How do I keep all the individual rights straight? Are there any commonalities between all the individual rights?

There are some procedural and some substantive commonalities between the rights to access, rectification, erasure, restriction, portability and object.

Let’s discuss the similarities among all six rights first:

  • The controller must ascertain the identity of the individual making the request.  If the controller does not have the information to determine the identity of the individual making the request, then the controller must inform the individual, and the individual must provide the information.  If the individual does not provide the information, then the controller is not required to process the request. 
  • The controller must provide information on the action taken on a request to the individual within one month of receipt of the request.  That period of time may be extended by two months where necessary if the request is complex or the requests are numerous.  Within one month of receipt of the request, the individual must be informed of any extension and the reasons for the extension. 
  • Where the individual makes the request electronically, the information must be provided electronically, unless the individual requests otherwise.
  • If the controller does not take action on the individual’s request, the controller must notify the individual within one month of receipt of the request of the reasons for not taking action and of the possibility of lodging a complaint with the supervisory authority and of seeking a judicial remedy.
  • All actions in response to these requests must be provided free of charge.  A reasonable fee may be charged where requests from an individual are manifestly unfounded or excessive.

Similarities among the rights to rectification, erasure and restriction are:

  • Where the controller has disclosed personal data to recipients, the controller must communicate any rectification or erasure of personal data or restriction of personal data to these recipients. This communication does not have to take place if it proves impossible or involves disproportionate effort. 
  • If the individual asks whether his or her personal data has been disclosed to such recipients, the controller must inform the individual about these recipients.

Similarities among the rights of access and to portability:

  • The right to obtain a copy of personal data undergoing processing does not apply if it adversely affects the rights and freedoms of others.
  • The right to receive personal data concerning the individual which the individual provided to the controller, in a structured, commonly used and machine-readable format, and the right to transmit those data to another controller do not apply if they adversely affect the rights and freedoms of others.

This blog is the fourteenth in a series of blogs that describes and explains the eight individual rights set forth in the GDPR.  If you don’t want to wait until the next blog to learn more about the GDPR and the individual rights in the GDPR, take a look at GDPRsimple, http://www.keepgdprsimple.com, an automated web and mobile tool, that can help SMEs implement the GDPR and demonstrate their implementation.

Next blog:  Has any guidance been issued on the individual rights?

How does the GDPR change individual rights?

It is easy to assume that because individual rights existed under the Directive, you don’t have to do anything extra to implement the GDPR.  If you are assuming this, you are mistaken.  Furthermore, as discussed in an earlier blog, the timing requirements and the reasons for not complying with an individual request are different and you can no longer charge a fee to respond to an individual request. Additionally, as previously discussed, some new rights have been added and some rights that previously existed have changed.  So, what changed and what stayed the same?

The right to information preserves the basic right that individuals are entitled to a minimum set of information – the identity of the controller, the controller’s reasons for processing personal data and other information necessary to achieve fair and transparent processing of personal data.

The right of access permits individuals to obtain access to their personal data.  This right existed under the Directive, but the mandatory categories of information which must be supplied in connection with an access request have been expanded under the GDPR.

The right to rectification permits individuals to obtain correction of any errors in their personal data. This right is largely unchanged in the GDPR.

The right to erasure permits individuals to obtain deletion of their personal data.  This right is broader under the GDPR.  Under the Directive, the right existed where the controller failed to comply with the Directive.  Under the GDPR, the right exists under certain specified circumstances.

The right to restrict processing permits individuals to restrict the processing of personal data under certain circumstances.  Under the Directive, the individual had the right to request blocking of data which meant that the controller could not use the data.  Under the GDPR, the right to restrict processing means that the data can only be stored by the controller and can only be used for limited purposes.  Thus, under the GDPR, there is a broader range of circumstances in which individuals can restrict “processing” of personal data.

The right to data portability permits individuals to transfer their personal data between controllers.  The Directive did not directly address this right.  Thus, the right to data portability is a new right under the GDPR.

