GDPR Receipt Type Profile: Privacy Rights vs Receipt Type (Legal Justification)

Matrix columns (data subject rights): Subject access | Rectification | Erasure (1) | Restriction | Portability (3) | Objection (4) | Automated decisions

Matrix rows (legal basis / receipt type):

  Notice
  Consent (Art. 6(1)(a) GDPR)
  Contract (Art. 6(1)(b) GDPR) (5)
  Legal obligation (Art. 6(1)(c) GDPR)
  Vital interests (Art. 6(1)(d) GDPR)
  Public interest / public functions (Art. 6(1)(e) GDPR)
  Legitimate interests (Art. 6(1)(f) GDPR)

Bracketed numbers refer to the notes under "Right Limitations / Obligations" below.

For each right, the entries that follow give its Exceptions/Limitations and then its Obligations/Considerations.

Subject Access (Art 15 GDPR)

Exceptions/Limitations: If the DC processes a large quantity of PD, it may ask the DS to specify which PD or processing activities the request relates to (R63). Exceptions under Member State law may also apply.

Obligations/Considerations: The DC cannot charge for the first copy. Best practice is for the DC to give the DS remote access to a secure system where they can view their PD (R63). Restrictions could be imposed in the public interest (R73).

Rectification (Art 16 GDPR)

Exceptions/Limitations: Applies where PD is inaccurate or incomplete.

Obligations/Considerations: Restrictions could be imposed in the public interest (R73).

Erasure (1) (2) (Art 17 GDPR)

Exceptions/Limitations: The right does not apply where processing is necessary for: exercising the right of freedom of expression and information; compliance with a legal obligation under EU or Member State law; reasons of public interest in the area of public health; archiving purposes in the public interest, scientific or historical research purposes, or statistical purposes; or the establishment, exercise or defence of legal claims.

Obligations/Considerations: The right also applies where the PD is no longer necessary for the purpose for which it was collected, or where the processing is unlawful. Where the DC has made the PD public, it must take reasonable steps, including technical measures, to inform other controllers processing the PD of the erasure request. The right is "particularly relevant" where consent was given as a child not fully aware of the processing risks (R65). Restrictions could be imposed in the public interest (R73).

Restriction of Processing (Art 18 GDPR)

Exceptions/Limitations: Only applies where: the accuracy of the PD is contested; the processing is unlawful but the DS prefers restriction to erasure; the DC no longer needs the PD for the purpose of processing but the DS wants it kept for the establishment, exercise or defence of legal claims; or the DS has objected under Art 21(1) and verification of whether the DC's legitimate grounds override those of the DS is pending.

Obligations/Considerations: Where processing is restricted, the PD may still be stored without DS consent. It may otherwise be processed only: with the DS's consent; for the establishment, exercise or defence of legal claims; to protect the rights of another natural or legal person; or for reasons of important public interest of the EU or a Member State. Restriction can be implemented by: temporarily moving the PD to another processing system; making the PD unavailable to users; or temporarily removing published PD from a website (R67).

Portability (3) (Art 20 GDPR)

Exceptions/Limitations: The right should not adversely affect the rights and freedoms of others, and cannot be exercised against a DC processing PD in the exercise of public duties (Art 20(3)-(4)).

Obligations/Considerations: No duty on DCs to adopt or maintain technically compatible systems (R68). Without prejudice to the right of erasure (R68). Restrictions could be imposed in the public interest (R73).

Objection (4) (Art 21 GDPR)

Exceptions/Limitations: The DC may continue processing if it demonstrates compelling legitimate grounds that override the interests, rights and freedoms of the DS, or grounds for the establishment, exercise or defence of legal claims. Where PD is processed for scientific or historical research or statistical purposes, the DS may not object if the processing is necessary for a task carried out for reasons of public interest (Art 21(6)).

Obligations/Considerations: The DS also has a right to object at any time to processing of PD for direct marketing, including related profiling. Both rights must be explicitly brought to the DS's attention at the latest at the first communication and presented clearly and separately from any other information (R70). Restrictions could be imposed in the public interest (R73).

