The Eight User Rights Under the GDPR
The GDPR may be legislation aimed at data controllers (and businesses), but it's data subjects that are truly at the core of the text.
All the rules, restrictions, and requirements placed in the GDPR share the aim of protecting data subjects (or users) and upholding their rights.
The GDPR explicitly states its commitment to European citizens and data subjects early on in the legislation. Chapter 3 of the GDPR records those rights as the Rights of the Data Subject.
Chapter 3 outlines eight distinct rights that all Europeans are entitled to and that your organization must uphold through your data practices. The eight user rights are:
- The Right to Information
- The Right of Access
- The Right to Rectification
- The Right to Erasure
- The Right to Restriction of Processing
- The Right to Data Portability
- The Right to Object
- The Right to Avoid Automated Decision-Making
- 1. 1. The Right to Information
- 2. 2. The Right of Access
- 2.1. Provide a Method for Data Requests
- 3. 3. The Right to Rectification
- 3.1. Processes for Rectification
- 4. 4. The Right to Erasure
- 4.1. Do I Have to Comply with a Right to Erasure Request?
- 4.2. How to Share a Data Subject's Right to Erasure
- 5. 5. The Right to Restriction of Processing
- 5.1. What the Right to Restrict Processing Looks Like
- 6. 6. The Right to Data Portability
- 6.1. How to Comply with the Right to Data Portability
- 7. 7. The Right to Object
- 7.1. Disclosing the Right to Object
- 8. 8. The Right to Avoid Automated Decision-Making
- 8.1. Deploying the Right to Avoid Automated Decision-Making
- 9. Summary
1. The Right to Information
The first of the eight rights lies in Articles 13 and 14 of the GDPR. Article 13 refers to information that you must provide when you collect personal data directly from data subjects. Article 14 covers your responsibilities when you obtain data about the data subject from a third party or indirectly.
It holds that the data subject has the right to ask a data controller what kind of data they process and why the data controller needs it.
What kind of information do you need to provide?
Article 13 holds that you must provide the following information when you collect their data (not after):
- Controller identity and contact details and those of the controller's EU representative (if applicable)
- Data Protection Officer contact details (if a DPO was appointed)
- Legal basis for processing and purposes of processing
- Country where the processing occurs
- Legitimate interests of the processor and third parties
- Any recipients of personal data
- Any intention to transfer personal data outside the specified processing place and to a third country (particularly if the country is outside the EU)
- Data retention policy (how long data is stored)
- Explanation of rights to rectification, erasure, restriction of processing, and portability
- Explanation of right to withdraw consent
- Explanation of right to complain to the relevant supervisory authority
- If data collection is a contractual requirement and any consequences
- Existence of profiling and other types of automated decision-making and information about the logic behind them
Article 14 states that you need to provide the same information even if you don't collect the data directly from a data subject.
The right to information is very broad. A data subject can ask what personal data you collect generally, what processors the controller works with, and how the data gets used.
In addition to providing all these details, it must be:
- Easy to find
You must use language that the average person can read and understand (usually a high school reading level). If your site attracts younger visitors, the GDPR expects you to go a step further and write in the appropriate level as a your youngest user (usually the age of consent in the countries where you operate).
In addition to details about your data processing activities, you also need clauses that reflect:
- Third-party disclosures
- Cross-border data transfers
- Data Protection Officer (DPO) (if applicable)
- User access request mechanisms
- User rights
Here are a few examples from current Privacy Policies that reflect not only the new required clauses but also the goals of being concise, intelligible, easy to find, and transparent:
Nuffield Health, who processes special categories of data as a health service provider, offers a good example of times when it might disclose personal data to third parties:
Lloyd's Bank provides the conditions upon which it will send your personal data outside of the European Economic Area (EEA). It meets the condition that any transfers meet the same legal requirements placed on data within the EEA:
It also added a clause on the consequences of not providing data, which is also required by the GDPR. In this case, the university warns that it could hold incorrect or incomplete records, which could cause headaches for students and staff.
Finally, John Lewis, a retailer, discusses the mechanisms by which data subjects can withdraw their consent for direct marketing including clicking unsubscribe links, changing preferences in the "My Account" area or writing to the company:
- Answer the questions related to your entity type and location.
- Answer the questions relating to what type of information you collect from your users.
2. The Right of Access
Article 15 outlines the first named right found in the GDPR: the right to access.
The right to access allows the data subject to access the personal data belonging to them that you process.
What does the GDPR say customers have a right to access? In addition to asking specifically about their personal data file, they can ask about:
- Why and how you process the data
- Categories of personal data involved
- Who sees the data (including and especially in countries outside the EU)
- How long you intend to store the data
- How to exercise their rights
- Any available information to the source of data when you do not collect the data from the data subject
- Your use of profiling and automated decision-making
The right to access adds an extra layer of transparency to your processing activities because it allows data subjects to confirm what data you have compared to the data you say you have. It also sets them up to exercise further rights, like the right to rectification or the right to erasure.
