GDPR Series#5: Empowering Individuals Under GDPR


Protecting individuals’ data rights and privacy is the core tenet of GDPR. It strives to empower individuals with complete control over their data, including information on where it is stored, how it is used, and with whom it is shared.

In this article of our GDPR series, we deeply examine the provisions that empower individuals to manage their data preferences.

GDPR Provisions

Chapter 3 of GDPR handles the rights of the data subjects. Specifically, articles 12 to 23 discuss what individuals can do to safeguard their data. Here’s a brief rundown of each article.

Article 12 – Transparent Information and Communication

You must provide data subjects with clear and easily accessible information about data processing activities, rights, and any actions taken under articles 15 to 22 and 34. You must use concise and plain language, offer it free of charge, and provide it in writing or orally upon request.

Article 13 – Information on Personal Data Collection

While collecting personal data, you must provide data subjects with specific information such as:

  • Your identity and contact details
  • Purposes and legal basis for processing
  • Data recipients
  • Details about data transfers
  • Data retention periods
  • Right to withdraw consent
  • The process to file a complaint

Article 14 – Information When Personal Data is Not Collected

When you obtain personal data from sources other than the data subject, you must provide the following information to data subjects:

  • Your identity and contact details
  • Purposes, legal basis, and categories of personal data
  • Intended recipients, data transfers to third countries, and safeguards used
  • Data subjects’ rights
  • Source of the data
  • Right to raise a complaint

Article 15 – Right of Access

Article 15 grants data subjects the right to access their data. When they request information about how their data is processed, its recipients, the storage period, the data sources, and any automated decision-making, you must provide it. You can charge a reasonable fee for additional copies if needed, and when the request is made electronically, the information should be provided in a commonly used electronic format.

Article 16 – Right to Rectification

Data subjects can request the rectification of inaccurate data, and you must take immediate action to fix it.

Article 17 – Right to Erasure

Data subjects can request that you erase their data, withdraw their consent, and object to processing. Accordingly, you must take reasonable steps to remove the data and inform other entities processing it.

Article 18 – Right to Restriction of Processing

Any data subject can restrict the processing of their data when:

  • Their data is inaccurate
  • The processing is unlawful
  • You no longer need the data, but the data subject requires it for legal claims
  • Verification of your legitimate interests is pending

When processing is restricted, you can process the data only with the data subject’s consent or for legal claims. Also, you must inform them before lifting the restriction.

Article 19 – Notification Obligation

This article requires you to inform recipients, including other data processors and controllers, when you act on requests for rectification, erasure, or restriction of processing under articles 16, 17, and 18.

Article 20 – Right to Data Portability

Data subjects have the right to receive the personal data shared with you in a structured, commonly used, and machine-readable format. They can also transmit this data to another entity without interference.

Article 21 – Right to Object

Data subjects can object to processing of their data that is based on public interest tasks or legitimate interests, including profiling. In such cases, you must stop processing unless there are compelling legitimate grounds to continue.

Article 22 – Automated Decision-making

This article gives data subjects the right not to be subject to decisions based solely on automated processing, including profiling. This right doesn’t apply if the decision is necessary for a legal contract. In such cases, you must provide safeguards, including human intervention and an opportunity for the data subject to express their viewpoint and contest the decision.

Article 23 – Restrictions

The Union or member states can enact legislation restricting the scope of the rights and obligations described in this chapter. Such legislation may be necessary for national security, defense, public security, the prevention of criminal offenses, and other general public interest objectives.

As you can see, data processing restrictions are central to GDPR, and hence violations can attract heavy penalties. You must take all possible precautions to protect the above rights.

10 Tips to Handle the Rights of Data Subjects

Below are some things you can do to protect the rights of data subjects and comply with GDPR:

  1. Develop comprehensive policies to handle requests for access, rectification, erasure, and other data subject rights.
  2. Regularly train your employees to help them handle requests from data subjects promptly and appropriately.
  3. Maintain thorough records of processing activities, data transfers, and interactions with data subjects regarding their rights to demonstrate compliance.
  4. Provide an easy and secure mechanism for your data subjects to submit requests for information or changes.
  5. Continuously monitor updates and changes to GDPR to ensure ongoing compliance.
  6. Use anonymized data where possible and ensure it is used for legitimate purposes only.
  7. Depending on the size and nature of your organization, appoint one or more Data Protection Officers (DPOs) to oversee compliance and act as a point of contact for data subjects.
  8. Conduct regular security assessments to avoid unauthorized access or breaches.
  9. Prepare a response plan to handle data breaches.
  10. Before starting new data processing activities, assess their impact on data subjects’ privacy and take measures to mitigate risks.

These tips can protect your data subjects’ rights, help you avoid penalties, and build trust with your customers.

Final Words

In all, GDPR is designed to protect individuals’ data and empower them to decide how and where their data may be used. The provisions described in this guide shed light on their rights and provide actionable insights on how you can comply with them.

Lavanya Rathnam

Lavanya Rathnam is an experienced technology, finance, and compliance writer. She combines her keen understanding of regulatory frameworks and industry best practices with exemplary writing skills to communicate complex concepts of Governance, Risk, and Compliance (GRC) in clear and accessible language. Lavanya specializes in creating informative and engaging content that educates and empowers readers to make informed decisions. She also works with different companies in the Web 3.0, blockchain, fintech, and EV industries to assess their products’ compliance with evolving regulations and standards.