The right to object permits individuals to object to the legitimate interest or public interest legal basis to process.  The Directive permitted processing to continue unless the individual could show the objection was justified.  The GDPR reverses the burden and requires the organization to demonstrate either that it has compelling grounds for continuing to process personal data or that the processing of personal data is necessary in connection with its legal rights.  The right to object to processing for purposes of direct marketing preserves the position under the Directive.  The right to object for scientific, historical or statistical purposes gives individuals more specific rights.

This blog is the thirteenth in a series of blogs that describes and explains the eight individual rights set forth in the GDPR.

Next blog:  How do I keep all these rights straight?  Are there any commonalities between all these rights?

What is the right not to be subject to automated processing?

The right not to be subject to a decision based solely on automated processing, including profiling, gives the individual the ability not to be subject to such a decision which produces legal effects concerning him or her or similarly significantly affects him or her.  This right does not apply if the decision:

  • Is necessary for entering into, or performing, a contract between the individual and a data controller, and suitable measures to safeguard the individual’s rights and freedoms, especially the ability to obtain human intervention in order for an individual to be able to express his or her point of view and to contest decisions, must be implemented;
  • Is authorized and lays down suitable measures to safeguard the individual’s rights and freedoms and legitimate interests; or
  • Is based on the individual’s explicit consent, and suitable measures to safeguard the individual’s rights and freedoms, especially the ability to obtain human intervention in order for an individual to be able to express his or her point of view and to contest decisions, must be implemented.

Such decisions that are authorized must not be based on special categories of personal data – personal data revealing racial or ethnic origin, political opinions, religious or philosophical beliefs, or trade union membership, and genetic data, biometric data for the purpose of uniquely identifying an individual, data concerning health or data concerning  an individual’s sex life or sexual orientation – unless explicit consent has been given or the processing is necessary for reasons of substantial public interest.  Furthermore, suitable measures to safeguard the individual’s rights and freedoms and legitimate interests must be in place.

This blog is the eleventh in a series of blogs that describes and explains the eight individual rights set forth in the GDPR.

Next blog:  How does the GDPR change individual rights?

What is the right to object?

The right to object gives the individual the ability to object to the processing of personal data:

  • Where the legal basis to process is legitimate interest or performance of a task carried out in the public interest or in the exercise of official authority vested in the controller, including profiling based on these provisions.  In these situations, the personal data can no longer be processed unless compelling legitimate grounds for the processing which override the interests, rights and freedoms of the individual are demonstrated or in order to establish, exercise or defend legal claims.
  • If personal data concerning him or her are processed for direct marketing purposes, including profiling to the extent that it relates to direct marketing.  If the individual objects to processing for direct marketing purposes, the personal data can no longer be processed for direct marketing purposes.

The right to object for the above two reasons must be brought explicitly to the attention of the individual at the latest at the time of the first communication with the individual.  It must be presented clearly and separately from any other information.  If the communication with the individual is over the internet, then the individual must be able to exercise his or her right to object over the internet.

The right to object also gives the individual the ability to object to the processing of personal data concerning him or her for scientific or historical research purposes or statistical purposes, unless the processing is necessary for the performance of a task carried out for reasons of public interest.

This blog is the tenth in a series of blogs that describes and explains the eight individual rights set forth in the GDPR.

Next blog:  What is the right not to be subject to automated decision-making?

What is the right to data portability?

The right to data portability gives the individual the ability to:

where:

The individual has the right to have the personal data transmitted directly from one controller to another where technically feasible.

The right to data portability is not in lieu of the right to erasure.

Exceptions to the right of data portability are processing:

  • necessary for the performance of a task carried out in the public interest, or
  • in the exercise of official authority vested in the controller
  • that adversely affects the rights and freedoms of others.

This blog is the ninth in a series of blogs that describes and explains the eight individual rights set forth in the GDPR.

Next blog:  What is the right to object?

What is the right to restrict processing?

The right to restrict processing gives the individual the ability to have processing of personal data restricted where one of the following applies:

  • The accuracy of the personal data is contested by the individual, but the restriction only applies until the accuracy of the personal data is verified
  • The processing is unlawful, but instead of erasure of the personal data the individual wants restriction of the personal data’s use
  • The personal data are no longer needed for the purposes of the processing, but the individual needs the personal data to establish, exercise or defend a legal claim
  • The individual has objected, and the restriction applies until the controller demonstrates compelling legitimate grounds for the processing which override the interests, rights and freedoms of the individual or to establish, exercise or defend legal claims.

