Plain Spoken GDPR – Chapter 3 or People Have Rights Too!

Anonymous Hong Kong Phooey

Chapter 3 – Rights of the Data Subject

Hey race fans. Chapter 3. We delve into the Rights of the Data Subject (that means people in real people speak). In total we’ve got 12 articles and the introduction of sections.

Section 1 – Transparency and Modalities

Article 12 – Transparent Information, Communications and Modalities for the Exercise of the rights of the Data Subject

8 paragraphs. Now I think the title is attempting to do too much here, but this isn’t an English exam. Everything in this article is geared towards telling the data controller what their responsibilities are in regard to giving information to a data subject who is pursuing their rights under this legislation.

The controller needs to take care to present information in a clear and legible format. This covers not just ease of access (furnishing documentation in electronic form) but also the language used to describe the contents of the information.

Data controllers cannot refuse to act on requests from data subjects. All information requests will be completed within one month of the request. There is an indication that a controller might extend this by a further two months (3 months total), but regardless, the controller has to let the data subject know what is going on within the first month.

There are cases where a controller does not have to act on the request of a data subject, and if that is the route that is going to be taken then it needs to be communicated back to the data subject. The cases where a data controller can refuse to act are when requests are manifestly unfounded or excessive, especially when the requests are repetitive; then a controller can charge a reasonable administration fee, or they could refuse the request entirely (again, as mentioned, they still have to inform the data subject). The controller takes on the burden of proving that the request is unfounded though. So watch out before calling every request unfounded.

A controller is also required to make sure that the data subject is who they say they are. When there are doubts, the controller can request further information about the data subject.

Finally, and this seems a bit weird, a controller can use icons to communicate information. Why this is specifically mentioned when they’ve already said that the information needs to be communicated clearly seems a bit redundant to me. Perhaps legal people like to hear themselves talk. I’ve heard they get paid more the longer they talk, so this seems a reasonable assumption.

Section 2 – Information and Access to Personal Data

Article 13 – Information to be Provided where Personal Data are Collected from the Data Subject

4 paragraphs. This details the necessity of informing data subjects, at the time the data is collected, about the reason for the collection and the uses the data will be put to. It runs as a list of the items that need to be told to the data subject at the time of collection.

Another note is made to the effect that if data that is already held is going to be used in a new process then the data subject must be told the purpose.

So the key to the timing is telling the data subject when data is collected or when you intend to use the data for a new purpose.

Article 14 – Information to be Provided where Personal Data have not been obtained from the Data Subject

5 paragraphs. We have a very similar article here to Article 13. But the focus is on what to tell data subjects if the data you want to process has not come from the data subjects themselves. Again it is set out as a list of the information that needs to be shared with the data subject.

There’s a get out of jail free card if the data subject already has the information or if it would prove disproportionately difficult to do.

What is nifty is that the legislation doesn’t describe what counts. Do personally engraved telegrams live up to the letter of the law, or would a notification on a website of what is taking place? It is a question that I think time will dictate.

Article 15 – Right of Access by the Data Subject

4 paragraphs. Ahh, the right of the individual to get details about the data held and how it is being processed. Any data transferred to a third party or out of the country needs defined safeguards, details of which can be requested by the data subject.

It is specifically mentioned that the data must be able to be supplied in a common electronic format.

Section 3 – Rectification and Erasure

Article 16 – Right to Rectification

1 paragraph. The individual has the right to request that inaccurate or incomplete information is rectified. Now, as someone engaged in the business of data and its use to support the public sector, this sounds brilliant. Hopefully we can find a streamlined method of keeping our data relevant and accurate.

Article 17 – Right to Erasure

3 paragraphs. This is going to be fun. I’ve already checked, but you don’t get to ask the police to forget your past indiscretions. We have a list of criteria for when you can ask for your information to be forgotten, and even if the controller has made the information public they need to attempt anything reasonable towards removing that data.

Although, as expected, there are exceptions if the data is required for freedom of expression or information (newspapers), compliance with legal obligations (police work among other things), public interest such as public health, or archiving for scientific, historical or statistical purposes. And finally for defending legal claims.

Article 18 – Right to Restriction of Processing

3 paragraphs. There are a few items that denote when a data subject can restrict the use of their data, such as when the accuracy of the data is in question (during the time it takes to verify the info), if processing is unlawful, if the data is no longer needed, and during disputes over the legitimacy of using the data.

If a restriction is in place the only processing that can be carried out is storage and legal claims protecting another natural person. Before any restriction is lifted the data subject shall be informed.

Article 19 – Notification Obligation Regarding Rectification or Erasure of Personal Data or Restriction of Processing

1 paragraph. This succinctly states that all events regarding the rights of the data subject, such as erasure or restriction, shall be notified individually to the person involved unless this is impossible to do.

Article 20 – Right to Data Portability

4 paragraphs. This defines the ability of an individual to request a copy of their data in a structured, commonly used and machine-readable format, or to have a controller pass it across to another controller where that is technically feasible. I’m interested to see which formats win out. I suspect there will be an XML versus JSON battle, or perhaps a third option will appear.

Section 4 – Right to Object and Automated Individual Decision-Making

Article 21 – Right to Object

6 paragraphs. This speaks to the right to object to processing. The regulation specifically calls out direct marketing. I’m wondering how long it will take to set up an automated system that tells Google and all of the big data aggregation services that they cannot use your data to better serve you adverts. I hope it’s within the first day.

Article 22 – Automated Individual Decision-Making, Including Profiling

4 paragraphs. Decisions based on automated processing are bad, and they can only be used when you are entering a contract with someone, when authorised by the state (I’m guessing this means spying), or when the data subjects themselves explicitly allow it.

Section 5 – Restrictions

Article 23 – Restrictions

2 paragraphs. Here we have a whole article dedicated to the restrictions on these data subject rights and, as expected, national security is at the top. This is what will allow us to process data in the public sector without informing data subjects at every turn for every instance of data processing. These restrictions will be supported with UK legislation, but ultimately will be able to be relied on if the work you are doing is important to the running of the government or body.

I am specifically wondering, though, how a company that captures and leverages personal data will manage the constant bombardment of data subjects with information about the processing of their data.

And there you have it, a fairly dry week. Basic rights with a few get out of jail free cards for certain organisations. Till next week.

Born into the wilds of mid-western America, Matthew has lived his life creating. The kind of kid that bought a tarp, some PVC pipe and a skate board; fashioned himself a windsurfing set-up and then saw an opportunity in a local tornado. "Sorry Mom." Undergraduate in Art and Design, Doctorate in Scottish History, Matthew came late to the realisation that if he's going to use his diverse skill set he'd have to employ himself.