What is the right to object?

The right to object gives the individual the ability to object to the processing of personal data:

  • Where the legal basis to process is legitimate interest or performance of a task carried out in the public interest or in the exercise of official authority vested in the controller, including profiling based on these provisions.  In these situations, the personal data can no longer be processed unless compelling legitimate grounds for the processing which override the interests, rights and freedoms of the individual are demonstrated or in order to establish, exercise or defend legal claims.
  • If personal data concerning him or her are processed for direct marketing purposes, including profiling to the extent that it relates to direct marketing.  If the individual objects to processing for direct marketing purposes, the personal data can no longer be processed for direct marketing purposes.

The right to object for the above two reasons must be brought explicitly to the attention of the individual at the latest of the first communication with the individual.  It must be presented clearly and separately from any other information.  If the communication with the individual is over the internet, then the individual must be able to exercise his or her right to object over the internet.

The right to object also gives the individual the ability to object to the processing of personal data concerning him or her for scientific or historical research purposes or statistical purposes, unless the processing is necessary for the performance of a task carried out for reason of public interest.

This blog is the tenth in a series of blogs that describes and explains the eight individual rights set forth in the GDPR.  If you don’t want to wait until the next blog to learn more about the GDPR and the individual rights in the GDPR, take a look at GDPRsimple, http://www.keepgdprsimple.com, an automated web and mobile tool, that can help SMEs implement the GDPR and demonstrate their implementation.

Next blog:  What is the right not to be subject to automated decision-making?

What is the right to data portability?

The right to data portability gives the individual the ability to:

where:

The individual has the right to have the personal data transmitted directly from one controller to another where technically feasible.

The right to data portability is not in lieu of the right to erasure

Exceptions to the right of data portability are processing:

  • necessary for the performance of a task carried out in the public interest, or
  • in the exercise of official authority vested in the controller
  • that adversely affects the rights and freedoms of others.

This blog is the ninth in a series of blogs that describes and explains the eight individual rights set forth in the GDPR.  If you don’t want to wait until the next blog to learn more about the GDPR and the individual rights in the GDPR, take a look at GDPRsimple, http://www.keepgdprsimple.com, an automated web and mobile tool, that can help SMEs implement the GDPR and demonstrate their implementation.

Next blog:  What is the right to object?

What is the right to restrict processing?

The right to restrict processing gives the individual the ability to have processing of personal data restricted where one of the following applies:

  • The accuracy of the personal data is contested by the individual, but the restriction only applies until the accuracy of the personal data is verified
  • The processing is unlawful, but instead of erasure of the personal data the individual wants restriction of the personal data’s use
  • The personal data are no longer needed for the purposes of the processing, but the individual needs the personal data to establish, exercise or defend a legal claim
  • The individual has objected, and the restriction applies until the controller demonstrates compelling legitimate grounds for the processing which override the interests, rights and freedoms of the individual or to establish, exercise or defend legal claims.

Where processing has been so restricted, such personal data can be stored, but otherwise it can only be processed with the individual’s consent and in order to establish, exercise or defend legal claims or to protect the rights of another individual or for reasons of important public interest.

The restriction of processing cannot be lifted before the individual who has obtained the restriction of processing has been informed.

Any restriction of processing must be disclosed to each recipient to whom the personal data have been disclosed, unless it is impossible or involves disproportionate effort.  The individual must be informed about those recipients if he or she so requests.

This blog is the eighth in a series of blogs that describes and explains the eight individual rights set forth in the GDPR.  If you don’t want to wait until the next blog to learn more about the GDPR and the individual rights in the GDPR, take a look at GDPRsimple, http://www.keepgdprsimple.com, an automated web and mobile tool, that can help SMEs implement the GDPR and demonstrate their implementation.

Next blog:  What is the right to data potability?

