Last week I wrote a blog about how the UK and the Irish regulators are being more lenient if you need more time to respond to requests under the GDPR. That blog did not describe or explain those requests. As mentioned in last Friday’s blog on GDPR terminology, there are eight individual rights set forth in the GDPR. Each of these eight rights will be the subject of its own blog in the next several weeks. The purpose of today’s blog is to introduce you to each of these individual rights:
- The right to information (Articles 13 and 14 requires the controller to provide to the individual certain information when personal data are collected from him or her and from third parties concerning him or her)
- The right of access (Article 15 requires the controller to tell the individual whether personal data concerning him or her are being processed and if it is being processed, to give access to that personal data and certain other specified information)
- The right to rectification (Article 16 requires correction of inaccurate and incomplete personal data)
- The right to erasure (the right to be forgotten) (Article 17 requires the controller to erase personal data when certain circumstances exist)
- The right of restriction (Article 18 requires the controller to limit processing when one or more of certain conditions exist)
- The right to data portability (Article 20 requires the controller to give the individual personal data concerning him or her in a specified format under certain circumstances)
- The right to object (Article 21 requires the controller to no longer process personal data concerning him or her when the individual objects on certain specified grounds)
- The right not to be subject to automated decision-making, including profiling (Article 22 requires this right when an automated decision produces legal effects concerning the individual or similarly significantly affects the individual)
As mentioned in last week’s blog, for the rights set forth in Articles 15 to 22, the controller needs to identify the individual making the request and should inform the individual of the action it has taken on his or her request within 30 days. A two-month extension of the 30 days may be obtained for complex or numerous requests if the controller notifies the individual of the extension within one month of receiving the request. Neither the UK nor the Irish regulator will penalize organizations that are unable to respond to these requests within the time limit set by the GDPR because of COVID-19. A request made by electronic means must be responded to by electronic means unless the individual requests otherwise.
The controller should inform the individual within one month of the reasons it is not taking action on an individual’s request and of the possibility of lodging a complaint with a supervisory authority, and information provided and actions taken under Articles 13 through 22 must be done free of charge. If the requests are manifestly unfounded or excessive, particularly because they are repetitive, then the controller may charge a reasonable fee or refuse to act on the request.
The controller must communicate the actions taken under Articles 16 to 18 to each recipient to whom the personal data have been disclosed unless it is impossible or involves disproportionate effort. The controller must inform the individual about those recipients if the individual so requests.
There are different requirements for different individual rights. Keeping these distinctions straight can seem overwhelming. Not to worry! GDPRsimple has an Individual Rights Request Manager that helps SMEs handle requests. Built into the Individual Rights Request Manager are the GDPR specific and general requirements for each type of request so it is easy for SMEs to comply with these requirements as each request is handled.
This blog is the first in a series of blogs that describes and explains the eight individual rights set forth in the GDPR. If you don’t want to wait until the next blog to learn more about the GDPR and the individual rights in the GDPR, take a look at GDPRsimple, http://www.keepgdprsimple.com, an automated web and mobile tool, that can help SMEs implement the GDPR and demonstrate their implementation.
Next blog: The right of information – What types of privacy notices are there?