The new European data protection legislation, the General Data Protection Regulation (GDPR), is intended to simplify and strengthen the rules that companies have to abide by when processing personal data. Data subjects’ (individuals’) rights are clearly set out, and there are more of them than before. Simply put, control over personal data is put back in the hands of the people it belongs to. This does mean more work for companies, and that is non-negotiable: businesses must comply with the regulation or face significant fines. The Regulation applies from 25 May 2018.
At the same time, the rules, while stringent, are clear, so businesses will have an easier time adjusting to them. They are the same across the whole European Union, so data subjects need not worry about where in the EU a company is headquartered or where it operates. Any organisation that offers goods or services to people in the EU, or monitors their behaviour, is bound by the GDPR, even if it is established outside the EU.
When can you collect personal data?
Whenever a data controller (your company) collects or processes personal information, you must inform the individual concerned. This is the right to be informed. If you obtain the data directly from them, you must provide the following information at the point of collection, clearly and in plain language:
- The identity and contact details of the controller and, where one has been appointed, of its data protection officer
- The purpose of the processing and its legal basis
- Who will receive the data and whether it will be transferred outside the EU
- How long the data will be stored
- How and where to complain
- Whether providing the personal data is required to fulfil a contract with the company (when shopping online or registering on a dating website, for example), and what happens if it is not provided
- Whether automated decision-making, including profiling, is carried out on the basis of the personal data, and if so, the logic involved and its likely consequences
If the data was not obtained from the data subject but from a third party, you must inform the data subject within a reasonable period and at the latest within one month, and must also state where you got the data from.
The data subject wants to know how you use their data
… and they have every right to. The right of access lets them obtain a copy of the personal data the data controller holds about them, in electronic form, free of charge, whenever they want. Some limitations apply: if a request is manifestly unfounded or excessive, for example because it is repeated unreasonably often, you may charge a reasonable fee or refuse to act on it, but the burden of showing that it is excessive is on you.
When data subjects submit an information request, you have one month to comply and provide them with the following information:
- Whether you are processing their data
- If you are, why and how (the purposes, the categories of data, the recipients, the retention period and the source of the data)
- A copy of the personal data your company holds about them
You have the right to verify their identity before answering, where there is reasonable doubt about who is asking. The recommended approach is to provide remote access to a secure online service through which they can view their own data, but not all companies can do that, so asking for proof of identity is also acceptable. Ask only for what you need to confirm identity; collecting a copy of a passport to answer a request about a newsletter subscription creates a new set of personal data you then have to protect.
Data subject wants to correct their data
If data subjects find that the information you hold is inaccurate or incomplete, they have the right to contact you and request that it be corrected. Of course, this entails supplying you with the correct information. You have one month to act on their request, extendable by a further two months where the request is complex or you are handling many requests, provided you tell them about the extension within the first month.
Note that users are in no way obligated to do this, especially if they don’t want you to have their data in the first place.
Data subject wants to delete their data
Even though the famed right to be forgotten is not absolute, in most cases data subjects can demand that their data be deleted.
First of all, their personal data should not be kept at all once it is no longer needed for the purpose it was collected for. When a data subject gives you their data, they are giving you permission to use it – but only for the specific purposes you informed them of at the time. Once the data is no longer needed for those purposes, you should delete it.
Note that where consent is the legal basis for processing, data subjects can withdraw that consent at any time. Withdrawal does not make the processing that already took place unlawful, but from that point on you must stop processing and erase the data without undue delay, unless you have another legal ground for keeping it (a legal retention obligation, for instance).
As we said, data subjects cannot always demand that their data be erased. If removal would stifle freedom of expression and information, or if it is in the public interest for the information to remain, such as for public health, archiving or scientific research, then you do not necessarily have to delete it. The data should also be kept if you need it to establish, exercise or defend legal claims, or if you are required by law to retain it.
Data subject wants to restrict and object to the use of their information
Even where data subjects cannot demand erasure, as in the exceptions outlined above, or simply do not want it, they still have the right to object to and restrict the use of their information. Sometimes they do not mind your company keeping their information stored, but they do not want you to use it for further processing. The rights to restrict processing and to object exist exactly for this purpose.
