The GDPR articles explained: Chapter 3 - Rights of the Data Subject

Chapter 3 of the GDPR aims to strengthen data subjects (individuals) with control over their personal data.This article encompasses 12 articles (Articles 12-23) that outlines the various rights that data subjects can exercise regarding the information organizations hold about them, and establishes the procedures for handling complaints and cooperation between supervisory authorities.

This chapter can logically be categorized into three sections for better understanding:

• Section 1: Transparency and access: Outlines individuals' right to be informed about how their data is being processed and to access a copy of that data.
• Section 2: Rectification and erasure: Includes rights to correct inaccurate data, erasure (right to be forgotten), and restriction of processing.
• Section 3: Objection and automated decision - making: Outlines individuals' right to object to the processing of their personal data for certain purposes, such as direct marketing. It also addresses scenarios where automated decision-making processes are used, ensuring individuals' rights are safeguarded in such scenarios.

Section 1: Transparency and modalities

Article 12: Transparent information, communication, and modalities for the exercise of the rights of the data subject

This article focuses on how the data controllers and processors have to provide transparent information and communication to the data subjects and the different ways for the data subjects to exercise their rights. The key points of this article include:

• Clear communication: The data controller (organization) must provide information about data processing activities to the data subjects in a clear, concise, and easily understandable way. This applies to information provided at the time of data collection and in situations where data is obtained from a source other than the data subject.
• Accessibility: The information should be provided in writing or by other means, including electronic formats when appropriate. Oral explanations can be given upon request, provided the data subject's identity is verified through other means.
• Exercising rights of data subject: Data controllers must take appropriate measures to ensure data subjects can easily exercise their rights under the GDPR. This includes rights such as access, rectification, erasure, and restriction of processing. It should also be noted that the data controllers cannot refuse the data subject's requests unless they truly cannot identify the individual making the request. The data controllers can also ask for additional information to confirm the identity of the data subject, ensuring the privacy of the information provided.
• Response time: Data controllers are obligated to respond to requests from data subjects within one month, with a possibility of extension for complex requests (up to three months) under specific circumstances.

Implications

For data controllers

• Develop clear and concise data privacy notices: Data controllers must create informative documents explaining how they collect, use, and store personal data. This information should be written in plain language and easily accessible to data subjects.
• Multiple methods for providing information: The GDPR doesn't mandate a single format. Data controllers can provide information in writing (printed documents), electronically (website privacy notices), or even orally (upon request with identity verification).
• Implement procedures for handling data subject requests: Data controllers need to establish clear processes for handling requests from individuals regarding their data rights (access, rectification, erasure, etc.). This includes having designated personnel to handle such requests and ensuring timely responses.
• Maintain records of communication: Documenting interactions with data subjects regarding their information is crucial. This might include keeping records of requests, responses, and any justifications provided for data processing activities.

For processors

• Cooperation with data controllers: Processors should cooperate with data controllers to ensure compliance with Article 12. This might involve providing relevant information about data processing activities to assist data controllers in crafting their data privacy notices.
• Following data controller instructions: Processors are obligated to follow the lawful instructions of the data controller regarding data subject requests. This includes facilitating access, rectification, erasure, or other actions as instructed by the data controller.
• Data breach notification: If a processor experiences a data breach that impacts data subject rights, they must notify the data controller promptly to enable them to fulfill their obligations under Article 12.

Article 13: Information to be provided where personal data is collected from the data subject

Article 13 mandates that when personal data is collected directly from data subjects, certain information must be provided to them at the time of collection. This ensures transparency and fairness in the processing of personal data.

This article requires data controllers to provide data subjects with information such as:

• Identity and contact details of the data controller (and representative, if applicable).
• Contact details of the data protection officer (DPO), if one is appointed.
• The purpose(s) for which the personal data is being processed.
• The legal basis, such as consent, contractual necessity, for processing the personal data.
• The legitimate interests pursued by the controller or a third party, if applicable.
• The recipients or categories of recipients of the personal data.
• The retention period for the personal data.
• The existence of automated decision-making, including profiling, and any details about it.
• Information about data transfer to third countries or international organizations, if applicable.
• The data subject's rights under the GDPR.
• Information on the right to withdraw consent at any time.

