Last article was devoted to the principles concerning controller’s duties. On contrary, today’s principles will express what data subjects may call for.
Personal data must be accurate and kept up to date, in other way it should be deleted or amended. So far nothing new in comparison with the Directive. The controllers must make sure to comply with this principle, as they must consider it with due regard to “the state of the art”. This means using technologies at the highest level of development. There are obvious risks to data subjects if inaccurate data are processed. Therefore, controllers are responsible for ensuring the accuracy.
“The Right of access” Controllers are obliged to provide data subjects with access to their personal data and data subjects are given a disposal of their data. The right consists of three particular requirements. Individuals have the right to know the details of data processing as well as to access them in appropriate way and get other supplementary information about all their rights granted by GDPR.
Example: In case of bank client asking for access to his personal data, after verification of the client, the bank must provide a copy of the personal data undergoing processing. Free of charge and without delay. An electronic request should receive answer in an electronic form. The bank may provide to enter a secure system which would grant data subject direct access to his data. Beside the basic information, the client must be informed about the rights to erasure, to rectification, to restriction of processing and to object to processing. He should also know about the right to complain to the Data Protection Authority (DPA) and information about profiling.
“The Right to rectification” Controllers must ensure that inaccurate or incomplete data are erased or rectified. This right is naturally joint with the “Right of notifying third parties regarding rectification, erasure or restriction”. Full effect of the right of data subjects could only be possible by establishing the awareness of all processing parties, that the data subject has exercised those rights. The controllers must notify any third parties with whom they have shared the relevant data. The data subject is also entitled to request to know the identities of those third parties.
Example: A bank client asks for and is granted with the access to his personal data, only to find out it is incorrect. The bank must carry out his demand by rectifying inaccurate data and also notify every other processor of the data on behalf of the bank. The bank must inform the client of executed rectification itself as well as third party processors identities.
Data retention periods
The key idea to ensuring fair processing is that the personal data should not be retained for longer than necessary in relation to the purposes for which they were collected, or are still being processed. Once you no longer need personal data for such purpose, you should delete them unless you have other reasons for retaining them. This means there should be a regular review with methodical cleansing of databases. Identity management software with proper lawful basis managing tool may definitely help to automate those reviews and provide reporting of compliance.
“The Right of data portability” Data subjects have the right to transfer their personal data between controllers. A copy of their personal data must be in a commonly used machine-readable format. For some organizations such right may be a significant burden, requiring an investment in new systems and processes. However, for others this might be the opportunity to attract customers from competitors. Data portability right applies for the processing based on consent or for the performance of a contract, where processed by automated means.
Example: A bank client is interested in a product of another bank. GDPR gives the client an advantage in such situation. The bank has to provide data to the client or transmit it directly where he asks to, if this is technically feasible. The technical feasibility may often be problem, because organisations are not bound to use software compatible with others’. The format of data is up to the banks, but it must be machine-readable.
“Time limits for complying with the rights of data subjects” Controllers are obliged to give effect to the rights of data subjects within specified time periods. Within one month of receiving a request the controller must provide any requested information in relation to any of the rights of data subjects. If the controller fails to meet this deadline, the data subject may complain to the relevant DPA and seek a judicial remedy.
The discussed rights present massive challenges for controllers, especially in bigger organizations. It is hard to imagine achieving the compliance by resolving all issues and requirements manually. But think about possibilities with proper identity management deployment in use!