GDPR Data Subject Rights in a nutshell
The exponential growth and popularity of the digital world has led to a vast shift in lifestyles during the 21st century, with an overwhelming majority of people globally becoming more socially active, routinely sharing their personal information freely on various online social media platforms. This cultural change quickly led to the decades-old data protection directives becoming too archaic to cope with the new world, and after years of scrupulous drafting, the General Data Protection Regulation (GDPR) was promulgated, creating a strong framework of data protection rules enforceable throughout the EU.
Data Subject rights historical context
The GDPR, which came into force on the 25th of May 2018, enhanced and evolved upon its predecessor, the 1995 Data Protection Directive, to establish a strong set of data protection rules which augment how people can access information about them, along with placing limits on what organisations can or cannot do with personal data. Given that the GDPR is a Regulation, it is directly applicable as law in Malta and supersedes any Maltese law that is incompatible with its substantive provisions. However, the scope of certain provisions in the GDPR permits Member States to implement specifications or restrictions on those provisions. The main objective of the legislation is to safeguard the data subject through a harmonious set of data subject rights, with parallel controller and processor obligations, which ensure that the data subject does not suffer abuse through data transfers.
Data Subject Rights
The rights conferred upon data subjects concern primarily the collection and processing of personal data.
Right to Information on processing
Controllers are primarily obligated to ensure that such collection and processing is conducted in a fair and transparent form, and that data subjects are informed about the controller’s identity, contact details, and the purposes and legal basis on which the data is being gathered, amongst other things. Should the data be obtained from a third party, and not directly from the data subject, the controller must still provide such details, and is not exonerated from its obligation to duly inform. The right to information also extends to data breaches: the controller is obligated to notify the data subject without undue delay whenever a breach of his/her personal data is likely to result in a high risk to his/her rights.
Right of Access to personal data
Data subjects are furthermore entitled to access any and all data which relates to them, i.e. “personal data”, which is in the controller’s possession. By virtue of a Subject Access Request, or ‘SAR’, data subjects are legally entitled to a confirmation that the controller is indeed processing their personal data, and to a copy of such data and any other supplementary information that is relevant upon request. A SAR may be submitted free of charge through any communicative medium chosen, be it written, verbal, or digital, and must be answered within a month, unless a time extension is provided. Should the request be deemed unfounded or excessive, the controller may choose to grant the request against a reasonable charge, or in extreme scenarios, even opt to refuse to act on the request.
Right to Rectification of personal data
In an effort to ensure that controllers only possess and process accurate data, the GDPR places on them the obligation to ascertain the validity of such data, to keep it up to date, and to correct it when it proves to be inaccurate. Data subjects are granted a complementary right entitling them to the correction of any such inaccuracies, if present, and also to have any incomplete personal data held by the controller duly completed.
Right to Erasure of personal data
Data subjects also have the right to request the erasure of their personal data, whereby they may compel the controller to erase the data it has collected on them as data subjects. This right, which is also referred to as the ‘right to be forgotten’, is limited to certain scenarios, such as when the data is no longer necessary, where consent is withdrawn, where objections regarding the processing methods employed by the controller are made, or for other pertinent legal reasons.
Right to Restriction and Objection of processing
The GDPR does not limit itself to the collection of personal data, but empowers the data subject with rights which relate to the controller’s processing of the data collected: data subjects are entitled to restrict or object to the processing of their personal data, depending on the circumstances. Restriction of data processing may be applied when the accuracy of the data is contested, when the processing violates the law, or when the personal data is needed by the data subject for purposes relating to legal proceedings while no longer being needed by the controller. Objection rights are limited in relation to marketing, scientific or historical research, or statistical purposes. However, this is not an absolute right: should processing of personal data be required for a public interest, this exception would prevail even if it overlaps with one of the fields referred to above.
Right to Data Portability
In an effort to facilitate easy, yet safe and secure transfer of personal data across different controller services, the GDPR introduced the right of data portability, which allows data subjects to freely and directly transmit the personal data given to a controller, to another controller.
What this means for you
Whenever a client’s or customer’s (i.e. a data subject’s) personal data are stored and/or processed by a business acting as a data controller, that business must be equipped to honour and accede to its client’s/customer’s requests in terms of the data subject rights mentioned above.
This applies irrespective of whether the company is an SME, such as a small family run business. Having an able and qualified Data Protection Officer ('DPO') is highly advisable, even when having a DPO appointed is not strictly required under the GDPR.
How we can help
Chetcuti Cauchi’s data protection lawyers not only embrace technology and privacy in continuous development, but are also able to examine the business’s processes and systems to give advice on suitable Data Protection policies and measures tailored to their particular circumstances, in addition to standard data protection contractual approaches. Given our data protection legal expertise, we are also suitably qualified to provide Data Protection Officer (DPO) assistance.