Additional information that might be necessary for fair and transparent processing:

• The data retention period or criteria used to determine it.
• Rights of the data subject, including access, rectification, erasure, restriction, objection, and data portability.
• The right to withdraw consent at any time (if processing is based on consent).
• The right to lodge a complaint with a supervisory authority.
• Whether providing data is a statutory or contractual requirement, and the consequences of not providing data.
• Information about automated decision-making, including profiling, if used.

Example

A software company develops a mobile app that collects users' geolocation data to provide personalized location-based services.

Application of Article 13

• Upon app installation: When the user installs the app and starts the setup, a privacy notice appears.
• Identity and contact details: The notice includes the software company's name and contact information, and details of their DPO.
• Purposes of data processing: It explains that the geolocation data is used to offer personalized travel advice and advertisements.
• Legal basis: The legal basis for processing this data is user consent, which is explicitly requested during the setup.
• Recipients of data: The notice specifies that the data may be shared with third-party advertising partners.
• Data retention: The period for which geolocation data will be stored is stated, along with how users can request data deletion.
• User rights: Information is provided on users' rights to access, modify, or delete their data, and how to withdraw consent at any time.
• Further processing: It mentions that if the data is to be used for other purposes in the future, users will be informed accordingly.

Implications

Developing a privacy notice

• Comprehensive information: Create a clear and concise privacy notice that outlines all the information required by Article 13. This includes details about the controller, data processing purposes, legal basis, data retention periods, data subject rights, and any automated decision-making practices.
• Accessibility: Make the privacy notice readily available to data subjects at the point of data collection. This could be on your website during online forms, printed versions alongside paper forms, or displayed clearly during in-person data collection.
• Layered approach: Consider a layered approach for your privacy notice. You can have a concise summary upfront with a link to a more detailed document for individuals seeking in-depth information.

Data collection processes

• Integration with forms and procedures: Integrate the requirement to provide Article 13 information into your data collection processes. This could involve adding a checkbox acknowledging receipt of the privacy notice during online forms or verbally informing individuals during in-person collection.
• Training for staff: Train staff involved in data collection activities about the requirements of Article 13. This ensures they can accurately explain data processing practices to individuals and address any questions they might have.

Addressing preexisting data

• Identifying existing data: Identify situations where you might already hold some personal data about an individual before directly collecting additional information.
• Providing supplemental information: When collecting additional data from such individuals, only provide the information required by Article 13 that they wouldn't already know based on your existing data.

Continuous compliance

• Review and updates: Regularly review and update your privacy notice to ensure it remains accurate and reflects any changes in your data processing practices.
• Record keeping: Maintain records of your privacy notice and its versions for audit purposes, demonstrating your commitment to GDPR compliance.

Article 14: Information to be provided where personal data has not been collected from the data subject

Article 14 of the GDPR outlines the information that must be provided to individuals, when their personal data has not been obtained directly from them, but from other sources. Article 14 and 13 of the GDPR both address the rights of individuals regarding the processing of their personal data, but they focus on different aspects and apply in different situations.

Example

Imagine a data subject signed up for a newsletter from a bookstore and they decide to use a third-party marketing company to manage their email campaigns. The marketing company receives the data subject's email address and purchasing history from the bookstore, but they have never directly interacted with the marketing company.

According to GDPR Article 14, the marketing company needs to inform the data subject that they have their data, explain who they are, why they have the data (to send marketing emails on behalf of the bookstore), and outline data subject's rights regarding this. They need to do this within a month of receiving the details or by the time they first send an email, whichever comes first.

Article 15: Right of access by the data subject

GDPR Article 15 specifically pertains to the right of access by the data subject. It gives individuals the right to access their personal data that is being processed by an organization. It requires that data controllers provide a copy of the personal data, free of charge in most cases, as well as other supplementary information, including:

• The purposes of processing.
• The categories of personal data concerned.
• The recipients, or categories of recipients, to whom the personal data have been or will be disclosed.
• The estimated period for which the personal data will be stored, or the criteria used to determine that period.
• The existence of the right to request rectification, erasure, or restriction of processing of personal data.
• The right to lodge a complaint with a supervisory authority.
• Information about the source of the data if it wasn't collected directly from the individual.
• If personal data is transferred to a third country or international organization, the individual has the right to know what safeguards are in place to protect their data during the transfer.
• The existence of automated decision-making, including profiling, and meaningful information about the logic involved, as well as the significance and the foreseen consequences of such processing for the individual.
• The organization or data controller must provide a copy of your personal data free of charge, at least for the first request. For example, you can request a copy of your personal data held by an online retailer to understand what information they have about you.