Where processing has been so restricted, such personal data can be stored, but otherwise it can only be processed with the individual’s consent and in order to establish, exercise or defend legal claims or to protect the rights of another individual or for reasons of important public interest.

The restriction of processing cannot be lifted before the individual who has obtained the restriction of processing has been informed.

Any restriction of processing must be disclosed to each recipient to whom the personal data have been disclosed, unless it is impossible or involves disproportionate effort.  The individual must be informed about those recipients if he or she so requests.

This blog is the eighth in a series of blogs that describes and explains the eight individual rights set forth in the GDPR.

Next blog:  What is the right to data portability?

Read the fine print on Zoom’s end-to-end encryption

Yesterday Zoom announced it will offer end-to-end encryption to all users.  Encryption has been an ongoing issue for Zoom because, as I mentioned in an earlier blog, Zoom video and computer audio meetings aren’t end-to-end encrypted as advertised and, as I mentioned in a subsequent blog, Zoom planned to roll out end-to-end encryption only for video calls of paying clients and institutions such as schools.  The significance is that with end-to-end encryption, Zoom meetings can’t be accessed by Zoom employees for trust and safety reasons.  To address the creation of abusive accounts, Zoom’s current solution is that users with free or basic accounts who want access to Zoom’s end-to-end encryption will have to provide information (such as a phone number via a text message) to verify their accounts.  Furthermore, once available, end-to-end encryption will be an optional feature because it limits some meeting functionality (such as traditional PSTN phone lines or SIP/H.323 conference room systems).  So end-to-end encryption is not going to be used in all situations.  This result is significant because Zoom’s research and development team is located in China.

Late last April, the Department of Homeland Security reported that the Zoom application appears to be developed by 700 workers in China and that keys for encrypting and decrypting meetings are transmitted to servers in Beijing.  DHS recommended that any organization currently using – or considering using – Zoom evaluate the risk of its use.  Zoom told ABC News that it disagreed with the DHS analysis and said that DHS is heavily misinformed and that the report includes inaccuracies about Zoom’s operations.  However, a recent Axios article reports that Zoom has about 700 engineers in China and several China-based subsidiaries and that having its research and development team in China helps Zoom cut costs and, therefore, is a major driver of profit.

Earlier this month, according to the New York Times, at the request of the Chinese government, Zoom terminated meetings that were going to be hosted on Zoom to commemorate the Tiananmen Square crackdown and the accounts hosting the meetings.  Zoom said these actions were necessary to comply with Chinese law.  The Chinese government had informed Zoom about four separate Zoom gatherings:  Zoom allowed the meeting of a U.S. company to proceed after determining it had no participants from mainland China and then briefly shut the account down, and Zoom ended the other three meetings and suspended the host accounts of two companies in the U.S. and one in Hong Kong.  All four accounts subsequently were reactivated.  To avoid shutting down accounts in the future and impacting anyone outside China, Zoom has said it will develop technology to block individual participants.

As the New York Times observed, Zoom’s dependence on China could make it increasingly vulnerable to the Communist Party’s censorship apparatus.  Foreign companies allowed to operate in China must abide by strict rules that dictate what can be said, and they must provide data to an internet police force.  After Zoom’s announcement yesterday, if a user of the free product doesn’t want to provide information to verify its account or if a user of the paid product wants to include phone lines or hardware conference room systems, then end-to-end encryption won’t be able to be used, and Zoom meetings still will be able to be accessed by Zoom employees. What if one of the research or development employees in China, for trust and safety reasons, joined your meeting to tackle abuse in real time?  Would they have to report what they heard to the Chinese “internet police force”?   Zoom’s offer of end-to-end encryption to free users is a good beginning, but it is just a beginning.  As DHS said in its report, any organization currently using – or considering using – Zoom should evaluate the risk of its use.       

The right of erasure – What does it mean to get “erased”?

