principle be ensured by technical means in such a manner that the personal data are not subject to further processing operations and cannot be changed. The fact that the processing of personal data is restricted should be clearly indicated in the system.
(68) To further strengthen the control over his or her own data, where the processing of personal data is carried out by automated means, the data subject should also be allowed to receive personal data concerning him or her which he or she has provided to a controller in a structured, commonly used, machine-readable and interoperable format, and to transmit it to another controller. Data controllers should be encouraged to develop interoperable formats that enable data portability. That right should apply where the data subject provided the personal data on the basis of his or her consent or the processing is necessary for the performance of a contract. It should not apply where processing is based on a legal ground other than consent or contract. By its very nature, that right should not be exercised against controllers processing personal data in the exercise of their public duties. It should therefore not apply where the processing of the personal data is necessary for compliance with a legal obligation to which the controller is subject or for the performance of a task carried out in the public interest or in the exercise of an official authority vested in the controller. The data subject’s right to transmit or receive personal data concerning him or her should not create an obligation for the controllers to adopt or maintain processing systems which are technically compatible. Where, in a certain set of personal data, more than one data subject is concerned, the right to receive the personal data should be without prejudice to the rights and freedoms of other data subjects in accordance with this Regulation. 
Furthermore, that right should not prejudice the right of the data subject to obtain the erasure of personal data and the limitations of that right as set out in this Regulation and should, in particular, not imply the erasure of personal data concerning the data subject which have been provided by him or her for the performance of a contract to the extent that and for as long as the personal data are necessary for the performance of that contract. Where technically feasible, the data subject should have the right to have the personal data transmitted directly from one controller to another.
(69) Where personal data might lawfully be processed because processing is necessary for the performance of a task carried out in the public interest or in the exercise of official authority vested in the controller, or on grounds of the legitimate interests of a controller or a third party, a data subject should, nevertheless, be entitled to object to the processing of any personal data relating to his or her particular situation. It should be for the controller to demonstrate that its compelling legitimate interest overrides the interests or the fundamental rights and freedoms of the data subject.
(70) Where personal data are processed for the purposes of direct marketing, the data subject should have the right to object to such processing, including profiling to the extent that it is related to such direct marketing, whether with regard to initial or further processing, at any time and free of charge. That right should be explicitly brought to the attention of the data subject and presented clearly and separately from any other information.
Article 12: Transparent information, communication and modalities for exercising the rights of the data subject
Article 13: Information to be provided where the data are collected from the data subject
Article 14: Information to be provided where the data have not been obtained from the data subject
Article 15: Right of access for the data subject
Article 16: Right to rectification
Article 17: Right to erasure (“right to be forgotten”)
Article 18: Right to restriction of processing
Article 19: Notification regarding rectification, erasure or restriction
Article 20: Right to data portability
Article 21: Right to object