Implications for a data subject:

Increased control and awareness

• Confirmation and access: Data subjects have the right to know if an organization is processing their personal data and get a copy of that data. This empowers them to understand how their information is being used.
• Transparency: Data subjects can learn about the purposes for which their data is processed, the categories of data involved, and who it might be shared with. This transparency enables them to make informed decisions about their data privacy.
• Exercising other rights: Knowing the data is processed allows data subjects to utilize other GDPR rights. This could include requesting corrections (Article 16), deletion (Article 17), or restrictions on processing (Article 18).
• Understanding automated decisions: If an organization uses the data for automated decision-making (like profiling), data subjects can learn about the logic behind it and potential consequences. This allows data subjects to challenge biased or unfair automated decisions.

Section 2: Rectification and erasure

Article 16: Right to rectification

This article provides data subjects with the right to ask the data controller to correct any wrong or incomplete personal data. Here’s a breakdown of what this means:

Correction of inaccurate data: If data subjects find that an organization has incorrect information about them, like a wrong address or misspelled name, they can ask it to correct the details.

Completion of incomplete data: If the information about data subjects is incomplete, let's say the profile is missing some details that are relevant and necessary for the purposes the organization is using it for, data subjects can provide the missing information to have the records updated.

This article is intended to ensure that the information is accurate, complete, and relevant to its intended use, while also empowering individuals with more control over their personal details.

Article 17: Right to erasure or the "right to be forgotten"

This article allows individuals to have their personal data erased under certain circumstances.

When can data subjects ask for their data to be deleted?

• If the data isn't needed anymore for the reason it was collected.
• If they take back their permission for the company to use their data, and the company doesn't have another legal reason to keep it.
• If the data was used unlawfully.
• If there's a legal rule that requires the data to be erased.
• If they were a child when they agreed to use an online service (like signing up for a game or social media), and now they want that information deleted.

When can data controllers say no to deleting a data subject's data?

• If the data is necessary for exercising the right to freedom of expression and information (for example, journalistic content or public interest reporting).
• If they're required by law to keep the data (e.g., financial records for tax purposes).
• If the data is important for the public interest, such as for health reasons, or for research and documenting history (e.g., disease control or monitoring outbreaks).
• If they need the data to defend themselves in court.

Article 18: Right to restriction of processing

Under certain conditions, individuals can request that the processing of their personal data be restricted. In short, this rule lets you hit "pause" on companies using your data under specific conditions. This might apply if you contest the accuracy of your personal data held by an organization and want processing to be paused while it is verified.

GDPR Article 18 lets data subjects ask companies to pause processing your personal data if:

• They are checking if the data they have is correct.
• The data was used incorrectly, but the data subject doesn't want it deleted.
• Data controllers don't need the data for original processing purposes, but data subjects do for a legal reason.As an example, assume a company no longer needs an employee's personal data after they leave the job. However, the former employee needs the data to prove a wrongful termination case. In this situation, the employee can ask the company to restrict the processing of their data, so it is preserved for their legal case.
• Data subjects objected to their data being processed under Article 21(1), they can ask for the processing to be restricted until it is determined whether the data controller's legitimate reasons outweigh the data subject's reasons for objecting.

Article 19: Notification obligation regarding the rectification or erasure of personal data or restriction of processing

If an organization rectifies or deletes a data subject's personal information or plans to limit how it is used, then data controllers (organizations) need to communicate it to everyone they shared that data with. This is, unless it's too hard or would take too much effort to do so. If data subjects inquire, the data controller should tell them to whom they shared the data with.

Example: Let's say a data subject signs up for a newsletter from an online retailer (data controller), and they accidentally misspell their email address. The data subject can contact them to correct it. According to Article 19, the data controller must not only correct the email address but also inform any other parties they shared the incorrect email with, like their marketing partners.

