In part 1 of this article, we warned about the looming deadline of 25 May 2018, the date by which the GDPR becomes enforceable. Part 1 of the article dealt with the scope of the GDPR. It also discussed how the GDPR introduces one single set of rules that applies in the whole of the EU, what the lawful bases of processing private data are, and about parties’ responsibility and accountability.
In part 2 of this article, we will first have a closer look at the most important ‘Digital Rights’ the GDPR introduces: The Right of Access (art. 15), the Right of Correction / Rectification (art. 16), and the Right to Erasure (art. 17), and the Right of Data Portability (art. 20).
Right of access by the data subject (Article 15): As the name says, the Right of Access is a data subject right. It gives EU inhabitants the right to get access to their personal data and to information about how these personal data are being processed. Upon request by the data subject, a Data Controller must provide an overview of the categories of data that are being processed (Article 15 (1) (b)), as well as a copy of the actual data (Article 15 (3)). The Data Controller must also inform the data subject on the details about the processing such as: what the purposes are of the processing (Article 15 (1) (a)), with whom the data is shared (Article 15 (1) (c)), and how it acquired the data (Article 15 (1) (g)).
Right to rectification (Article 16) and the Right to Erasure (Article 17): As was the case under the old Data Protection Directive, the data subjects also have the right to obtain from the Data Controller the correction of inaccurate data, and the completion of incomplete data, without undue delay (Article 16). In a famous case, the EU Court of Justice had ruled in 2014 that EU inhabitants also had a right to be forgotten. In the GDPR, this right to be forgotten was replaced by a more limited right to erasure. Article 17 provides that the data subject has the right to request erasure of personal data related to them on any one of a number of grounds including non-compliance with article 6.1 (lawfulness) that includes a case (f) where the legitimate interests of the controller is overridden by the interests or fundamental rights and freedoms of the data subject which require protection of personal data.
Right of Data Portability (Article 20): The British Information Commissioner’s Office (ICO) summarizes the right to data portability as follows: [it] “allows individuals to obtain and reuse their personal data for their own purposes across different services. It allows them to move, copy or transfer personal data easily from one IT environment to another in a safe and secure way, without hindrance to usability. It enables consumers to take advantage of applications and services which can use this data to find them a better deal, or help them understand their spending habits.” The right applies both to data that has been ‘provided’ by the data subject, as well as data that has been ‘observed,’ such as information about their behaviour. The Data Controller must comply with the data subject’s request, and must provide the data in a structured and commonly used Open standard electronic format.
The GDPR contains far more regulations, e.g., on data breaches (art 33-34), on the Data Protection Officer (art. 37-39), on sanctions and pseudonymisation, but those are beyond the scope of this article.