Putting in place means to facilitate the exercise of the GDPR data subject rights is key to achieve compliance with the Regulation. In this section you will find information about the data protection rights and how data subject requests should be handled.
What are the GDPR data subject rights
To strengthen the control individuals have over their own personal data, the European data protection framework grants them several rights. The GDPR data subject rights are set forth in articles 12 to 22 and they bind controllers to facilitate their exercise.
Right of information or transparency
The right of information or transparency obliges you to provide information to data subjects about the processing of their personal data. The information you need to provide and the periods to answer an information request varies depending on whether you obtained the information from the data subject or a third party.
What information must be provided
Depending on whether you obtain the data from the data subject or from third source, you need to provide the following information:
|Information to provide||Data subject||Other source|
|Your identity and contact details||✔||✔|
|The representative’s identity and contact details||✔||✔|
|DPO’s contact details||✔||✔|
|Purpose of the processing||✔||✔|
|Legal basis for the processing||✔||✔|
|Categories of personal data||✔||✔|
|International transfers of data||✔||✔|
|GDPR data subject rights||✔||✔|
|The option to withdraw consent||✔||✔|
|The right to lodge a complaint with a supervisory authority||✔||✔|
|The source of the data||✖||✔|
|Statutory or contractual requirement||✔||✖|
|Automated decision-making or profiling||✔||✔|
|Processing for different purposes||✔||✔|
At what moment the information must be provided
If the data is gathered from the data subject, then you need to inform them at the moment you collect that information.
In the event the individual’s data is collected from other source, you need to inform:
- within a reasonable period after obtaining the personal data, but at the latest within one month, having regard to the specific circumstances in which the personal data are processed;
- if the personal data are to be used for communication with the data subject, at the latest at the time of the first communication to that data subject; or
- if you envisage to disclose the data to another recipient, at the latest when the personal data are first disclosed.
Where the provision of information is not necessary
In general, you do not need to provide data subjects with information if they already possess that information.
In the event that you have collected the information from a third party, then you are not required to inform data subjects when the provision of such information proves impossible or would involve a disproportionate effort.
And when the provision of the information can be considered impossible or to involve a disproportionate effort? Such is the case, in particular, when the processing is carried out for archiving purposes in the public interest, scientific or historical research purposes or statistical purposes, or to the extent that fulfilling this obligation is likely to render impossible or seriously impair the achievement of the objectives of that processing.
To meet this exception, Recital 62 of the GDPR states that it is necessary to consider the number of data subjects and the age of the data. In addition, you are required to take appropriate safeguards to protect the rights and freedoms and legitimate interests of the data subjects, including making the information publicly accessible.
In addition, where the information is collected from other source you do not need to provide the information where:
- obtaining or disclosure is expressly laid down by Union or Member State law to which you are subject; or
- where the personal data must remain confidential subject to an obligation of professional secrecy regulated by Union or Member State law, including a statutory obligation of secrecy.
The layered approach
In light of the volume of information which is required to be provided to the data subject, a common practice backed by the EDPB is to structure the information in layers. In order to implement a layered privacy statement or notice, it is not sufficient to request a checkbox where any information is provided and there is only a link to the privacy notice. The EDPB, in the Guidelines on transparency under Regulation 2016/679, states:
The design and layout of the first layer of the privacy statement/ notice should be such that the data subject has a clear overview of the information available to them on the processing of their personal data and where/ how they can find that detailed information within the layers of the privacy statement/ notice.
Regarding the information that must be provided en the first layer it varies depending on the EU Member State local law.
In Spain, the Spanish Data Protection Act (LOPDGDD) requires the provision of the following information:
- the identity of the controller and of the representative, where applicable;
- the purpose of the processing
- the possibility to exercise the gdpr data subject rights;
- where applicable, the existence of automated decision-making and the right to objection;
Right of access
The right of access empowers data subjects to obtain from you confirmation as to whether or not personal data concerning him or her are being processed, and, where that is the case, a copy of that personal data. Furthermore, they are also entitled to request the following information:
- the purposes of the processing;
- the categories of personal data concerned (health, financial, professional…);
- the recipients or categories of recipient to whom the personal data have been or will be disclosed, in particular recipients in third countries or international organisations;
- the envisaged period for which the personal data will be stored;
- the existence of the right of rectification, erasure, restriction or objection and the right to lodge a complaint with a supervisory authority;
- where the personal data are not collected from the data subject, any available information as to their source;
- the existence of automated decision-making, including profiling, information about the logic involved, the significance and the envisaged consequences.