Article 20: Right to data portability

This article outlines that data subjects have the right to receive the personal data that they have provided to a data controller. They can request this data in a structured, commonly used, and machine-readable format. Furthermore, they have the right to transmit this data to another data controller without any obstacles from the original data controller. Here's a simplified explanation and example:

Imagine you signed up for a social media platform and uploaded photos, posts, and personal information. Under Article 20, you have the right to ask the social media platform for a copy of all the data they have about you. They must provide this data in a format that you can easily transfer to another social media platform if you choose to switch.

For this article to be applicable, two conditions must be met:

• The processing of your data must be based on your consent or a contract, and it must be done using automated means (like computers).
• You have the right to ask for the data to be transferred directly from one data controller to another, if it's technically possible.

However, there are a couple of exceptions:

• This right doesn't apply if the processing of your data is necessary for tasks done in the public interest or in the exercise of official authority vested in the data controller.
• It's important that exercising this right doesn't negatively impact the rights and freedoms of others.

Section 3: Objection and automated decision-making

Article 21: Right to object

Data subjects have the right to object to the processing of their personal data in certain cases, including direct marketing. For instance, if you receive targeted advertisements based on your online behavior, you can object to this form of data processing. Here's a simplified explanation below:

• Right to object in general : Data subjects can object to the processing of their personal data if it's based on certain legal grounds (Article 6 (1) of the GDPR), including profiling based on these grounds. For instance, if a company is using automated decision-making processes that significantly affect an individual's life, such as determining eligibility for a loan based on algorithms, the individual can object to such processing.
• Right to object to direct marketing: Data subjects have an absolute right to object to the processing of their personal data for direct marketing purposes. For example, if a customer receives unwanted promotional emails from a company, they can object to this processing, and the company must stop sending marketing materials to that individual.
• Notification requirement : Data controllers must inform individuals about their right to object, clearly, and separately from other information, at the latest when they first communicate with the individual.
• Automated means for exercising the right: When personal data processing occurs in the context of online services, data subjects can use automated means to exercise their right to object.
• Exception for public interest: There's an exception for cases where personal data processing is done for scientific, historical, or statistical research purposes. In such cases, individuals can still object, but processing may continue if it's necessary for reasons of public interest.

Implications for data subjects

• Empowerment : Article 21 allows data subjects to object to the processing of their personal data if they believe it impacts their fundamental rights and freedoms.
• Control : Data subjects gain greater control over how their personal data is used, especially in situations where the processing may have adverse effects on them.
• Protection of privacy: This article enhances the protection of data subjects' privacy rights by enabling them to prevent unwanted or potentially harmful processing activities.
• Awareness : Data controllers are required to explicitly inform data subjects about their right to object at the time of the first communication, ensuring that individuals are aware of this important right.

Article 22: Automated individual decision-making, including profiling

Article 22 of the GDPR gives data subjects the right to avoid being subjected to decisions that have legal or similarly significant effects on them if those decisions are based solely on automated processing. This means that if a company uses automated systems to make decisions about users (like granting a loan or offering a job), data subjects have the right to object to this.

Conditions when data controllers can object

There are exceptions where automated decision-making is allowed, such as when it's necessary to fulfill a contract, authorized by law, or based on explicit consent from the individual.

In cases where automated decision-making is allowed (such as with consent or contractual necessity), the data controller must ensure safeguards. These include measures to protect the rights and freedoms of individuals, such as allowing them to intervene, express their views, and contest the decision.

Special protections for sensitive data

Article 22 provides additional protection for decisions based on "special categories" of personal data, such as race, religion, or health information. Automated decisions using this data are generally prohibited unless specific exceptions apply and strong safeguards are in place.

Article 23: Restrictions

Article 23 allows European Union countries to pass laws that limit the rights and obligations described in Articles 12 to 22 and Article 34 of the GDPR. Let's say a country passes a law that allows authorities to collect personal data without individuals' consent for national security purposes. This law restricts the rights data subjects have under the GDPR, like the right to consent to data processing.

These restrictions are permissible if the data controllers respect fundamental rights and freedoms and are necessary to achieve specific objectives, such as national security, reasons related to criminal justice, protecting freedoms and rights, or public safety.

Any law that restricts the data subject's rights under the GDPR framework must include detailed provisions to them, such as the purpose of data processing, categories of personal data affected, and safeguards against abuse or unlawful access.

Data subjects must be informed about the restrictions on their data rights, unless revealing this information would harm the purpose of the restriction. This ensures transparency and accountability.