You should know that the law allows data subjects to request a copy of the data at no cost to them. However, if they request multiple copies, you can begin to assess a "reasonable fee based on administrative costs." In other words, you can't ask for an amount of money that would prevent the user from upholding their rights or be seen as punitive.
Provide a Method for Data Requests
You can choose an existing method or create something new and GDPR-specific.
Alternatively, the University of Manchester created a Subject access request form for data subjects to fill out and provide. It also accepts requests emailed to a data protection office email address:
Don't for to respond to all access requests. See our article for guidance: How to Handle Privacy Access Requests Under the GDPR.
3. The Right to Rectification
Article 16, the right to rectification, provides European data subjects with the right to change or modify the data they provide you when they believe the data is inaccurate or out-of-date. You need to provide this "without undue delay."
The right to rectification also goes hand-in-hand with one of the six GDPR Privacy Principles - Data Accuracy - because it places added emphasis on the need for keeping accurate data.
Why is holding accurate data so important for you and your data subjects? Because incorrect data threatens the privacy of other individuals.
For example, if you hold data subject phone numbers, you need to acknowledge that people change their phone numbers from time to time. If you hold old phone numbers that were then given away to new customers, you risk contacting a customer who didn't provide consent.
Holding data and contacting customers without their consent is a GDPR violation.
Moreover, holding outdated or inaccurate data is bad for business. You aren't learning about or reaching your customers if half your email address list bounces.
Processes for Rectification
You need a way for data subjects to come to you with requests to update the data you hold about them.
For many companies, data subjects can update their information on their own time through a customer account and profile.
However, you should also provide a mechanism for the subject to exercise their right either verbally or in writing.
Delta makes it easy to update information or correct bad information by allowing users to do it themselves and by providing a number to call for issues they can't correct through their online profile.
4. The Right to Erasure
Article 17 describes the user right to erasure, which is better known as the right to be forgotten.
The article says that the data subject has the right to ask a data controller to erase their data without undue delay in the following circumstances:
- "The personal data are no longer necessary in relation to the purposes for which they were collected or otherwise processed"
- "The data subject withdraws consent on which the processing is based..."
- "The data subject objects to processing pursuant to Article 21(1) and there are no overriding legitimate grounds for the processing"
- "The personal data have been unlawfully processed"
- "The personal data have to be erased for compliance with a legal obligation in Union or Member State law to which the controller is subject"
When you make the decision to erase a data subject's data according to the right to erasure, you also need to share the request. All other controllers or processors with whom you have a contract also need to be aware of the erasure so that they can also erase:
- Links to...
- Copies of...
- Replication of the personal data
Do I Have to Comply with a Right to Erasure Request?
In some cases, you do not need to comply with a request to access the right to erasure. The GDPR outlines these circumstances as follows:
- When your processing involves as a right to the freedom of expression and information
- When your processing involves compliance with a legal obligation and the public interest
- When your processing includes reasons of public interest within the realm of public health
- When your processing meets the guidelines published in Article 89(1) (or public interest, historical or scientific purposes, or statistics purposes)
- When your processing is for the "establishment, exercise, or defence of legal claims"
If your processing falls under one of these categories and you can demonstrate the case, then you can deny the request for erasure by citing the necessary reason for the rejection in your notice.
How to Share a Data Subject's Right to Erasure
Right to erasure is a complex right that's worth getting to know so as to avoid falling on the wrong side of the law.
In addition to declaring the right to erasure, you should list any reasons why you might not comply with the request as well as how to exercise it.
It says customers can request deletion by contacting Northern:
This is a simple and clear way of letting your users know how to exert their rights.
5. The Right to Restriction of Processing
Article 18 outlines the data subject's right to request the restriction of processing under certain conditions. That means you must temporarily stop processing their data as requested as long as their requests meets one of the following:
- The data subject contests the accuracy of the data
- The data subject objects to unlawful processing and the data subject prefers you to restrict the processing rather than erasing their data
- The data controller does not need the data for processing but they need to keep the data pursuant to the "establishment, exercise, or defence of a legal claim"
Article 18(3) states that if you temporarily stop processing data, then you must inform the data subject before lifting the restriction and resuming the processing, if you choose to do so.
What the Right to Restrict Processing Looks Like
To get started, you'll need a method for recognizing and acknowledging the right to restrict processing so that you can honor requests. The right also comes with more communication than others might because it may warrant an investigation as well as several follow-up notices saying that you temporarily suspended processing and informing the subject you started up again.
It provides a direct link to the UK's Information Commissioner's Office for a fuller explanation of the rights.
