05.07.2018

Rights of the data subject

How to make an Information Rights Request

Requests for right of access can be made by submitting a signed form to the University of Jyvaskyla’s Registry. For more information:

Rights of the data subject

The right to be informed

The data subjects have the right to be informed about the collection and use of their personal data. This is a key transparency requirement under the GDPR.

The following table summarizes the information that should be provided to the data subject and at what stage. It distinguishes between personal data collected from individuals and personal data obtained from other sources.

What information do we need to provide?

  • The identity and the contact details of the controller/joint controller and, where applicable, of the data protection officer
  • The purposes of the processing for which the personal data are intended as well as the legal basis for the processing
  • The legitimate interests pursued by the controller or by a third party
  • The categories of personal data concerned
  • The recipients or categories of recipients of the personal data, if any
  • The details of transfers of the personal data to any third countries and the appropriate safeguards
  • The period for which the personal data will be stored, or if that is not possible, the criteria used to determine that period
  • The rights available to individuals in respect of the processing
  • Where processing is based on consent, the existence of the right to withdraw consent at any time
  • The right to lodge a complaint with a supervisory authority (25 May 2018)
  • From which source the personal data originate, and if applicable, whether it came from publicly accessible sources
  • Whether the provision of personal data is a statutory or contractual requirement, or a requirement necessary to enter into a contract, as well as whether the data subject is obliged to provide the personal data and the possible consequences of failure to provide such data
  • The details of the existence of automated decision-making, including profiling, meaningful information about the logic involved, as well as the significance and the envisaged consequences of such processing for the data subject

When should information be provided?

  • Personal data collected from individuals: at the time the data are obtained.
  • Personal data obtained from other sources: within a reasonable period after obtaining the personal data, but at the latest within one month.

The right of access

The data subjects have the right to obtain the following:

  • confirmation that their personal data is processed;
  • a copy of their personal data; and
  • other supplementary information – this largely corresponds to the information that should be provided in a privacy notice (see Article 15).

The GDPR clarifies that the reason for allowing the data subjects to access their personal data is so that they are aware of, and can verify, the lawfulness of the processing.

Information must be provided without delay and at the latest within one month of receipt. The controller will be able to extend the period of compliance by a further two months where requests are complex or numerous. If this is the case, the controller must inform the data subject within one month of the receipt of the request and explain why the extension is necessary.

Where requests are manifestly unfounded or excessive, in particular because they are repetitive, the controller can:

  • refuse to respond.

Where the controller refuses to respond to a request, the controller must explain why to the data subject, informing them of their right to complain to the supervisory authority and to a judicial remedy without undue delay and at the latest within one month.

The controller must verify the identity of the person making the request, using “reasonable means”. If the request is made electronically, the controller should provide the information in a commonly used electronic format.

The right to rectification

The data subjects are entitled to have personal data rectified if it is inaccurate or incomplete.

If the controller has disclosed the personal data in question to third parties, it must inform them of the rectification where possible. The controller must also inform the data subjects about the third parties to whom the data has been disclosed, where appropriate.

The right to erasure

The right to erasure is also known as ‘the right to be forgotten’. The broad principle underpinning this right is to enable the data subject to request the deletion or removal of personal data where there is no compelling reason for its continued processing.

The right to erasure does not provide an absolute ‘right to be forgotten’. The data subjects have a right to have personal data erased and to prevent processing in specific circumstances:

  • Where the personal data is no longer necessary in relation to the purpose for which it was originally collected/processed.
  • When the data subject withdraws consent.
  • When the data subject objects to the processing and there is no overriding legitimate interest for continuing the processing.
  • The personal data was unlawfully processed (i.e. otherwise in breach of the GDPR).
  • The personal data has to be erased in order to comply with a legal obligation.
  • The personal data is processed in relation to the offer of information society services to a child.

The controller can refuse to comply with a request for erasure where the personal data is processed for the following reasons:

  • to exercise the right of freedom of expression and information;
  • to comply with a legal obligation or for the performance of a public interest task or exercise of official authority;
  • for public health purposes in the public interest, or for archiving purposes in the public interest, scientific research, historical research or statistical purposes;
  • or for the establishment, exercise or defence of legal claims.

The right to restrict processing

The data subjects have a right to ‘block’ or suppress processing of personal data. When processing is restricted, the controllers are permitted to store the personal data, but not further process it. The controller can retain just enough information about the data subject to ensure that the restriction is respected in future.