Automated decision-making, including profiling (Art 22 GDPR)

Exceptions/Limitations: Only applies to decisions based solely on automated processing, including profiling, that produce legal effects concerning the DS or similarly significantly affect them. Such decisions are permitted where necessary for a contract with the DS, authorised by EU or Member State law, or based on the DS's explicit consent (Art 22(2)).

Obligations/Considerations: Processing should be subject to suitable safeguards (R71). The DC should implement measures to ensure inaccurate PD is corrected (R71). Profiling based on special categories of PD is allowed only in specific circumstances (R71, Art 22(4)).

Right Limitations / Obligations

  1. The right to erasure applies under all legal bases where the PD is no longer necessary in relation to the purpose for which it was processed, or where the processing was unlawful.

  2. Under these legal bases, erasure requires that the right to object (Art 21(1)) has first been exercised and that there are no overriding legitimate grounds for the processing.

  3. Portability applies only where the processing is carried out by automated means (and is based on consent or contract).

  4. The right to object to direct marketing applies under all legal bases.

Legal Justification Limitations / Obligations

A. Contract (contractual necessity) - This basis applies only where the processing is necessary for the contract; it does not apply if the controller can reasonably achieve the same purpose without the processing. Controllers must document their decision to rely on this lawful basis and be able to justify their reasoning.

B.

References

GDPR data privacy rights references

Chapter 3 of the GDPR lays out the data privacy rights and principles that all “natural persons” are guaranteed under EU law. As an organization, you are obligated to facilitate these rights. Failure to do so can result in penalties (see “GDPR fines”). Here’s a very basic summary of each of the articles under Chapter 3.

Article 12 — Transparency and communication
You have to explain how you process data in “a concise, transparent, intelligible and easily accessible form, using clear and plain language” (see “privacy notice”). You must also make it easy for people to make requests to you (e.g., a right to erasure request, etc.) and respond to those requests quickly and adequately.

Articles 13 & 14 — When collecting personal data
At the moment you collect personal data from a user, you need to communicate specific information to them. If you don’t collect the information directly from the user, you are still required to provide them with similar information. These articles list the exact information you have to provide.

Article 15 — Right of access

Data subjects have the right to know certain information about the processing activities of a data controller. This information includes the source of their personal data, the purpose of processing, and the length of time the data will be held, among other items. Most importantly, they have a right to be provided with the personal data of theirs that you’re processing.

Article 16 — Right to rectification

People have the right to have inaccurate personal data about them corrected and incomplete personal data completed, including by means of a supplementary statement, without undue delay.

Article 17 — Right to erasure

Also known as the “right to be forgotten,” data subjects have the right to request that you erase their personal data without undue delay on the grounds listed in Article 17(1), for example where the data are no longer necessary for the purpose they were collected for or where they withdraw the consent the processing relied on. There are five exemptions to this right, including where processing is necessary to exercise the right of freedom of expression and information. You must make it simple for data subjects to file erasure requests.

Article 18 — Right to restrict processing

Short of asking you to erase their data, data subjects can require you to restrict how you process it (for example by temporarily removing it from your website) where they contest the accuracy of the data, the processing is unlawful but they prefer restriction to erasure, you no longer need the data but they need it for legal claims, or they have objected under Article 21 and verification of your grounds is pending. Also important to note: if you rectify, erase or restrict data under Articles 16, 17 or 18, Article 19 requires you to notify each recipient to whom the data were disclosed, unless this proves impossible or involves disproportionate effort, and to tell the data subject who those recipients are if they ask.

Article 20 — Data portability

Remember that data privacy is the measure of control that people have over who can access their personal information. In line with this principle, the GDPR contains a novel requirement known as data portability. Where processing is based on consent or contract and carried out by automated means, you must be able to provide data subjects with their personal data in a structured, commonly used and machine-readable format. Moreover, if someone asks you to transmit their data directly to a designated third party, you have to do so where technically feasible, even if it is one of your competitors.

Article 21 — Right to object