Further detailed information is set out below the list as noted. Here's the relevant details for the right to restrict processing:
6. The Right to Data Portability
The right to data portability outlined in Article 20 refers to the data subject's right to receive the personal data held by the data controller in a commonly used format and send the data to another controller or use it for their personal purposes, under certain circumstances.
The law says:
"The data subject shall have the right to receive the personal data concerning him or her, which he or she has provided to a controller, in a structured, commonly used and machine-readable format and have the right to transmit those data to another controller without hindrance from the controller to which the personal data have been provided"
There are conditions to this. It only applies in situations where:
- Processing is based on consent or a contract, and
- Processing is done with automated means
Data portability sounds strange. Why would your customers want a copy of their data to send to another company? It is true that the right is a novelty, but experts say that data portability also creates a more user-centric privacy experience and encourages businesses to remain competitive and strive for platforms that coincide with each other.
How to Comply with the Right to Data Portability
To comply with the right to data portability, you need to have a policy in place to receive and recognize the request if it ever comes to you.
Additionally, you'll need to meet technological requirements to do it safely. You need to be able to send the data to the subject's requested controller in a structured format, using a secure method, and within a month of receiving the request.
It notes the "right to move, copy or transfer your personal data ('data portability') and directs users to the relevant email address to make the request.
Note that the email address is customized for such requests as it's "[email protected]" instead of a general contact email address. This isn't necessary but it's a nice touch and will help ensure data rights requests don't get lost in a general inbox.
7. The Right to Object
Article 21 outlines what is known as the right to object.
In simple terms, it says that data subjects have the right to object to your data processing, including profiling, when it is on relevant grounds.
If a data subject uses their right to object, the GDPR says that:
"The controller shall no longer process the personal data unless the controller demonstrates compelling legitimate grounds for the processing which override the interests, rights and freedoms of the data subject or for the establishment, exercise or defence of legal claims."
Do you engage in direct marketing? If so, Article 21(2) says the data subject can object at any time when the processing you do relates to direct marketing, and you must comply. For example, if a data subject unsubscribes from your marketing emails, you must not send them any more emails until and unless they provide consent for you to do so.
The GDPR takes the right to object seriously. You need to share the right to object with every data subject ASAP or "at the latest at the time of the first communication with the data subject."
The only real exceptions to the rule are when you process data for research purposes (historical, scientific, or statistical) and in cases when the data is essential for the public interest.
Disclosing the Right to Object
Another example from Delta Airlines demonstrates a well-thought out meaning of the right:
The clause notes that:
- Customers can object at any time when the objection relates to marketing
- Customers can object when the data processing is in Delta's interest and Delta must suspend the processing
- Delta has the right to establish grounds for continued processing that allow it to continue using the data
8. The Right to Avoid Automated Decision-Making
The eighth and final right offered by the GDPR lies in Article 22: Automated decision-making, including profiling. It says:
"The data subject shall have the right not to be subject to a decision based solely on automated processing, including profiling, which produces legal effects concerning him or her or similarly affects him or her"
The right to avoid automated decision-making comes with three exceptions when it cannot be exerted:
- When automated decision-making is necessary to enter into or complete a contract
- When the control has authorization from the EU or a Member State and uses safeguards to protect the subject's interests and freedom
- When the profiling or decision-making occurs with the subject's explicit consent
Although the GDPR applies to any and all individual decision-making, the most common examples that the right supports tend to be financial. For example, if you are a EU resident who applies for a loan using a bank's online application, then you can appeal the decision because the outcome impacts your legal rights and freedoms.
If you use automated decision-making in any form, you need to identify it and then:
- Tell data subjects you use it
- Create ways to request human intervention
- Update and maintain your systems to avoid malfunction
Deploying the Right to Avoid Automated Decision-Making
Generally, you'll need to do three things to uphold the eighth user right.
First, you need to complete a Data Protection Impact Assessment (DPIA) for your current and any future profiling or automated decision-making tools. Your DPIA should also ensure there are checks in place to protect children and other vulnerable groups.
Second, you need to share how the decision-making process works and how you access the data subject information used for profiling.
Third, you need to explain to customers that you use the mechanism and why it is relevant to your legal processing basis.
Bank of Ireland uses automated decision-making as part of its core work when making lending decisions, so it dedicates an entire section of its Data Privacy Notice to the topic:
The section clearly describes the processes, including what data it uses to complete the process.
To supplement this, Bank of Ireland also created a Data Subject Rights page that provides mechanisms for each right including the right to object to profiling:
GDPR logistics may largely apply to businesses (as data controllers and processors), but the spirit of the law lies in protecting your customers and data subjects.
Each of the user rights reflects the principles of accountability and transparency woven through the entire text of the legislation. Each principle allows data subjects to not only see what data you have but it allows them to update it appropriately and even stop you from processing it in some cases.