Data subject's right

Question 1

What is the aim of the provisions granting data subject rights?

Answer 1

To even the power between the controller/processor and data subject and to give subjects the ability to exercise greater control over the processing of their personal data.

Question 2

What rights do data subjects have in regards to information and access?

Answer 2

Article 12 - Any information relating to processing (in particular information referred to in articles 13-14, 15-22 and 34) must be given to the data subject in a clear, intelligible and easily accessible form.

Article 13 - Information when data collected from the subject; about the controller, DPO, the processing of data, any recipients and intentions of transfers + rights

Article 14 - Information to subject when not collected from them; almost same as 13

Article 15 - Right of access to purposes of processing, categories of data, recipients, storage period, existence of rights to rectification, erasure and restriction

Question 3

Can a data subject have inaccurate data rectified or erased?

Answer 3

Article 16 - Right to rectification of inaccurate data - if regarding legally significant matters (like legal identity) the controller can ask for proof.

Article 17 - Right to erasure of data

• when no longer necessary in relation to the purposes,
• after withdrawal of consent,
• after an objection to the processing,
• data being unlawfully processed,
• for compliance with a legal obligation to which controller is subject
• in relation to offer of information society (underage)

Where data are made public by controller - reasonable measures to inform other controllers that data must be erased.

Opposing interests
- Freedom of expression and information, compliance with legal obligation, performance of task carried out in public interest, public interest in the area of public health, archiving purposes, legal claims

Question 4

When does a data subject have a right to restriction of processing?

Answer 4

Article 18

• When accuracy is contested
• Where processing is unlawful (instead of erasure)
• Controller no longer needs the data for processing, but the data are required by the data subject for the establishment, exercise or defence of legal claims
• Subject has objected and is awaiting the verification whether the legitimate grounds of the controller override those of the data subject

Article 19
Controller shall notify each recipient about the rectification, erasure or restriction of data, unless impossible or disproportionate.

Question 5

What is the right to data portability?

Answer 5

Article 20
When processing is based on consent or on a contract, the data subject has the right to receive the data about him being processed and to transmit it to another controller - if technically feasible, directly from controller to controller.

Data in a structured, commonly used and machine-readable format so as to enable the actual transfer and have the data be intelligible to the new controller.

Recital 68: Controllers should be encouraged to develop interoperable formats - the provision does not, however, create an obligation for controllers to adopt or maintain processing systems which are technically compatible.

WP29: Old controller not responsible for new controller’s compliance.

Question 6

When can a data subject object to the processing of his personal data?

Answer 6

• On grounds relating to his particular situation when processing based on public interest or controller’s legitimate interest. Processing may only continue if controller demonstrates compelling legitimate grounds that override the interests/freedoms/rights of subject or for legal claims.
• Direct marketing purposes

Question 7

What does Article 22 grant the data subject?

Answer 7

The right to human intervention in the event of a decision based solely on automated processing, which produces legal effects or similarly significant effects (creditworthness, e-recruitment, performance of work, analysis of conduct or reliability)

Exceptions

• Decision is necessary for entering into or performance of a contract
• Authorised by Union or MS law with suitable measures to safeguard
• Explicit consent

Question 8

Can MS provide for restrictions of the rights? Article 23

Answer 8

Articles 12-22 (rights) and Article 34 (communication of data breach to subject) can be restricted as long as it respects the essence of the fundamental rights/freedoms
and is necessary and proportionate in a democratic society to safeguard

• national security
• defence
• public security
• fighting crime
• other important objectives in public interest
• procetion of judicial independence and proceedings
• fighting breaches of ethics
  etc etc.