This tool lists the Data-Dubject rights under the General Data Protection Regulation (GDPR).
It has 2 main objectives:
1. To make a contribution to the knowledge of GDPR Data-subject rights using an original methodology.
2. To provide GDPR controllers and processors with a general overview of data-subject rights. This includes: their meaning; who can exercice them; how to handle them; a legal framework; relevant caselaw and restrictions on rights.
It has 2 main objectives:
1. To make a contribution to the knowledge of GDPR Data-subject rights using an original methodology.
2. To provide GDPR controllers and processors with a general overview of data-subject rights. This includes: their meaning; who can exercice them; how to handle them; a legal framework; relevant caselaw and restrictions on rights.
References
| Data-Subject Rights under GDPR | |||||||||||||||||
| Created by: Rosario Murga Ruiz, LLM in IP and ICT Law | Version: January 2018 | ||||||||||||||||
| Feel free to follow: linkedin.com/in/rosariomurgaruiz | |||||||||||||||||
| Meaning | Who can make request? | How to handle? | Legal Framework | Caselaw | Restrictions | ||||||||||||
| Obligations | Data-Subject request | GDPR Articles | GDPR Recitals | WP29 | CJEU | ECtHR | |||||||||||
| Action required | Action not required | ||||||||||||||||
| Circumstances | Modalities | Deadline | Circumstances | Modalities | Deadline | ||||||||||||
| Data-Subject Right | Information | The right to obtain information regarding processing of data | N/A | ∙ Art. 13: When
personal data are collected from the data subject.
∙ Art. 14. When personal data have not been obtained from the data subject ∙ Arts. 12.1, 12.5, 12.7 GDPR |
N/A | Arts. 12, 13, 14 | 58, 59, 60, 61, 62 | WP29 Guidelines on Transparency | Smaranda Bara et al. v. Presedintele Casei Nationale de Asigurari de Sanatete (CNAS) et al. |
López Ribalda v. Spain | ∙ Arts. 23, 6.2, 6.3 GDPR ∙ Chapter IX GDPR ∙ Comply with: Charter of fundamental rights of the European Union & European Convention for the Protection of Human Rights (Recital 73 GDPR). |
||||||
| Access | The right to
obtain from the controller:
∙ confirmation as to whether or not personal data are being processed, and, ∙ if so, access to the personal data and information provided in art. 15.1 GDPR. |
∙ Individual
∙ Legal/voluntary representative |
∙ Arts 15.1; 15.2 GDPR | Whenever data subject exercices right unless art. 12.5 GDPR. | ∙
Must provide a copy free of charge. Fee can be required if extra copies
requested.
∙ If request made by electronic means: information provided in commonly used electronic form (unless otherwise requested by data subject). ∙ Remote access allowed (Recital 63 GDPR) ∙ Art. 12.6 GDPR |
Art. 12.1, 12.2, 12.3, 12.5 GDPR | ∙ Answer within 1 month of receipt of request.
∙ May be extended further 2 months, taking into account the complexity and number of requests BUT Controller shall inform data subject about extension within 1 month of receipt of request. (Art. 12.3 GDPR) |
Requests are manifestly unfounded or excessive (Art. 12.5 GDPR) | If no
action, Controller must inform: 1) Reasons for not taking action and 2) Data subject can complain with supervisory authority & seek judicial remedy (Art. 12.4 GDPR) |
Within 1 month of receipt of request (Art. 12.4 GDPR) | Art. 15 | 63 | WP29 Guidelines on Transparency | College van burgemeester en wethouders van Rotterdam v. M. E. E. Rijkeboer. | Gaskin v. UK; Leander v. Sweden | ||
| Rectification | The right to obtain from the controller the rectification of inaccurate or incomplete personal data. | ∙ Notification obligation (Art. 19 GDPR) | When data is inaccurate or incomplete | ∙
Art. 16 GDPR
∙ Art. 12.6 GDPR |
Requests are manifestly unfounded or excessive (Art. 12.5 GDPR) | Arts. 16, 19 | 65 | N/A | N/A | Cemalettin Canli v. Turkey; Ciubotaru v. Moldova. | |||||||
| Erasure ("right to be forgotten") | The right to obtain from the controller the erasure of personal data concerning him/her. | ∙ Notification obligation (Art. 19 GDPR) | Circumstances Art. 17.1 GDPR | ∙
Art. 17.2 GDPR
∙ Art. 12.6 GDPR |
∙
Art. 17.3 GDPR
∙ Requests are manifestly unfounded or excessive (Art. 12.5 GDPR) |
Art. 17 | 65, 66 | N/A | Google Spain SL, Google Inc. V. Agencia Española de Protección de Datos, Mario Costeja González | Rotaru v. Romania; M. K. v. France | |||||||
| Restriction of processing | To right to obtain the marking of stored personal data with the aim of limiting their processing in the future. | ∙ Notification obligation (Art. 19 GDPR) | Circumstances Art. 18.1 GDPR | ∙ Marking of stored personal data with the
aim of limiting their processing.
