There are some procedural and some substantive commonalities between the rights of access, rectification, erasure, restriction and portability and the right to object.
Let’s discuss the similarities among all six rights first:
- The controller must ascertain the identity of the individual making the request. If the controller does not have the information to determine the identity of the individual making the request, then the controller must inform the individual, and the individual must provide the information. If the individual does not provide the information, then the controller is not required to process the request.
- The controller must provide information on the action taken on a request to the individual within one month of receipt of the request. That period may be extended by two months where necessary, taking into account the complexity and number of the requests. Within one month of receipt of the request, the individual must be informed of any extension and the reasons for the extension.
- Where the individual makes the request electronically, the information must be provided electronically, unless the individual requests otherwise.
- If the controller does not take action on the individual’s request, the controller must notify the individual within one month of receipt of the request of the reasons for not taking action and of the possibility of lodging a complaint with the supervisory authority and of seeking a judicial remedy.
- All actions in response to these requests must be provided free of charge. A reasonable fee may be charged where requests from an individual are manifestly unfounded or excessive.
Similarities among the rights to rectification, erasure and restriction are:
- Where the controller has disclosed personal data to recipients, the controller must communicate any rectification or erasure of personal data or restriction of personal data to these recipients. This communication does not have to take place if it proves impossible or involves disproportionate effort.
- If the individual asks whether his or her personal data has been disclosed to such recipients, the controller must inform the individual about these recipients.
Similarities among the rights of access and to portability:
- The right to obtain a copy of personal data undergoing processing does not apply if it adversely affects the rights and freedoms of others.
- The right to receive personal data concerning the individual which the individual provided to the controller, in a structured, commonly used and machine-readable format, and the right to transmit those data to another controller do not apply if they adversely affect the rights and freedoms of others.
This blog is the fourteenth in a series of blogs that describes and explains the eight individual rights set forth in the GDPR. If you don’t want to wait until the next blog to learn more about the GDPR and the individual rights in the GDPR, take a look at GDPRsimple (http://www.keepgdprsimple.com), an automated web and mobile tool that can help SMEs implement the GDPR and demonstrate their implementation.
Next blog: Has any guidance been issued on the individual rights?