Rights of data subjects (part 2)

In the first part of the article, we have already discussed the right to access, right to rectification, right to erasure (‘right to be forgotten’), right to restriction of processing. Now is the time to open the veil of such rights of personal data subjects as:

  1. Right to data portability.
  2. Right to object.
  3. The right not to be subject to automatic decision-making.
  4. Right to lodge a complaint with a supervisory authority and the right to compensation.

Right to data portability

It was introduced relatively recently, so it is not 100% implemented anywhere. The subject can expect to receive their personal data in order to transfer them from one controller to another (if this is technically possible). It seemed that the right to portability is similar to the right to access? We tell you about at least two significant differences.

The right to portability is only used when the data:

processed on the basis of consent or agreement (the right of access applies to all legal reasons);
data processing should be automated.

The mechanism for data portability rights is as follows. At the request of the subject, the company generates all his personal data in a single file. After that, the document is passed either to the subject personally, or to the new controller (if it is specified by the subject). However, the file format must not be human-readable, but machine-readable in order to import personal data into the system of another controller.

In addition, the right to portability may be accompanied by a request to delete data from the first controller, but it doesn’t automatically delete personal data.

It is assumed that companies must agree on a common standard for data transfer, including the mechanism, format, and markup.

For example, the social network Vkontakte is subject to GDPR regulation, since it offers goods and services to individuals located in the European Union and has several language versions (English, French, Polish, etc.).

Therefore, VK users are personal data subjects who can exercise the right to data portability. In this case, the VK must provide the user with machine-readable photos, correspondence, and personal profile data for importing this information to Facebook.

It would be more reasonable for the VC to pass the data directly to Facebook to eliminate the risk of data loss by the subject. But the problem is that the right to portability is currently poorly implemented, because there is no single standard between social networks for what type and what data can be exported. Technical employees are forced to make individual decisions for each of the cases.

You probably remembered that Facebook added the ability for users to download their personal data? Yes, true, but this is about implementing the access right, not the portability right. Why? You can get personal data in a human-readable format, rather than a machine-readable format.

Right to object

The subject has the right to object to the processing of their personal data if they believe that their situation does not fall under the legitimate interest of the controller. In other words, the right to object can only be exercised if the processing is based on the legitimate or public interest of the controller. This right can also be used when the subject decides to withdraw their consent to data processing.

The controller has the right to consider the subject’s objections and make one of two decisions: either reject the objections and continue processing, or accept the objections and stop processing personal data.

Important! The right to object does not imply automatic satisfaction of the data subject’s requirements, and the controller has the final say. On a case-by-case basis, the objection must be considered, the situation analyzed, and a decision made as to whether this processing is necessary for the vital interests of the company or the public.

There is one exception to this rule. The subject’s objection to processing must be satisfied automatically if the personal data was processed for direct marketing purposes.

For example, a company has a pool of customers whose personal data was collected to sell their products. The organization also makes an email newsletter where it tells about the partner’s products. The client has the right to object to the processing of personal data, and the controller, in turn, will not have grounds for refusal.

In the privacy policy, it is recommended to specify in detail the legitimate interest of the company for data processing. Why? As we have already said, the subject has the right to object only to treatments based on a legitimate interest.

The right not to be subject to automatic decision-making

According to article 22 of the Regulations, this decision is based on an automated process. Simply put, situations where a robot decides the fate of a person.

You should pay attention to two points. First, if the company uses automated solutions, this must be specified in the privacy policy. Secondly, it is necessary to specify how the subject’s right to access their personal data will be implemented.

Let’s look at an example. Previously, insurance premiums for clients were calculated by an algorithm using a given formula. No, this doesn’t mean that now that the rules of Regulation apply, you need to hire an employee who will count everything manually. It is enough to appoint a responsible person so that they can track how relevant the decision was made and, if necessary, correct it.

Unfortunately, the Regulations do not contain instructions on the extent to which automation can continue, so you need to be prepared that clarifications may be made soon.


The right to compensation

In addition to the fine for violating the GDPR rules, the company is also required to pay compensation to the data subject if they so request. This right to compensation for moral and material losses for subjects is provided for in article 82 of the Regulations.

In addition, subjects have the right to defend themselves in a class action. For example, as a result of violation of the processing rules, 5 million people were affected, each of them suffered damage in the amount of 100 euros. Non-governmental associations and non-profit organizations specially created to protect the rights of subjects can represent these subjects in court and file class actions in court to recover compensation.

At one of the congresses on personal data protection in Brussels, representatives of a British law firm shared their experience. The company has established a non-profit organization to file class-action claims for compensation. According to lawyers, the GDPR rules created a “perfect storm” for Association. Today, European human rights organizations also have a material interest in protecting the rights of subjects: the larger the amount of a class action, the more substantial the fee for legal services rendered.

Right to lodge a complaint with a supervisory authority

Article 77 of the Regulations that the subject has the right to apply for protection to the Supervisory authority. This right can be exercised at the place of residence, work, or location of the violation.

For example, the subject lives in Austria, goes to work in Germany, and the company that violated his rights is located in France, which means that he can choose the country to apply to. At the same time, the Supervisory authorities have the opportunity to jointly investigate one complaint.

Data subjects from outside EU also have the right to appeal to the Supervisory authorities if European companies violate their rights. However, this right can only be exercised at the place where the rules are violated. For example, if you are located in Moscow and the rules were violated by a company located in Germany, then you need to file a complaint with the German Supervisory authority.

If the decision of the Supervisory authority does not satisfy the subject, he has the right to appeal it in court.

The course is loading, wait a few seconds