∙ If restriction: Art. 18.2 & 18.3 GDPR ∙ Art. 12.6 GDPR |
Requests are manifestly unfounded or excessive (Art. 12.5 GDPR) | Arts. 4.3, 18 | 18 | N/A | N/A | N/A | |||||||
| Data portability | The right to receive personal data (provided by data subject to a controller), and the right to transmit those data to another controller. | ∙ Exercise of
right without prejudice to right to be forgotten (Art. 20.3 GDPR) & must not affect rights/freedoms of others (Art. 20.4 GDPR) |
∙
If Art. 20.1 GDPR
∙ When processing is based on consent (WP29 Guidelines on consent) |
∙
Data transmission in a structured, commonly used & machine-readable
format (Art. 20.1 GDPR).
∙ Data transmitted directly from one controller to another, where technically feasible. (Art. 20.2 GDPR) ∙ Art. 12.6 GDPR |
∙
Requests are manifestly unfounded or excessive (Art. 12.5 GDPR) ∙ Art. 20.3.2º GDPR |
Art. 20 | 68 | Guidelines on the right to "data portability" | N/A | N/A | |||||||
| Objection | The right to object to processing of personal data concerning data subject, on grounds relating to his/her particular situation. Includes profiling. | ∙ Inform data subjects (Art. 21.4 GDPR)
∙ Information society services (Art. 21.5 GDPR) |
If Art.21.1, 21.2 GDPR | ∙
Stop processing of personal data unless compelling legitimate grounds or
processing required for legal claims (Art. 21.1, 2º GDPR).
∙ If Direct marketing purposes: stop processing (Art. 21.3 GDPR) ∙ Art. 12.6 GDPR |
∙
If processing for scientific/historical research/statistical purposes and
necessary for reasons of public interest (Art. 21.6 GDPR) ∙ Requests are manifestly unfounded or excessive (Art. 12.5 GDPR) |
Arts. 6.1.e; 6.1.f; 21 | 69; 70 | Opinion 2/2010 on online behavioural advertising | N/A | M. S. v. Sweden; Mosley v. UK | |||||||
| Not to be subject to a decision based solely on automated processing | The right not to be subject to a decision evaluating personal aspects, based solely on automated processing. Includes profiling. | ∙ Art. 22.3 GDPR, Recital 71 §2
GDPR.
∙ Further restrictions for sensitive data (Art. 22.4 GDPR) ∙ Should not concern a child (Rec. 71 §1 GDPR) |
Whenever automated decisions produce legal effect or significantly affect data subject. | Same as right to object: stop processing of personal data. | ∙
Art. 22.2 GDPR
∙ Requests are manifestly unfounded or excessive (Art. 12.5 GDPR) |
Art. 22 | 71 | Guidelines on Automated individual decision-making and Profiling | N/A | N/A | |||||||
| To be informed about data breaches | The right to get notified whenever a personal data breach is likely to result in high risk to rights & freedoms | N/A | ∙ Arts. 33.5, 34, 12.1, 12.5
GDPR
∙ Notification: ASAP (WP29 Guidelines on Personal data breach notification) |
N/A | Art. 34 | 86, 87, 88 | Guidelines on Personal data breach notification | N/A | N/A | ||||||||
Няма коментари:
Публикуване на коментар