The controller will be required to restrict the processing of personal data in the following circumstances:

  • Where the data subject contests the accuracy of the personal data, the controller should restrict the processing until the controller has verified the accuracy of the personal data.
  • Where the data subject has objected to the processing (where it was necessary for the performance of a public interest task or for the purposes of legitimate interests), and the controller is considering whether the controller organisation’s legitimate grounds override those of the data subject.
  • When processing is unlawful and the data subject opposes erasure and requests restriction instead.
  • If the controller no longer needs the personal data but the data subject requires the data to establish, exercise or defend a legal claim.

If the controller has disclosed the personal data in question to third parties, the controller must inform them about the restriction on the processing of the personal data, unless it is impossible or involves disproportionate effort to do so.

The controller must inform the data subjects when it decides to lift a restriction on processing.

The right to data portability

The right to data portability allows the data subjects to obtain and reuse their personal data for their own purposes across different services.

The right to data portability only applies:

  • to personal data the data subject has provided to a controller;
  • where the processing is based on the data subject’s consent or for the performance of a contract; and
  • when processing is carried out by automated means.

The controller must provide the personal data in a structured, commonly used and machine-readable form.

The right to object

The data subjects have the right to object to:

  • processing based on legitimate interests or the performance of a task in the public interest/exercise of official authority (including profiling);
  • direct marketing (including profiling);
  • and processing for the purposes of scientific/historical research and statistics.

Processing personal data for the performance of a legal task or the controller organisation’s legitimate interests

The data subjects must have an objection on “grounds relating to his or her particular situation” (Article 21).

The controller must stop processing the personal data unless:

  • it can demonstrate compelling legitimate grounds for the processing, which override the interests, rights and freedoms of the data subject;
  • or the processing is for the establishment, exercise or defence of legal claims.

The controller must inform the data subjects of their right to object “at the point of first communication” and in the controller’s privacy notice.

This must be “explicitly brought to the attention of the data subject and shall be presented clearly and separately from any other information”.

Processing personal data for direct marketing purposes

The controller must stop processing personal data for direct marketing purposes as soon as it receives an objection. There are no exemptions or grounds to refuse.

The controller must deal with an objection to processing for direct marketing at any time and free of charge.

The controller must inform the data subjects of their right to object “at the point of first communication” and in the controller’s privacy notice.

This must be “explicitly brought to the attention of the data subject and shall be presented clearly and separately from any other information”.

Rights related to automated decision making including profiling

The GDPR provides safeguards for the data subjects against the risk that a potentially damaging decision is taken without human intervention.

The controller has to identify whether any of its processing operations constitute automated decision making and consider whether it needs to update its procedures to deal with the requirements of the GDPR.

When does the right apply?

The data subjects have the right not to be subject to a decision when:

  • it is based on automated processing;
  • and it produces a legal effect or a similarly significant effect on the data subject.

The controller must ensure that the data subjects are able to:

  • obtain human intervention;
  • express their point of view; and
  • obtain an explanation of the decision and challenge it.

Does the right apply to all automated decisions?

No. The right does not apply if the decision:

  • is necessary for entering into or performance of a contract between the controller and the data subject;
  • is authorised by law (e.g. for the purposes of fraud or tax evasion prevention);
  • or is based on explicit consent (Article 9(2)).

Furthermore, the right does not apply when a decision does not have a legal or similarly significant effect on someone.

What else does the GDPR say about profiling?

The GDPR defines profiling as any form of automated processing intended to evaluate certain personal aspects of the data subject, in particular to analyse or predict their:

  • performance at work;
  • economic situation;
  • health;
  • personal preferences;
  • reliability;
  • behaviour;
  • location;
  • or movements.

When processing personal data for profiling purposes, the controller must ensure that appropriate safeguards are in place.

The controller must:

  • Ensure processing is fair and transparent by providing meaningful information about the logic involved, as well as the significance and the envisaged consequences.
  • Use appropriate mathematical or statistical procedures for the profiling.
  • Implement appropriate technical and organisational measures to enable inaccuracies to be corrected and minimise the risk of errors.
  • Secure personal data in a way that is proportionate to the risk to the interests and rights of the data subject and prevents discriminatory effects.

Automated decisions taken for the purposes listed in Article 9(2) must not:

  • concern a child;
  • or be based on the processing of special categories of data unless:
    ◦ the controller has the explicit consent of the data subject;
    ◦ or the processing is necessary for reasons of substantial public interest on the basis of EU / Member State law. This must be proportionate to the aim pursued, respect the essence of the right to data protection and provide suitable and specific measures to safeguard the fundamental rights and the interests of the data subject.