Read the fine print on Zoom’s end-to-end encryption

Yesterday Zoom announced it will offer end-to-end encryption to all users.  Encryption has been an ongoing issue for Zoom because, as I mentioned in earlier blog, Zoom video and computer audio meetings aren’t end-to-end encrypted as advertised and, as I mentioned in a subsequent blog, Zoom planned to roll out end-to-end encryption only for video calls of paying clients and institutions such as schools.  The significance is that with end-to-end encryption, Zoom meetings can’t be accessed by Zoom employees for trust and safety reasons.  To address the creation of abusive accounts, Zoom’s current solution is that users with free or basic accounts who want access to Zoom’s end-to-end encryption will have to provide information (such as a phone number via a text message) to verify their accounts.  Furthermore, once available, end-to-end encryption will be an optional feature because it limits some meeting functionality (such as traditional PSTB phone lines or SIP/H 323 conference room systems).  So end-to-end encryption is not going to be used in all situations.  This result is significant because Zoom’s research and development team is located in China.

Late last April, the Department of Homeland Security reported that the Zoom application appears to be developed by 700 workers in China and that keys for encrypting and decrypting meetings are transmitted to servers in Beijing.  DHS recommended that any organization currently using – or considering using – Zoom evaluate the risk of its use.  Zoom told ABC news that it disagreed with the DHS analysis and said that DHS is heavily misinformed and that the report includes inaccuracies about Zoom’s operations.  However, a recent Axios article reports that Zoom has about 700 engineers in China and several China-based subsidiaries and that having its research and development team in China helps Zoom cuts costs and, therefore, is a major driver of profit.

Earlier this month, according to the New York Times, at the request of the Chinese government, Zoom terminated meetings that were going to be hosted on Zoom to commemorate the Tiananmen Square crackdown and the accounts hosting the meetings.  Zoom said these actions were necessary to comply with Chinese law.  The Chinese government had informed Zoom about four separate Zoom gatherings:  Zoom allowed the meeting of a U.S. company to proceed after determining it had no participants from mainland China and then briefly shut the account down, and Zoom ended the other three meetings and suspended the host accounts of two companies in the U.S. and one in Hong Kong.  All four accounts subsequently were reactivated.  To avoid shutting down accounts in the future and impacting anyone outside China, Zoom has said it will develop technology to block individual participants.

As the New York Times observed, Zoom’s dependence on China could make it increasingly vulnerable to the Communist Party’s censorship apparatus.  Foreign companies allowed to operate in China must abide by strict rules that dictate what can be said, and they must provide data to an internet police force.  After Zoom’s announcement yesterday, if a user of the free product doesn’t want to provide information to verify its account or if a user of the paid product wants to include phone lines or hardware conference room systems, then end-to-end encryption won’t be able to be used, and Zoom meetings still will be able to be accessed by Zoom employees. What if one of the research or development employees in China, for trust and safety reasons, joined your meeting to tackle abuse in real time?  Would they have to report what they heard to the Chinese “internet police force”?   Zoom’s offer of end-to-end encryption to free users is a good beginning, but it is just a beginning.  As DHS said in its report, any organization currently using – or considering using – Zoom should evaluate the risk of its use.       

The right of erasure – What does it mean to get “erased”?

The right to erasure, also known as the “right to be forgotten,” gives the individual the ability to have personal data erased when one of the following grounds applies:

  • The personal data are no longer necessary for the purposes for which they were collected and processed
  • The legal ground for the processing is consent and the individual has withdrawn his or her consent and there is no other legal ground for processing
  • The individual objects to the processing and there are no overriding legitimate grounds for the processing
  • The personal data have been unlawfully processed
  • A legal obligation requires erasure of the personal data
  • A child’s personal data were collected over the internet

A controller, who must erase personal data and who has made that personal data public, must take reasonable steps to inform controllers who are processing that personal data that the individual has requested erasure by them of any links to, or copy or reproduction of, that personal data. 

The obligation to erase and the obligation to inform other controllers does not apply where processing is necessary:

  • For exercising the right of freedom of expression and information
  • To comply with a legal obligation which requires processing or to perform a task carried out in the public interest or in the exercise of official authority
  • For reasons of public interest in the area of public health
  • For archiving purposes in the public interest, scientific or historical research purposes or statistical purposes
  • To establish, exercise or defend legal claims

Any erasure must be disclosed to each recipient to whom the personal data have been disclosed, unless it is impossible or involves disproportionate effort.  The individual must be informed about those recipients if he or she so requests. 

