In this blogpost we will talk about the rights of data subjects. The GDPR introduces some new rights, and expands the already existing ones. As a company it is crucial to understand these rights, as they might have a big impact on your processes and systems. Let’s discuss some of the most important rights of data subjects under the GDPR:
The right of access (recital 63 and article 15 of the GDPR)
Data subjects have the right of access to their personal data. A complete list of the information your company must be able to provide can be found in article 15 of the GDPR.
The right of rectification (article 16 of the GDPR)
Data subjects have the right to rectification of inaccurate personal data. As a company, you must erase or rectify inaccurate personal data from your systems on the request of the data subject.
The right to erasure (article 17 of the GDPR)
Data subjects have the right to be “forgotten” under certain circumstances, which can be found in article 17(1) of the GDPR. This means your company must be able to delete a person’s personal data from your systems. Under certain circumstances your company must keep some or all of the personal data. These circumstances can be found in article 17(3) of the GDPR.
The right to restrict (article 18 of the GDPR)
Data subjects have the right to restrict the processing of their personal data under certain circumstances, which can be found in article 18 of the GDPR.
The right of data portability (article 20 of the GDPR)
The data subject has the right to request his/her personal data from a controller, so he/she can transmit it to another controller without hindrance.
The right to object (article 21 of the GDPR)
A data subject has the right to object to the processing of their personal data. Pay extra attention to this right if your company uses either “public interest” or “legitimate interests” as the lawful basis for processing personal data. Article 21 of the GDPR explains this right in more detail. Under the right circumstances, if your company can show that it has compelling/legal grounds to continue the processing, you do not have to stop your processing activity.
As a company you must meet these requests of data subjects, but it is very important to identify the data subject before you act upon his/her request. When a request is made, you have one month to carry out the requested action, and you should do so free of charge. And, as always under the GDPR, you must provide all information in a concise, transparent, intelligible and easily accessible form, using clear and plain language.
We hope you found our blog informative so far. In our next blogpost we will discuss the (new) obligations of organizations under the GDPR.