6.0 - Data Subject Rights

6.1 - Access

  • Article 15 of GDPR
  • Data subjects may request access to data held regarding them via access requests
  • These are generally free of charge, unless requests are manifestly unfounded or excessive (e.g. repetitive in nature)
  • Data subjects can also request a copy of any personal data being processed
  • The information the controller must supply covers multiple categories, expanded under GDPR compared with earlier law
  • Includes the retention period, confirmation of whether data about the subject is being processed at all, and the source the data was obtained from
  • E.g. a current or former employee could request the data their employer holds about them, such as contact details, performance reviews, etc.

6.2 - Correction

  • Article 16 - grants the right to have inaccurate or incorrect personal data corrected
  • This applies to any personal data associated with the data subject
  • Incomplete data can also be completed, including by means of a supplementary statement from the data subject outlining the change(s) needed and the reasoning
  • If the data has been disclosed to third parties, the controller must pass the correction on to each recipient (unless this proves impossible or involves disproportionate effort); on request, the subject must be told who those recipients are
  • Data controllers have 1 month to respond; this may be extended where the request is complex, provided the subject is told of the extension and the reasons within the first month
  • If the controller refuses to act, it must tell the subject why and give sufficient information about the complaints process (lodging a complaint with the supervisory authority) should the subject wish to pursue it
  • Example: correcting a witness statement in a criminal investigation

6.3 - Right to be Forgotten

  • Article 17 of GDPR
  • Data subjects are entitled to require deletion if continued processing is no longer justified
  • Erasure requests are allowed on the following grounds (Article 17(1) lists six):
  • Purpose: If the data is no longer needed for its original purpose, and no new lawful purpose exists
  • Consent: If the original processing was based on consent and the data subject withdraws their consent
  • Objection: If the data subject objects to the processing and there is no overriding reason to continue processing
  • Lawfulness: If the processing was unlawful, the data must be deleted
  • Compliance: If erasure is required to comply with a legal obligation (EU or member-state law) to which the controller is subject
  • Children: If the data was collected from a child in relation to an information society service offered under Article 8 (see 6.5)

6.4 - Objection

  • Article 21 of GDPR
  • Only applies when the lawful basis is a public task or legitimate interests (including profiling on those bases); there is also a specific, absolute right to object to processing for direct marketing, and a right to object to processing for scientific, historical research or statistical purposes on grounds relating to the subject's particular situation
  • Can apply to a subset of the personal information, to all of it, or to the information used for a specific purpose
  • Controller must cease processing unless one of two exceptions is met (neither exception applies to direct marketing, which must stop on objection):
  • Requirement: The controller requires the processing to establish, exercise, or defend legal claims
  • Grounds: There are compelling, legitimate grounds for the processing that override the interests, rights and freedoms of the data subject

6.5 - Children's Data Age 13-16

  • Article 8 of GDPR
  • Where consent is the lawful basis for an information society service offered directly to a child, consent for a child under 16 must be given or authorised by the holder of parental responsibility
  • Member states can individually set this age as low as 13
  • Any notices or other communications about data processed in relation to children aged 13-16 must be in a child-friendly form; that is, written in a way a child can understand
  • The information provided must be:
    • Concise
    • Transparent
    • In plain language
  • The above is especially important for any communications addressed specifically to children.

6.6 - Portability

  • Article 20, the right to receive and transfer their data
  • Data subjects are entitled to obtain their personal data and transfer it between controllers; this applies where the processing is based on consent or a contract and is carried out by automated means
  • It covers four things:
  • Copies: Controllers must provide the data in a structured, commonly used and machine-readable format that individuals can use in a normal way
  • Transfer: Controllers must allow the data to be moved to another controller without hindrance
  • Storage: The subject may store the data on a personal device
  • Data transmission: Data subjects may request direct transfer of their data from one controller to another, where technically feasible
  • Only data the subject provided to the controller is covered; inferred or derived data the controller created from it is not, as that is outcome-based data

6.7 - Prompt Response

  • Controllers must respond to all requests without undue delay
  • For requests under any of the data subject rights, controllers must respond within 1 month and provide the requested information or action
  • Where possible, controllers should provide technical means for requests to be made and handled electronically, for efficiency
  • Responses should be made in writing or electronically
  • A verbal response is allowed if the data subject asks for one, but the subject's identity must be proven by other means before the response is given
  • If the controller has a large number of requests or the request is complex, it may extend the deadline by up to 2 further months, but must tell the subject of the extension and the reasons within the first month