Any of the privacy information mentioned above must be provided free of cost. However, for any further copies of the personal data that you are requested you are allowed to charge a reasonable fee based on administrative costs.
As explained below, you may also charge a fee or refuse to respond to a request when that request is unfounded or excessive, particularly because of their repetitive character.
Where a request is to be considered unfounded or repetitive is a matter which is left open in the GDPR, therefore it must be addressed by the Member State law.
In Spain, the Spanish Data Protection Act (LOPDGDD) states that an access request shall be deemed as repetitive where there are more than one requests within a period of six months, unless there is a legitimate cause.
Conversely, the request shall be deemed excessive when carried out by means other than those made available by the controller. In that case, the requesting party will bear the exceeding costs of their election and the controller will be entitled to respond to the request with no deadline but without undue delays.
Right of rectification
The right to rectification allows data subjects to request rectification of their personal data where inaccurate and completion of their personal data where incomplete, which may be executed through an additional statement.
In addition, the GDPR states that you shall communicate any rectification of personal data to each recipient to whom the personal data have been disclosed, unless this proves impossible or involves disproportionate effort. This obligation is also applicable to the GDPR data subjects rights erasure and restriction of the processing.
Finally, you shall also take into account that Local Member State law may introduce further specifications to this right. For instance, the Spanish Data Protection Act (LOPDGDD) requires from data subjects that their requests include the data to be rectified and, where necessary, the appropriate documentation to justify the inaccuracy or incompleteness of the data.
Right to erasure (right to be forgotten)
The right to erasure, or right to be forgotten, entitles data subjects to request the erasure of their personal data where one of the following grounds applies:
- the personal data are no longer necessary in relation to the purposes for which you collected or processed them;
- the processing is based on consent and the data subject has withdrawn consent, unless there is other legal ground for the processing;
- the data subject objects to the processing;
- the personal data have been unlawfully processed (in breach of a law or with no legal grounds);
- the personal data have to be erased for compliance with a statutory obligation;
- the personal data were collected from a child below the age of 16 without authorisation or consent by the holder of parental responsibility over the child.
The right to erasure requires you to erase personal data. There are, however, situations where instead of erasing the data the law obliges you to block the data. GDPR Article 17.3 introduces five cases where the obligation to erase the personal data is lifted. These are the following:
- for exercising the right of freedom of expression and information;
- for compliance with a legal obligation or for the performance of a task carried out in the public interest or in the exercise of official authority;
- for reasons of public interest in the area of public health;
- for archiving purposes in the public interest, scientific or historical research purposes or statistical purposes in so far as erasure would be likely to render impossible or seriously impair the achievement of the objectives of that processing; or
- for the establishment, exercise or defence of legal claims.
Finally, the GDPR states that you shall communicate any erasure of personal data to each recipient to whom the personal data have been disclosed, unless this proves impossible or involves disproportionate effort. This obligation is also extensible to the data subjects rights rectification and restriction of the processing.
Right to restriction of processing
The right to restriction of processing is limited and may be exercised by data subjects in the following scenarios:
- Where they contested the accuracy of the personal data, you can restrict the procesing for a period that enables you to verify the accuracy of the personal data;
- The processing is unlawful and the data subject opposes the erasure of the personal data and requests the restriction of their use instead;
- You no longer need the personal data for the purposes of the processing, but they are required by the data subject for the establishment, exercise or defence of legal claims;
- The data subject has objected to processing but you opposed the existence of compelling legitimate grounds. In that case, you can restrict the processing while you verify whether or not your compelling legitimate grounds override the data subject right.
