Data subjects’ rights (part 1)



In the first part of our article, we will talk about the following rights of data subjects under the GDPR:

  • Right to access.

  • Right to rectification

  • Right to erasure (‘right to be forgotten’)

  • Right to restriction of processing


Right to access


According to article 15 of the Regulations, the subject must be able to use the right of access to find out what information the company has about him. Up to information about which mechanism of cross-border data transfer is used by the organization.

This means that the company is obliged to provide the subject with a copy of his personal data in human-readable form: electronic or paper.

As a rule, if the subject has applied in electronic form (via e-mail or feedback service), personal data is provided in electronic format. And, conversely, when the subject applies in paper form (for example, through a registered letter), the data is sent in paper form. However, if the data volumes are large or the copy is requested repeatedly, reasonable fees may apply.

An interesting case occurred in the British edition. The newspaper conducted an experiment: a journalist asked the company that owns the dating application Tinder, all of her personal data for the period of using the service in paper form. Bottom line: having received almost half a thousand pages, the girl was very surprised why there were so many.

The fact is that Tinder collects not only personal data from the subject’s account, but also geolocations, texts of correspondence and the history of swipes when interacting with other users.

At the same time, the right to access data should not have a negative impact on the rights and freedoms of others.

What does it mean? For example, you work for a company that has a 360-degree staff assessment system. Each of the employees, including you, is assessed according to the criteria of a colleague. It turns out that the information collected about the employee is his personal data. The report contains identifiers that can be used to draw conclusions about your professional suitability and human qualities. However, if you try to demand access to this data, nothing will work. Information about how your boss or subordinate treats you can negatively affect work relations. In principle, it is possible to take measures to anonymize the data, but this will be very difficult, since there will still be a high risk that certain words or situations will help identify the owner of the review. Moreover, the circle of people is limited by the working team, anonymization of data is practically impossible. And this is the case when the refusal to provide a copy of personal data is reasonable.


Right to rectification


According to article 16 of the Regulations, the subject has the right to demand to clarify or supplement the data available to the company about him. It is important to verify the identity of the person making the request, check the information that is changed, and ask for the purpose and reason.

Thus, if the subject’s name is Vanya Ivanov, he cannot write to the bank where he took out a loan: “Good afternoon! Please change my name and surname to Arnold Schwarzenegger. And by the way, now it is he who will pay you 150,000 euros”.

For example, a subject can clarify the data when he changed his surname, moved, made a new passport (in fact, the information should be verifiable).


Right to erasure (‘right to be forgotten’)


It is called by various names: the right to erasure or the right to be forgotten. According to Article 17 of the GDPR, the subject has the right to demand the immediate deletion of his personal data if they are no longer required for the originally specified purposes.

For example, 22-year-old Ivan recalled that 8 years ago he was an active Internet user. I registered on various gaming sites and left not the most censored comments and reviews there. Currently, Ivan does not use these services, so Ivan may request that all personal data left by him be deleted.

But, if the purposes for which the data were collected have already been fulfilled, then according to the rules of the Regulation, automatic deletion should take place.

In addition, according to Article 17 of the GDPR, the subject can revoke his consent to data processing if his data is not used for other purposes.

At the same time, if the data is processed by several processors in the interests of one controller, the subject can choose to whom to submit the request to be forgotten. He does not need to notify the entire chain of companies that collect and process his data. It is enough to send a request to any of the processors, whose responsibility will be to notify the controller.

Here’s an example when it works. The data subject lives in a Muslim country and the information that he buys pork poses a serious social risk for him. The subject applies to the company with a request to delete personal data relating to him. In this case, the risk of the subject outweighs the legitimate interest of the company that sells pork, therefore, his data is subject to undisputed deletion even though it was collected and processed completely lawfully.

The right to erasure can also be exercised in a situation where the processing is unlawful. For example, data from CCTV cameras should be stored for 6 months, after which it will be automatically erased. If the company, in violation of the law, continues to store recordings from cameras after six months, then the subject has the right to demand that the data be deleted.

Personal data is also subject to deletion if collected for the provision of information society services. Sounds complicated, doesn’t it? This is about children’s rights. In order to create a personal account on social networks, you must reach a certain age. Let’s imagine that a child actively used Facebook before reaching this age: subscribed to groups, left comments, posted personal photos. Parents have the right to request the deletion of all data about the child, and Facebook, in turn, cannot refuse, citing a legitimate interest in processing. A minor does not always give an account of all his actions: what he writes, what photos he uploads, the consequences for adult life. The right to be forgotten for children is realized without exception. Moreover, this is valid even if Vasya is already 25 (only then it is not his parents who apply, but he himself).

There are several restrictions on the right to be forgotten. The first concerns the right to freedom of expression and freedom of information. The right to be forgotten will not work in this case.

For example, a person committed a crime and was sentenced to punishment. The newspaper covered the course of the trial, told about the circumstances of the crime, mentioned the person’s name, date of birth, facts from the biography of the offender. Society has the right to know about a crime and the person who committed it. Nobody will censor the newspaper for the sake of forgetting the name of the criminal and details of the crime. If a person tries to demand the removal of his name, he will be refused.

The second limitation on the right to be forgotten is related to the state interest. For example, for the purpose of epidemiological protection of the population, the state can save medical records of patients with coronavirus. In the event of a repeated epidemic, medical institutions will be able to quickly obtain information on possible blood donors containing antibodies. Accordingly, it is impossible to demand the removal of personal data from medical records, since this is contrary to the interests of the state.


Right to restriction of processing


In this case, “restriction” is interpreted as “freezing”. The bottom line is simple: if the grounds for data processing are temporarily not relevant, the personal data already collected remains with the controller, but the controller is not entitled to take any action other than storing the data.

When might you need it? First, when the data is not accurate. For example, a bank sends its client account statements to its old address. The client asks: “Stop sending me statements until you get my address. I don’t want my former landlord to get my banking information. ”

Secondly, when the processing is illegal. For example, a client wants to take legal action, but does not want the bank to continue processing his data now. The client can say or write: “Stop processing my data, but leave it in your system so that I can use it as evidence in court.”

The controller retains the right to make a decision. In each case, it is necessary to analyze whether the requirement of the subject outweighs the legitimate interest of the company. If the rights of the subject outweigh the legitimate interest, then the processing must be stopped and the data must be temporarily frozen. Otherwise, you can refuse the subject and not freeze the collected personal data.

The course is loading, wait a few seconds