What rights?

With the arrival of the General Data Protection Regulation, people whose personal data are being processed, will have more rights. We list the most important rights for the people involved.

Right to transparent information and communication

The controller shall take appropriate measures to ensure that the data subject receives information relating to the processing in a concise, transparent, intelligible and easily accessible form. This is especially the case when the information is specifically intended for a child. The information shall be provided in writing or by other means. Where appropriate, electronic means may be used. If the data subject so requests, the information may be provided orally, provided that the identity of the data subject is proved by other means. The provision of information and any action taken shall be free of charge, unless the requests of a data subject are manifestly unfounded or excessive.

Where personal data relating to a data subject are collected from that person, the controller shall provide the data subject with all the following information at the time of obtaining the personal data:

• the identity and contact details of the controller and, if any, the controller’s representative;
• the contact details of the data protection officer, if any;
• the processing purposes for which the personal data are intended, as well as the legal basis for the processing;

•  the legitimate interests pursued by the controller or, where applicable, by a third party;
• the recipients or categories of recipients of the personal data, if any;
• if appropriate, that the controller intends to transfer the personal data to a third country or an international organisation.

To ensure the proper and transparent processing of personal data, the controller shall provide additional information to the data subject in addition to the above. Essentially, the controller will communicate additional information to the data subject regarding their rights, such as:

• the period for which the personal data will be stored or, if this is not possible, the criteria for determining that period;
• that the data subject shall have the right to obtain from the controller access to, and the right to rectify or erase, the personal data relating to him or her or to restrict the processing, as well as the right to object to the processing and the right to data portability;

• that the data subject has the right to withdraw the consent at any time, without prejudice to the lawfulness of the processing based on consent before the withdrawal;
• that the data subject has the right to lodge a complaint with a supervisory authority; 
• whether the provision of personal data is a legal or contractual obligation or a necessary condition for the conclusion of a contract and whether the data subject is obliged to provide the personal data and what the consequences might be if the data are not provided; 
• the existence of automated decision making, including profiling, and, where applicable, useful information on the logic involved as well as the importance and likely consequences of such processing for the data subject.

If the controller intends to further process the personal data for a purpose other than that for which the personal data was collected, the controller shall provide the data subject with information on that other purpose prior to such further

processing.

Right of access

Citizens whose personal data are processed have the right to access that data. They have the right to obtain a decision from the controller as to whether or not the personal data is being processed. Your organisation must make clear why data are processed, what types of personal data are involved and to what organisations personal data may be passed on. It must also be clear how long the personal details will be kept. For this reason, the party responsible for processing will provide the person concerned with a copy of the personal details that are being processed.

Right to rectification and supplementation

Data subjects have the right to amend incorrect personal data processed by the organisation. Subject to the purposes of the processing, the data subject shall have the right to obtain at any time the completion of incomplete personal data, including by providing a supplementary statement.

The right to restrict processing

This is the right to have less data processed. In case incorrect

data is processed, then the data should not be used as long as it is incorrect. Another case that can justify the right to restrict processing is when people object to their personal data being processed. In that case, the organisation will have to stop the processing, unless the organisation can provide compelling legitimate grounds that outweigh the interests and rights of the data subjects. Finally, if the data controller no longer needs the personal data for the processing purposes, but the data subject does need it for the establishment, exercise or substantiation of a legal claim, the data subject may invoke this legal ground. Organisations should inform data subjects about the right to object.

The right to data portability

This is the right to transfer digital personal data. People should be able to receive the personal data that an organisation holds about them. Organisations must make all personal data available that involved people have given. They can transfer that data to other organisations that provides the same kind of service. They can also ask an organisation to transfer the data directly to another organisation. So-called derived data, such as data generated by the organisation itself through, for example, data analysis, does not need to be provided.

The right to be forgotten

The right of data subjects to be forgotten. Organisations must erase personal data in a number of cases if a data subject requests it. This erasure must take place without unreasonable delay. For example, data must be erased:

• if the organisation no longer needs the personal data;
• if the person concerned withdraws his/her consent for processing or objects;
• if an organisation processes the data unlawfully; 
• the personal data must be erased to comply with a legal provision.

The right to oblivion also applies to backup files.

Right of objection

The data subject has the right to object at any time to the processing of his personal data. The reasons invoked by the data subject are irrelevant. The controller will cease processing the personal data unless it demonstrates compelling legitimate grounds for processing that outweigh the interests, rights and

freedoms of the data subject.

When personal data is processed for the purposes of direct marketing, then the data subject shall have the right to object at any time to processing of personal data concerning them for such marketing, including profiling in relation to direct marketing. The personal data may then no longer be processed for those purposes.

The right to human intervention with regard to automated decision making and profiling

Data subjects have the right not to be subject to a decision based solely on automated processing, including profiling, which produces legal effects concerning them or significantly affects them in any other way. In other words, they have the right to a human perspective on decisions that affect them. For example, in the case of an automated decision in online applications or in the handling of a file. The right not to be subjected to exclusively automated decision-making does not apply to decisions that:

• are necessary for the establishment or implementation of a contract between the data subject and a controller;

•  are authorised by a provision of Union or Member State law applicable to the controller, which also lays down appropriate measures to protect the rights and freedoms and legitimate interests of the data subject; or 
• is based on the explicit consent of the data subject.

In cases (a) and (c), the controller shall provide at least the right to obtain human intervention, the right to present its point of view and the right to challenge the decision.