This blog is the eighth in a series of blogs that describes and explains the eight individual rights set forth in the GDPR.  If you don’t want to wait until the next blog to learn more about the GDPR and the individual rights in the GDPR, take a look at GDPRsimple, http://www.keepgdprsimple.com, an automated web and mobile tool, that can help SMEs implement the GDPR and demonstrate their implementation.

Next blog:  What is the right to restrict processing?

Hold Up Hungary, Individual Rights cannot be Suspended

In an earlier blog, I wrote that the UK and Irish regulators are being more lenient about the amount of time it may take for organizations to respond to individual rights requests.  On May 4, 2020, the Hungarian government issued a governmental decree suspending the rights of individuals under Articles 15 through 22 of the General Data Protection Regulation (GDPR) – the rights of access and the rights to rectification, erasure, restriction of processing, data portability, object, and be subject to automated individual decision-making, including profiling.  The suspension was until the end of the state of emergency that was declared due to the coronavirus pandemic.

Last week, on June 2, 2020, the European Data Protection Board (EDPB) issued a statement criticizing the action of the Hungarian government.  It stated in part:

  • Legislative measures which seek to restrict the scope of individual rights must be foreseeable to the persons subject to them, including with regard to their duration in time, and because the restrictions were imposed for a duration not precisely limited in time, they did not meet the foreseeability criterion.
  • Restrictions must be a necessary and proportionate measure to safeguard an important objective of general public interest such as public health.  Individual rights can be restricted but not denied, and in the EDPB’s view, restrictions suspending or postponing the application of individual rights, without any clear time limitation, equates to a de facto suspension of those rights and amounts to a complete obstacle against the exercise of the rights themselves.

The EDPB’s statement in response to the Hungarian government’s action is a reminder that, during the pandemic, even though a state of emergency exists, the individual rights set forth in the GDPR are still in effect.  Organizations, as needed, may take addition time to respond to requests from individuals, but they still must respond to those requests.  GDPRsimple, www.keepgdprsimple.com, an automated web and mobile tool, can help businesses respond to individual rights requests under the GDPR and keep track of the requests and their responses to them. 

What is the right to rectification?

The right to rectification gives the individual the ability to have inaccurate personal data concerning him or her corrected.  Personal data is inaccurate if it is incorrect or misleading as to any matter of fact.  This right also gives the individual the ability to have incomplete personal data completed, including by providing a supplementary statement.

Any rectification must be disclosed to each recipient to whom the personal data have been disclosed, unless it is impossible or involves disproportionate effort.  The individual must be informed about those recipients if he or she so requests.      

Under the right to restrict processing, an individual has the right to request restriction of the processing of his or her personal data where its accuracy is being contested and you are checking it.  As a matter of good practice, processing of the personal data in question should be restricted while the accuracy of the personal data is being verified, whether or not the individual has exercised his or her right to restrict processing. The right to restrict processing will be the subject of a future blog.

If you are satisfied that the personal data is accurate or is complete, you should let the individual know and tell the individual that you will not be correcting or completing the personal data. You should explain your decision and inform the individual of his or her right to make a complaint to the appropriate supervisory authority and of the ability to seek to enforce his or her rights through a judicial remedy.

This blog is the seventh in a series of blogs that describes and explains the eight individual rights set forth in the GDPR.  If you don’t want to wait until the next blog to learn more about the GDPR and the individual rights in the GDPR, take a look at GDPRsimple, http://www.keepgdprsimple.com, an automated web and mobile tool, that can help SMEs implement the GDPR and demonstrate their implementation.

Next blog:  What is the right to erasure?

Zoom 5.0 – is it everything that they say? We don’t know yet…

In an earlier blog, I wrote that Zoom video and computer audio meetings aren’t end-to-end encrypted.  With end-to-end encryption, Zoom meetings can’t be accessed by Zoom employees, and therefore, Zoom meetings are transport encrypted.

Late last week, Reuters Technology News reported that Zoom plans to roll out end-to end encryption of video calls hosted by paying clients and institutions such as schools but not by users of its free consumer accounts.  The reason for not providing end-to-end encryption for every meeting is that Zoom’s trust and safety team can’t add itself as a participant in gatherings to tackle abuse in real time.