Processing may be restricted when data subjects contest the accuracy of the data (for as long as it takes you to verify it), when the processing is unlawful but they prefer restriction to erasure, when the data is no longer needed for its original purpose but they need it kept for a legal claim, or while an objection they have raised is being assessed. Restricted data may be stored but not otherwise processed without their consent.
The right to object applies to processing carried out on the basis of public interest or the legitimate interests of the company. As these bases are open to interpretation, data subjects can object if they believe such processing is not justified in their particular situation. If they do, the processing must stop unless you can demonstrate compelling legitimate grounds that override their interests, rights and freedoms, or the processing is needed for legal claims. The burden of proof is on your company, not on the data subject.
If personal data is used for direct marketing, including any profiling related to it, data subjects can object at any time and such use must stop immediately, with no exceptions. Your company has no right to contest their objection, and they must be told of this right at the latest at the first communication with them.
Moving their data and automatic decision making
Users might wish to change service providers, for example when switching between services of a similar nature, and they have the right to receive the data they provided to you in a structured, commonly used and machine-readable format, and to have it transmitted directly to another provider where that is technically feasible. You cannot hold their data hostage in order to keep them ‘chained’ to a single service. This right applies to data the user provided themselves and that you process by automated means on the basis of consent or a contract.
Automated decision-making refers to decisions taken about a person purely by computer, including profiling, without a human reviewing the case. The GDPR is concerned with decisions that have legal effects on the individual or similarly significantly affect them – evaluating their work performance or credit-worthiness, for example – rather than with every targeted advert, although profiling for advertising is still subject to the rights described above.
In these cases they have the right not to be subjected to a decision based solely on automated processing, unless the decision is necessary for a contract with them, is authorised by law, or is based on their explicit consent. Even then, you must tell them that such decision-making takes place and explain the logic involved, and they have the right to obtain human intervention, to express their point of view and to challenge the decision.
Rights of data subjects in case of infringement
Companies that do not adhere to the regulation can quickly find themselves in trouble. The most common causes are likely to be storing data for longer than necessary, sharing it with third parties without a legal basis, or refusing to delete it.
Users are first expected to contact the company directly. Larger companies have personnel dedicated to privacy issues, and by law a data protection officer must be appointed by public authorities and by companies whose core activities involve large-scale, regular and systematic monitoring of individuals or large-scale processing of special categories of data (health, biometrics, religion and so on). A sensible company will respect data subjects’ rights, especially when their requests are plainly reasonable.
If the company does not budge, individuals can do more to get their way. They can lodge a complaint against you with their local supervisory authority. Under the GDPR there are 28 authorities – one in each EU member state. Users can simply complain to the authority in their country of residence, and the authorities handle the rest: they forward the complaint to the authority that is actually competent (normally the one where your company has its main establishment) and cooperate with it.
Aside from these complaints, data subjects have the right to take a company to court outright. Cases may be brought in the courts of the country where the individual lives or of the country where your company is established. They may also go to court if they are not satisfied with the decision of the supervisory authority, or if their complaint has gone unanswered for more than three months. Some cases have already been won this way, even under the current, outdated legislation.
Data subject wants compensation
The GDPR gives data subjects the right to demand compensation for material or non-material damage caused by unlawful processing, including data breaches. Data controllers and processors are liable for the damage caused, unless they can prove that they are not in any way responsible for the event that gave rise to it. These cases are brought to court under the same conditions as for rights infringements – in the individual’s country of residence or in the country where the company is established.
Aside from the compensation and remedies you will have to pay if they win in court, you may also be fined by the supervisory authority, and the fines are very steep – up to EUR 20 million or 4 percent of your total worldwide annual turnover, whichever is higher.
In most ways, the GDPR is a step forward for ordinary people, who now have more control over how their data is used. There are more ways of ensuring that companies ‘behave’, and clearer rules allow people to lodge complaints more easily. For companies this will increase the administrative workload, at least in the short term, and it is something you should budget for.