Skip to 0 minutes and 7 seconds There are three additional rights of data subjects laid down in the General Data Protection Regulation, and we will cover them here. These rights are - the right not to be subjected to automated individual decision-making, the right to be represented by organisations and others, and the right to compensation. Given that we live in a technologically advanced society, many decisions can be taken by the systems in an automatic manner. The GDPR grants to all of us a right not to be subjected to a decision that is based only on an automated processing, which includes profiling. This decision must significantly affect an individual, for example, by creating certain legal effects.
Skip to 0 minutes and 52 seconds If Google decided to automatically collect and process data on the Internet users, make profiles about them based on their searches, and take certain decisions with regard to them as part of automated processing that create legal effects in relation to them, data subjects in question would be allowed to exercise their right not to be subjected to such decisions. In three situations, however, this right does not apply. This is the case when such an automated individual decision is needed for entering into a contract or performing a contract between the data subject and the data controller.
Skip to 1 minute and 28 seconds Also, the law of the European Union or its Member States providing appropriate safeguards for the protection of rights, freedoms, and legitimate interests of data subjects can authorise taking such a decision. Finally, a decision can be based on the explicit consent of data subjects. In the first and second types of situation, data controllers play an important role in safeguarding the rights, freedoms, and legitimate interests of data subjects. They need to ensure the right to implement human intervention on the part of the controllers, to express points of view, or to contest the decision.
Skip to 2 minutes and 7 seconds The three types of decision, to which the right not to be subjected to automated individual decision- making does not apply, may not be based on the special categories of personal data, as discussed before, unless persons’ consent has been obtained or the processing is required for reasons of substantial public interest. There should also be measures that aim at safeguarding data subjects’ rights, freedoms, and legitimate interests. Additionally, it is possible for data subjects to allow not-for-profit bodies, organisations, or associations to act on their behalf– more specifically, to lodge complaints, to receive compensation, and to exercise rights discussed earlier and addressed in articles 77, 78, and 79 of the General Data Protection Regulation.
Skip to 2 minutes and 57 seconds These provisions concern, as we have already discovered, the right to lodge a complaint with a supervisory authority and the right to an effective judicial remedy against decisions of supervisory authorities and controllers or processors. Depending on the legislation of EU Member States, such bodies, organisations, and associations may also have the right to lodge complaints with the supervisory authority independently of a data subjects’ mandate and to exercise rights as Articles 78 and 79 of the Regulation, concerning the rights to an effective judicial remedy, if they think that the rights of a data subject have been violated as a result of the processing of personal data.
Skip to 3 minutes and 40 seconds If an individual feels that he or she can better give away his or her representation to somebody else, this individual has the right to contact a not-for-profit association– such as European Digital Rights - in order to be represented by it in filing complaints, exercising some of his or her rights, and receiving compensation. This might be useful if an action is to be taken against such a tech giant as Google or any other person or entity. Finally, persons who have suffered material or non-material damage as a result of an infringement of the GDPR have the right to receive compensation from the controller or processor in question.
Skip to 4 minutes and 21 seconds In this regard, it is of importance to establish liability of the involved persons and entities. Any controller that is involved in the processing is liable for such damage. A processor is only liable when it has not complied with its obligations under the GDPR, addressed to it, or has acted outside the lawful instructions of a controller or contrary to them. If, however, processors or controllers are not responsible for the events giving rise to the damage, they will not be liable. As provided in Article 80 of the GDPR, this right can also be exercised by bodies, organisations, and associations mentioned earlier on behalf of data subjects.
Skip to 5 minutes and 5 seconds Proceedings for exercising the right to compensation should be brought before the courts that are competent under the law of a Member State of the European Union in question. The last set of data subjects’ rights brought here to your attention includes the right not to be subjected to automated individual decision-making, the right to be represented by organisations and others, and the right to compensation. These are vital safeguards available to individuals such as you and me when our personal data are processed. We should not forget about them and their significance in the modern digital world.
Rights regarding automated decision-making, representation and compensation
In this video, we have discussed three rights in relation to automated decision-making, representation and compensation.
Currently, various decisions are taken by the systems in an automatic manner. Article 22 GDPR establishes the right not to be subjected to a decision that is based only on an automated processing, including profiling. This right is applicable when such a decision has legal consequences for an individual or in a similar manner significantly affects him or her. If a company, such as Google, automatically collects and processes personal data on the Internet users, engages in profiling and some decisions creating legal effects with regard to them are taken, data subjects can exercise their right not to be subjected to such decision-making.
This right is not applicable when an automated individual decision is needed for entering into a contract or performing a contract between the data subject and a data controller, is authorised by the EU or Member State law to which a controller is subjected and which provides certain safeguards or is based on the explicit consent of the data subject. These decisions may not be based on the special categories of personal data unless it is done with the consent of involved individuals or for reasons of substantial public interest. Also, measures must be introduced safeguarding data subjects’ rights, freedoms and legitimate interests.
Using another right found in Article 80 GDPR, data subjects can allow not-for-profit bodies, organisations or associations to act on their behalf by lodging complaints, receiving compensation and exercising some rights with regard to complaints and judicial remedies. These entities can also have the right to act independently of a data subjects’ mandate if the Member States provide for this possibility.
Finally, if individuals have suffered material or non-material damage as a result of an infringement of the GDPR they entitled to the right to receive compensation from the controller or processor, as stressed in Article 82 GDPR. Controllers involved in the processing are liable for this damage; processors are only liable when they have not complied with their GDPR obligations or acted outside lawful instructions of controllers or contrary to them. Bodies, organisations and associations can also invoke this right on behalf of data subjects. The right to compensation can be exercised before competent courts of EU Member States.
© University of Groningen