RIGHTS OF THE DATA SUBJECTS - OBLIGATIONS FOR THE OPERATORS
1. The right to be informed
The right to be informed refers to the obligation of the operator to provide "fair processing information", usually through a privacy notice. It highlights the need for transparency about how personal data is used.
According to the laws, the information the Operators have to provide, when they control personal data from the data subjects, must contain the following:
- the identity and contact details of the operator, or of the representative respectively;
- the contact details of the DPO;
- the purpose of controlling and processing the personal data, as well as the legal basis of the processing;
- the legitimate interests pursued (by the operator or by a third party) and the lawfulness of the processing;
- who the recipients or categories of recipients of the personal data are;
- any intention to transfer personal data to a third country and the safeguards offered by the operator that this transfer is lawful and does not harm the interests of the data subject.
In addition, where the data has already been obtained, the operator must provide the data subject with a series of additional information necessary to ensure the transparency of the processing:
- the retention period or the criteria used to determine this period;
- the right to rectification, deletion, restriction, objections;
- the right to data portability;
- the right to withdraw consent at any time, if applicable;
- the right to file a complaint with a supervisory authority;
- whether providing the data is a statutory or contractual requirement or obligation, and the possible consequences of not providing it;
- the existence of an automatic decision-making process (including profiling) and the way decisions are made, their significance and consequences.
GDP Shield provides the operator with an automated system through which all the necessary information is collected from the database and a complete Report is issued, as required by law. No human intervention required.
2. The right of access
What information can a person request, according to the GDPR?
According to the data protection laws, any data subject may exercise the right of access to personal data, under certain conditions. As a result, the following types of information may be requested:
- what the purpose of processing personal data is;
- what categories of personal data are concerned;
- who the recipients to whom the personal data was disclosed are;
- what the period for which the personal data will be stored is;
- if personal data is not collected from the data subject, any available information as to their origin.
GDP Shield provides the operator with an automated system through which all the necessary information is collected from the database and a complete legal Report is issued. No human intervention required.
3. The right to rectification
What is the right to rectification? The data subject has the right to obtain from the operator, without undue delay, the rectification of inaccurate personal data concerning him. Taking into account the purposes for which the data was processed, the data subject has the right to obtain the completion of personal data that is incomplete, by providing an additional statement.
When can personal data be rectified?
The data subjects have the right to request the rectification of personal data if it is inaccurate or incomplete and especially when the personal data has not been collected directly.
The time period allocated by the regulation for data rectification is a maximum of one month, with the possibility of extension to two months under special conditions. If no action is taken in response to a request for rectification, the data subject must be informed of the specific reasons and, if he does not agree with them, he must be told that he has the right to file a complaint with the supervisory authority and the right to a judicial remedy.
GDP Shield offers the operator the possibility to update the information in the database at any time, including the addition or deletion of data fields, while maintaining a historical log in this regard, containing the modifications or completions.
4. The right to erasure or "the right to be forgotten"
What is the right to erasure? The right to have personal data deleted is part of the new provisions introduced by the new and upcoming data protection laws.
Known in particular as the "right to be forgotten", it is based on the principle of guaranteeing any individual the freedom to do what he/she wants with their personal data, including deleting it, if there is no compelling or special reason to continue processing and storing it.
When can erasure be requested?
Basically, the right to have data deleted ("the right to be forgotten") means that the data subject has the right to obtain from the operator the deletion of personal data without undue delay, and the operator has the obligation to delete personal data in the following situations:
- the data is no longer needed for the purposes for which it was collected or processed;
- the data subject withdraws his consent on the basis of which the processing takes place;
- the data subject exercises the right to object;
- the personal data has been processed unlawfully;
- the data must be deleted in order to comply with a legal obligation of the operator;
- personal data belongs to children under 16 years of age.
When can the operators refuse a data deletion request? Exceptional situations are considered where the processing is necessary for:
- exercising the right to free expression and information;
- compliance with a legal obligation;
- reasons of public interest in the field of public health;
- purposes of archiving in the public interest, scientific or historical research or for statistical purposes;
- finding, exercising or defending a right in court.
GDP Shield offers the operator the possibility of deleting a data subject's personal data from the database following the request and the verification that the basic conditions are met, and at the same time automatically issues a Report containing all the relevant data. This deletion report can be submitted to the applicant by any means. In addition, the GDP Shield solution allows the operator to issue a negative report, which can be submitted to the applicant, effectively refusing the deletion of the data where the legal conditions are not met.
