The GDPR is intended to better protect privacy. But the rights of the data subject are also (greatly) extended. Which rights exactly are we talking about? We list them for you.
The General Data Protection Regulation (AVG or GDPR) is there to guarantee the protection of personal data and therefore also the rights and freedoms of the data subject. In order to ensure this protection and to give the data subject even more control over his personal data, the GDPR provides for a (significant) extension of the rights of the data subject. This article provides an overview of these different rights with a brief explanation.
1. Right of access
The data subject has the right to know from the controller whether his personal data is being processed. This means that the controller must inform the data subject about the processing of his personal data. For this, reference can be made to Step 3 of the GDPR: the transparency and information obligation of the controller. In addition to receiving information about the processing, the data subject has the right to access his personal data.
In addition, the controller shall provide a copy of the personal data in its possession at the request of the data subject. If the data subject requests additional copies, the controller may request a reasonable fee based on the administrative costs. When the data subject requests his personal data digitally, the controller can also transfer these digitally unless the data subject requests a specific method.
Important point of attention
This will be a first safety net for many questions, but will also lead to (greater) confidence of the individual (either as an employee or as a customer, …) in the company, with the result that fewer rights (of access) will be exercised. Example: an employee requests access to his personnel file and wants a copy of it.
2. Right to Correction
The data subject has the right to correct or supplement his personal data if he determines that they are incorrect.
Example: Person A asks his employer to change the bank account number as he has changed banks.
3. Right to be forgotten
The data subject has the right to ask the controller to delete his or her personal data if:
- The personal data are no longer necessary for the purpose for which they were collected.
- The data subject withdraws his consent and there is no other legal basis. For more information about the legal bases for the processing of personal data, please refer to Step 4: The Processing Basis.
- The data subject has objected to a specific processing (see also ‘Right to object’ below) and there are no overriding legitimate grounds for the processing.
- The data subject objects to direct marketing processing.
- The personal data are unlawfully processed (i.e. not in accordance with the principles of the AVG/GDPR).
- The law obliges the controller to delete.
- The personal data are processed on the basis of consent in the context of an offer of information society services.
The controller who has shared the personal data with other controllers will inform them as soon as possible about the request to be forgotten. However, this right is not absolute, as in some cases the processing is necessary for the exercise of the right to freedom of expression, for the establishment or defense of legal claims, for the fulfillment of legal obligations or tasks in the public interest, public health, archiving in the public interest, or scientific, statistical or historical research.
Example: the data subject objects to receiving direct marketing and specifically requests to be removed from the file.
4. Right to restriction of processing
The data subject may request to obtain the restriction of processing where:
- He contests the correctness of the personal data, for the period during which the correctness is checked;
- The processing is unlawful (i.e. does not comply with the principles of the GDPR) and the data subject opposes the erasure of the personal data;
- The controller would delete the data as it no longer needs it for the specific purpose, but the data subject still needs the personal data to substantiate a legal claim;
- The data subject has objected to the processing (see also ‘Right to object’ below) and there are no overriding legitimate grounds for the processing.
The restriction of processing means that the controller can only store and process the data with the specific consent of the data subject, for the establishment or defense of legal claims, for the protection of another person or for important reasons of public interest. The controller must inform the data subject when the restriction of processing is lifted.
Example: Person A orders a product from company B, but A is not sure whether the billing address is still correct and requests confirmation of the data by e-mail. Company B then has to verify whether everything is correct.
5. Right to portability of personal data
The right to portability (better known as the ‘right to data portability’) means that the data subject can ask a controller to transfer the personal data he or she has provided to another controller. This is possible when the personal data is processed on the basis of the data subject’s consent or in the context of an agreement with the data subject, or when the processing is carried out by automated means. A specific requirement for this transfer is that the controller must transmit the personal data to the data subject or to the other controller in a structured, commonly used and machine-readable format.