Right to data portability
One of the new GDPR data subject rights is the right to data portability. This right allow data subjects to request:
- delivery of the personal data concerning them which they have previously provided you, or
- transmission of their personal data directly to another controller, where technically feasible.
In addition, personal data thus communicated must be delivered in a structured, commonly used and machine-readable format.
This right can only be requested where:
- the processing is based on consent or on a contract, and
- the processing is carried out by automated means.
Right to object
Data subjects may object to the processing of their personal data where:
- the processing of their personal data is based on public interest or legitimate interest and the data subject claims a particular situation which justifies stopping the processing;
- you use their personal data for direct marketing purposes; or
- personal data are processed for scientific or historical research purposes or statistical purposes and the data subject particular situation justifies objecting to the processing of his or her personal data, unless the processing is necessary for the performance of a task carried out for reasons of public interest.
Right to not be subject of individualised decisions
The last data protection right that you need to consider is the right that data subjects have to not be subject of decisions based solely on automated processing which produces them legal effects or similarly affects them.
And the same applies to the processing of personal data with the purpose of profiling, which covers those situations where aspects of individuals are analysed in order to predict their behaviour.
Notwithstanding the above, you may still take automated decisions where:
- it is necessary for entering into, or performance of, a contract between you and the data subject; or
- it is based on the data subject’s explicit consent.
In both cases the GDPR requires you to implement suitable measures to safeguard the data subject’s rights and freedoms and legitimate interests, and at least the right to obtain human intervention, to express his or her point of view and to contest the decision.
Automated individualised decisions or profiling may also be taken lawfully where it is authorised by Union or Member State law, provided these regulations lay down suitable measures to safeguard the data subject’s rights and freedoms and legitimate interests.
Finally, in order to take automated individualised decisions based on special categories of personal data (gdpr sensitive personal data), the GDPR Article 22.4 requires explicit consent or a public interest ground and the adoption of suitable measures to safeguard the data subject’s rights and freedoms and legitimate interests.
How to respond to GDPR data subject rights requests
Form of the response
The GDPR states that the information shall be provided in writing, or by other means, including, where appropriate, by electronic means. The information may also be provided orally then the data subject has requested it orally, provided that the identity of the data subject has been proven by other means.
Where the data subject makes the request by electronic form means, the information shall be provided by electronic means where possible, unless otherwise requested by the data subject.
Period to respond to gdpr data subject rights
GDPR Article 12 states that gdpr data subject rights requests must be responded without undue delay and in any event within one month of receipt of the request. However, that period may be extended by two further months where the complexity and number of the requests make it necessary. In such event, you the GDPR requires you to inform the data subject of such extension within one month of receipt of the request, together with the reasons for the delay.
Duty of identification
Prior to executing the GDPR data subject rights requests you need to identify the individual.
Identifying the individual does not mean requesting their national ID card. Actually there may be scenarios where collecting the data subject’s ID card with the sole purpose of identification might be considered excessive and against the law.
The information which you need to request in order to identify an individual depends on the context of the processing and the data protection right requested.
For instance, where a subscriber from your mailing list requests that their data is no longer used for marketing purposes, to identify that individual it would be enough quiring their mailing address.
Conversely, if the same individual requests instead a copy of all the personal data concerning him or her that you hold on your servers, then probably the identification solely by the mail address would be insufficient and it would make much more sense to ask for the national ID card.
Finally, if an individual refuses to provide you with a proof of his identity you might then choose to not carry out his or her request.
Fees for answering GDPR data subject rights requests
You may charge a reasonable fee taking into account the administrative costs of providing the information or communication or taking the action requested where you consider that the data subject request is manifestly unfounded or excessive, in particular because of their repetitive character.
When you can refuse to respond data subject requests
You are entitled to refuse to act on a request whenever that request is manifestly unfounded or excessive, in particular because of their repetitive character.
In that case, you need to inform the data subject without delay and at the latest within one month of receipt of the request of the reasons for not taking action and on the possibility of lodging a complaint with a supervisory authority and seeking a judicial remedy.