There is another problem with end-to-end encryption.   No one but the participants and their devices can see and hear what is happening.  Thus, people who call in from a telephone line can’t join the meeting.

As the Technology New article points out, from a business perspective, it is hard to offer an expensive encryption service for free.  Zoom says its encryption plan is “subject to change” and is “a work is progress.”

If you use the free Zoom product, just remember that Zoom employees or others could join your meeting without registering.  If you don’t care who hears what is said, that may be OK.  If you want your conversation to be confidential, pay for Zoom or consider using other more privacy protective alternatives.  A recent Vedder Price Blog catalogued these alternatives:

  • A plain old conference call
  • If all participants have Apple devices, FaceTime
  • Skype (which is no longer supported by Microsoft)
  • Microsoft Teams (for which there used to be a monthly charge but right now is free) integrates with Office 365
  • If you make use of G Suite products, Google Hangouts integrates with them.

What is the right of access?

The right of access gives the individual the ability to learn whether his or her personal data are being processed.  If an individual’s personal data are being processed, the individual has the ability to obtain the following information:

  • The purposes of the processing;
  • The categories of personal data being processed;
  • The recipients or categories of recipients to whom the personal data have been or will be disclosed;
  • How long the personal data will be stored (or the criteria by which that time period is determined);
  • Where the personal data are not collected from the individual, the source of the personal data
  • The nature of any automated decision-making, including profiling, applied to the personal data
  • Where personal data are transferred to a third country or to an international organization, the appropriate safeguards applicable to the transfer.

In addition, the individual has the ability to take remedial actions:

  • Request rectification or correction of his or her personal data
  • Request erasure of his or her personal data
  • Request restriction of processing of his or her personal data or object to such processing
  • Lodge a complaint with a supervisory authority

As mentioned above, the individual is to be provided a copy of the personal data being processed unless it adversely affects the rights and freedoms of others.  A reasonable fee based on administrative costs may be charged if any additional copies are requested by the individual.  Where the request is made by electronic means, the response should be provided in a commonly used electronic form unless the individual requests otherwise.

This blog is the sixth in a series of blogs that describes and explains the eight individual rights set forth in the GDPR.  If you don’t want to wait until the next blog to learn more about the GDPR and the individual rights in the GDPR, take a look at GDPRsimple, http://www.keepgdprsimple.com, an automated web and mobile tool, that can help SMEs implement the GDPR and demonstrate their implementation.

Next blog:  What is the right to rectification?

The right of information – What information should be in a “website” privacy notice?

As was discussed in an earlier blog, a “website” privacy notice is an amalgam of “individual” and “third-party” privacy notices, and it is posted by an organization on its website so interested individuals can ascertain what an organization’s privacy practices are and  so visitors to the website can determine what personal data are collected when individuals visit the website.   The notice sets forth the purposes for which the organization processes personal data.  If the purposes for the processing expand or change, then a revised privacy notice needs to be posted on the website.

In addition to the purposes of the processing, the “website” privacy notice should contain:

  • The name and contact details of your organization
  • The lawful basis for the processing, and if consent is the lawful basis, the right to withdraw consent
  • If legitimate interest is the lawful basis for the processing, the legitimate interests for the processing
  • The categories of the personal data obtained
  • If the personal data are shared with others, and the identity of the recipients or the categories of recipients of the personal data
  • If personal data are transferred to third countries or international organizations, the identity of those countries or organizations and what safeguards are used when personal data are transferred outside the EU
  • The retention periods for the personal data
  • The rights available to individuals, i.e. the rights of access and to rectification, erasure, restriction, portability, object and lodge a lodge a complaint with a supervisory authority
  • The source of the personal data
  • If individuals are under a statutory or contractual obligation to provide the personal data and the consequences for failure to do so
  • If automated decision-making, including profiling, is involved in the processing, what type it is and what the effect of such processing could be

This blog is the fifth in a series of blogs that describes and explains the eight individual rights set forth in the GDPR.  If you don’t want to wait until the next blog to learn more about the GDPR and the individual rights in the GDPR, take a look at GDPRsimple, http://www.keepgdprsimple.com, an automated web and mobile tool, that can help SMEs implement the GDPR and demonstrate their implementation.

Next blog:  What is the right of access?