Rights of data subjects
We have seen that with processing personal data come great responsibilities and obligations for controllers and processors. This includes making sure that data subjects are able to exercise their rights. Chapter III of the GDPR provides data subjects with a number of rights.
The idea is that organisations and companies gather a lot of data from people in order to provide services or to sell products. This data can tell these organisations and companies a lot about a person. Persons thus give up some of their privacy in order to receive the services or purchase the goods. This is why processing personal data needs to be lawful and fair and why the GDPR provides persons with rights. In order to exercise these rights persons need to know what data concerning them are collected, used, consulted or otherwise processed. This is referred to as the principle of transparency, which requires that any information and communication relating to the processing of personal data needs to be easily accessible and easy to understand, i.e. in clear and plain language. A person needs to know who processes the data, what the purpose of processing is, what the risks, rules, safeguards and rights are and how to exercise them.
Acces, rectification, erasure, restriction of processing
Data subjects also have the right of access to personal data which have been collected in order to verify the lawfulness of the processing. This includes the right for data subjects to have access to data concerning their health, for example the data in their medical records. If the data is inaccurate, the data subject has the right to rectification thereof and in certain cases the right to erasure of the data (also referred to as the right to be forgotten) or the right to restriction of processing. In case of rectification, erasure or restriction, the controller needs to notify any recipient to whom the personal data have been disclosed. For example, if it turns out that some of Anna’s data in her hospital medical record is inaccurate, the hospital needs to notify the parties this data has been shared with, such as her GP.
If Anna wants to change physicians, she has the right to receive her data from her current one and transmit it to the new one. This is called the right to data portability. If the legal basis for processing personal data is carried out in the public interest, in exercise of official authority, is necessary for a legitimate interest or if personal data are processed for direct marketing purposes, Anna also has the right to object to the processing. A final interesting right for data subjects is the right not to be subject to automated decision-making, including profiling. Automated means, without the interference of a human being. Profiling is the use of personal characteristics or behaviour patterns to make generalisations about a person, for example the targeted advertisments Anna received were due to tracking her online behaviour patterns. When data brokers have enough patterns about a person, a profile can be made which tells a lot about a person.
If these rights of data subjects are infringed, they have the right to lodge a complaint with a supervisory authority (Article 77) or the right to an effective legal remedy against a controller or processor before a national court (Article 79).
In this step you learned more on the rights of data subjects. Which of these rights do you think help protect a data subject, such as Anna or yourself, best? And why? Please discuss this with other learners on the discussion board.
© University of Groningen