Individual Rights Provided by General Data Protection Regulation (‘GDPR’)
As compliance with GDPR in period ahead of less than 3 months is an absolute must, essentially for those who must deal with data protection both for profit-driven goals and for reputational stability and security. The following sections will explain only a part of the regulation, namely individual rights provided by GDPR. It is highly important that individuals are aware of their rights in the concerned issue but also that data processors as legal persons acknowledge their responsibilities and potential duties to avoid any problems and breaches that may arise.
Right to be informed
The right to be informed is exercised under a private notice and request. It refers to the expectation of transparency of an enterprise. The scope of this particular right can be divided into two conditions: Whether the data was obtained directly from the data subject or not. The working party who is the data processor or holder, should anyways supply the data at any situation in case of such request except in some conditions. For instance, if data is not obtained directly from the data subject, the working party is under the obligation of supply in the details of the source the personal data originates from. If otherwise, it should not supply the source. Still in both cases whether the data is obtained directly or not, the working party must supply identity and contact details of the processor, purpose of the processing, legitimate interests of the controller, and details of data transfers to third countries.
Right to access
Another right to be acknowledged thereunder is the right to access which is also an implication of the requirement of transparency of the proceedings and operations by working parties. The purpose is to authorize individuals to access their personal data which is under process constantly and make sure the processing of the data is lawful, establishing trust by transparency between parties. The request is to be responded free of charge and immediately without delay.
Right to rectification
Individuals have the right to rectify their data, if the data residing in the target base is inaccurate or incomplete. If the data in question has the function of in some way referring third party recipients, working party has the responsibility to communicate each recipient and let them know about the changes. Rectification process may be responded within a month, if the request is subjectively complex, it may have a duration of 2 months without further delay.
Right to erasure
It is also called ‘right to be forgotten’. Individuals have the right to request the deletion of their personal data. The data can be erased if it is irrelevant, unlawfully processed. Individual can also simply withdraw his or her consent which he or she agreed upon in the initial offer for the personal data to be processed and held.
The specific cases according to which this right can be refused and not applied, for the most part refers to the public interest. Personal data may be relevant to some conditions where the erasure of the data could be to the detriment of the public interest. It may also be against the right to freedom of expression and information.
Right to restrict processing
Right to restrict processing is contextually regarding the right to rectification. If the concerned personal data is inaccurate and awaits correction or completion, individual can request to have the data restricted to be processed. Working party, then can maintain the storage and holding of the data but cannot go on to process it.
Right to data portability
The right to data portability applies only to data individuals has provided to a data processor. Individuals may wish to have their data in the concerned platform and reuse the data for purposes like comparing to find better deals and services. Data processors must provide the data in comprehensible and easy-to-understand format, free of charge and within one month without undue delay.
Right to object
This right is applicable under particular conditions which the individual has responsibility to object under. For instance, the data processor who is using the data for direct marketing purposes, must stop the process immediately as it receives an objection, without any exemption. Still, if the working party is in the position of using the personal data for the establishment or defence of legal claims, it can override an objection.
Rights related to automated decision making including profiling
Many data processors use automated-decision making mechanisms which enable the processing of the data to be faster and easier. This is usually called ‘profiling’. Automated decision making can be applied only where the member state of the union’s law authorizes the data controller to apply, the individual explicitly approves consent or it is necessary for the performance of a contract.