5. The right to restriction
When can the right to restrict processing be claimed? The data subject has the right to obtain from the operator the restriction of processing in one of the following situations:
- the accuracy of the data is contested, for a period that allows the operator to verify the accuracy of the data in question;
- the processing is unlawful, and the data subject opposes the deletion of the personal data, requesting instead the restriction of its use;
- as operators we no longer need the personal data for the purposes of processing, but the data subject requires it for the establishment, exercise or defence of legal claims;
- the data subject has objected to the processing (Article 21, paragraph 1), for the period during which it is verified whether our legitimate grounds as operators override those of the data subject.
GDP Shield does not have any competence in relation to the right of restriction, which is strictly related to the operator's direct behavior in relation to the personal data used.
6. The right to data portability
The right to data portability allows people to obtain and reuse their personal data for their own purposes within various services.
This right allows personal data to be moved, copied or transferred easily and securely from one IT environment to another. Many European organizations already offer data portability services, which allow interested parties to view, access and use personal consumption and transaction data in a portable and secure way.
Moreover, there are international operators that allow consumers to take advantage of applications and services that can use this data to find a better deal or to help them understand their spending habits.
According to applicable laws, the data subject has the right to transmit personal data to another data operator. The data operator must provide the data subject with a copy of the personal data in a structured, commonly used and machine-readable format. Furthermore, the data operator must not hinder the transmission of the personal data to a new data operator.
The right of data portability applies only if:
- the data is processed by automatic means;
- the data subject gave consent for processing;
- processing is necessary to fulfill the conditions stipulated by a contract.
GDP Shield provides operators with high-security technical solutions for data portability.
7. The right to object
One of the main rights of the data subject stipulated by the GDPR is the right to object to certain types of processing.
Which types of processing are these? The data subject has the right to object to:
- data processing for direct marketing purposes;
- data processing for profiling;
- data processing by automatic means;
- data processing for scientific or historical purposes.
The right to object does not apply where the personal data operator can demonstrate compelling legitimate grounds for the processing which override the interests, rights and freedoms of the data subject.
Other exceptional situations are motivated by the establishment, the exercise or the defense of some legal claims or in the situations in which the processing is necessary to fulfill a task of public interest.
Let's look at a few of these exceptional situations.
If the primary purpose of the processing of personal data is of a legal nature or in the legitimate interest of our organization, then when we receive an objection related to such processing we must stop processing that data unless we can clearly demonstrate that the processing is carried out for the establishment, exercise or defence of legal claims.
All this must be explained clearly and concisely to the data subject who raises an objection.
If the processing of personal data is done for the purpose of direct marketing, we must cease any processing as soon as we receive an objection. In these situations, there are no exceptions or reasons for refusal to consider an objection.
We must respond to objections against processing for direct marketing purposes as quickly as possible and free of charge.
Even where there was an initial consent to data processing, an explicit objection to the processing of personal data for direct marketing purposes must be honoured without delay and communicated to the data subject "clearly and separately from any other information". All these conditions must be stipulated from the outset in the privacy notice.
Obviously, this situation and the clear and precise motivation of the nature of the research must be communicated as soon as possible to the data subject who opposed the processing.
The obligation to handle objections to the processing of data and to comply with them lies within the competence and direct activity of the operator.
8. Rights related to automated decision-making and profiling
This is a special category of rights, present in the previous legislation but much better explained by the new data protection laws, which offers data subjects guarantees against the risk that a potentially harmful decision will be taken without human intervention.
What should processors do to ensure compliance with this right? They have to identify whether any of their processing operations include an automated decision-making process and, of course, update their procedures to meet the new legal requirements.
Does the law apply to all automated decisions? No. The right does not apply if the decision:
- is necessary for the conclusion or execution of a contract between you and the natural person;
- is authorized by law (for example, for fraud or tax evasion purposes);
- is based on explicit consent;
- has no significant legal or similar effect on a person.
What is profiling?
The new data protection laws define profiling as any form of automated processing designed to evaluate certain personal aspects of a person, in particular to analyze or predict their:
- workplace performance;
- economic/financial situation;
- health status;
- personal preferences;