The right to erasure, also known as the “right to be forgotten,” gives the individual the ability to have personal data erased when one of the following grounds applies:

  • The personal data are no longer necessary for the purposes for which they were collected and processed
  • The legal ground for the processing is consent and the individual has withdrawn his or her consent and there is no other legal ground for processing
  • The individual objects to the processing and there are no overriding legitimate grounds for the processing
  • The personal data have been unlawfully processed
  • A legal obligation requires erasure of the personal data
  • A child’s personal data were collected over the internet

A controller, who must erase personal data and who has made that personal data public, must take reasonable steps to inform controllers who are processing that personal data that the individual has requested erasure by them of any links to, or copy or reproduction of, that personal data. 

The obligation to erase and the obligation to inform other controllers do not apply where processing is necessary:

  • For exercising the right of freedom of expression and information
  • To comply with a legal obligation which requires processing or to perform a task carried out in the public interest or in the exercise of official authority
  • For reasons of public interest in the area of public health
  • For archiving purposes in the public interest, scientific or historical research purposes or statistical purposes
  • To establish, exercise or defend legal claims

Any erasure must be disclosed to each recipient to whom the personal data have been disclosed, unless it is impossible or involves disproportionate effort.  The individual must be informed about those recipients if he or she so requests. 

This blog is the eighth in a series of blogs that describes and explains the eight individual rights set forth in the GDPR.

Next blog:  What is the right to restrict processing?

Hold Up Hungary, Individual Rights cannot be Suspended

In an earlier blog, I wrote that the UK and Irish regulators are being more lenient about the amount of time it may take for organizations to respond to individual rights requests.  On May 4, 2020, the Hungarian government issued a governmental decree suspending the rights of individuals under Articles 15 through 22 of the General Data Protection Regulation (GDPR) – the right of access and the rights to rectification, erasure, restriction of processing, data portability, to object, and not to be subject to automated individual decision-making, including profiling.  The suspension was until the end of the state of emergency that was declared due to the coronavirus pandemic.

Last week, on June 2, 2020, the European Data Protection Board (EDPB) issued a statement criticizing the action of the Hungarian government.  It stated in part:

  • Legislative measures which seek to restrict the scope of individual rights must be foreseeable to the persons subject to them, including with regard to their duration in time, and because the restrictions were imposed for a duration not precisely limited in time, they did not meet the foreseeability criterion.
  • Restrictions must be a necessary and proportionate measure to safeguard an important objective of general public interest such as public health.  Individual rights can be restricted but not denied, and in the EDPB’s view, restrictions suspending or postponing the application of individual rights, without any clear time limitation, equates to a de facto suspension of those rights and amounts to a complete obstacle against the exercise of the rights themselves.

The EDPB’s statement in response to the Hungarian government’s action is a reminder that, during the pandemic, even though a state of emergency exists, the individual rights set forth in the GDPR are still in effect.  Organizations, as needed, may take additional time to respond to requests from individuals, but they still must respond to those requests.  GDPRsimple, www.keepgdprsimple.com, an automated web and mobile tool, can help businesses respond to individual rights requests under the GDPR and keep track of the requests and their responses to them. 

What is the right to rectification?

The right to rectification gives the individual the ability to have inaccurate personal data concerning him or her corrected.  Personal data is inaccurate if it is incorrect or misleading as to any matter of fact.  This right also gives the individual the ability to have incomplete personal data completed, including by providing a supplementary statement.

Any rectification must be disclosed to each recipient to whom the personal data have been disclosed, unless it is impossible or involves disproportionate effort.  The individual must be informed about those recipients if he or she so requests.      

Under the right to restrict processing, an individual has the right to request restriction of the processing of his or her personal data where its accuracy is being contested and you are checking it.  As a matter of good practice, processing of the personal data in question should be restricted while the accuracy of the personal data is being verified, whether or not the individual has exercised his or her right to restrict processing. The right to restrict processing will be the subject of a future blog.

If you are satisfied that the personal data is accurate or is complete, you should let the individual know and tell the individual that you will not be correcting or completing the personal data. You should explain your decision and inform the individual of his or her right to make a complaint to the appropriate supervisory authority and of the ability to seek to enforce his or her rights through a judicial remedy.

This blog is the seventh in a series of blogs that describes and explains the eight individual rights set forth in the GDPR.

Next blog:  What is the right to erasure?