Data Subject Rights under the GDPR
Niall Rooney
28/09/2017

Note: These slides and the accompanying presentation contain a general summary and are not a complete or definitive statement of the law. Specific legal advice should be obtained where appropriate.
Introduction

- Privacy and data protection are fundamental rights in the EU
- Not absolute rights: they must be balanced against other fundamental rights
- Data protection law strikes a balance between individuals’ rights, the needs of society, and the rights of organisations to process personal information.
- Current law has been overtaken by technology and globalisation.
- The GDPR is a new legal framework, backed by strong enforcement, intended to create trust to allow the digital economy to grow and to enhance legal and practical certainty for individuals, businesses and public bodies.
- Focus on ensuring personal data is protected, giving people more control over their personal data, and making it easier for them to access it.
- New and enhanced rights for individuals
- Increased compliance obligations for organisations
- Enforcement, sanctions and liability
Data subject rights under the GDPR

- Information
- Access
- Rectification (correction)
- Erasure (right to be forgotten)
- Restriction
- Objection
- Data portability
- Automated decision-making
- Personal data security breach
- Complaint
- Effective judicial remedy
EU Charter of Fundamental Rights, Article 8
Everyone has the right of access to data which has been collected concerning him or her, and the right to have it rectified.

GDPR Recital 7
Natural persons should have control of their own personal data.

GDPR Article 12
The data controller must facilitate the exercise of data subject rights. The data controller must take appropriate measures to provide information and communications in a concise, transparent, intelligible and easily accessible form, using clear and plain language.
Data subject

‘personal data’ means any information relating to an identified or identifiable natural person (‘data subject’)
A living person whose personal data is collected, held or otherwise processed.

Identifying data subjects
- The data controller must not refuse to give effect to data subject rights unless it can demonstrate that it is not in a position to identify the data subject, and the controller must use all reasonable measures to verify identity.
- Where the controller has reasonable doubts as to identity, it may request additional information necessary to confirm identity.

Data subjects resident outside the EU
- The GDPR applies to the processing of personal data in the context of the activities of an establishment of a controller or a processor in the EU, regardless of whether the processing takes place in the EU or not.
1. Information
Art 13, 14

- Fair and transparent processing of personal data.
- Right to get certain specified information from the data controller, at the time the personal data is obtained. Typically, this is provided through a privacy notice.
- When personal data is obtained directly from the data subject, the specified information must be provided by the controller at the time the data is obtained.
- Where the controller does not obtain the personal data directly, the controller must provide the data subject with the specified information within one month of having obtained the data.
- If the controller intends to further process the personal data for a purpose different from that for which it was originally collected, the controller must provide a new notice covering the new processing.
Privacy notice (subject provides the data)

- Controller identity and contact details
- DPO contact details, where applicable
- Purposes of processing
- Legal basis for processing
- Legitimate interests, where applicable
- Recipients or categories of recipients
- Details of transfers outside the EEA and safeguards in place
- Retention period, or criteria used to determine it
- Data subject’s rights, including access, correction, erasure, restriction, objection, data portability
- Where processing is based on consent, the right to withdraw it at any time
- The right to lodge a complaint with a supervisory authority
- Whether the provision of personal data is a statutory or contractual requirement or obligation, and the consequences of failure to provide such data
- Whether the controller uses automated decision-making (including profiling), and information about the logic involved, and the significance and consequences of the processing for the data subject
Privacy notice (third party provides the data)

- Same information as required when the data controller collects personal data directly from a data subject.
- However, the notice must also add:
  - the categories of personal data concerned, and
  - the source(s) of the personal data including, if applicable, whether it came from publicly accessible sources.
2. Access
Art 15

A data subject has the right to obtain from a data controller:
- confirmation that his or her personal data is being processed
- a copy of the personal data on request (unless this adversely affects the rights and freedoms of others)
- other information about the processing, including: purposes; categories of personal data; recipients; retention period; rights to correction, erasure, restriction, objection; right to make a complaint to a supervisory authority; personal data source(s) if collected from a third party; whether the controller uses automated decision-making, including profiling, the logic used, and the consequences of the processing for the data subject.

When the data subject makes the request electronically, the controller must provide the information in a commonly used electronic form, unless the data subject requests the information in a different format.
If requested, the information may be provided orally, provided that the identity of the data subject is proven by other means.
Responding to access requests

- The data controller must provide “a copy of the personal data undergoing processing” and must respond within one month of receipt of the request.
- May extend by two months where necessary, taking into account the complexity and number of requests, but must inform the data subject of the extension within one month of receiving the request and state the reasons for the delay.
- The information provided and any actions taken are free of charge.
- Where requests are “manifestly unfounded or excessive, in particular because of their repetitive character”, the controller can charge a reasonable fee to provide the information or take the action, or can refuse to act on the request.
- If the controller refuses, it must within one month explain why and inform the data subject of the right to make a complaint and to a judicial remedy.
- If the controller has reasonable doubts about the identity of the requestor, it may request additional information to confirm the identity of the data subject.
Motive? Scope?

Purpose of the right of access under the GDPR:
- A data subject has the right of access to personal data “in order to be aware of, and verify, the lawfulness of the processing” (Recital 63).
- It is the task of the right of access under data protection legislation to make available to the person concerned access to his own data, where otherwise no right of access exists.

SARs as a litigation tool?
- The existence of legal proceedings between data subject and controller is not an exception to the right of access: it does not preclude the data subject making an access request, nor justify the controller in refusing the request.
- An access request is not invalid if it is made for the collateral purpose of assisting with litigation.

Requests for large amounts of personal data:
- Where the controller processes a large quantity of personal data, it may request the data subject “to specify” the information or processing to which the request relates (Recital 63).
- Also consider whether the request is manifestly unfounded or excessive, in particular because of its repetitive character.
3. Rectification (correction)
Art 16

- Personal data must be accurate and kept up to date, and inaccurate data erased or rectified without delay.
- A data subject is entitled to:
  - have inaccurate personal data held by the data controller corrected
  - have incomplete personal data held by the data controller completed
- The controller must inform recipients to whom the data has been disclosed, unless this proves impossible or involves disproportionate effort.
- Timescale: one month (extendible by two months where requests are complex or numerous)
4. Erasure (‘right to be forgotten’)
Art 17

A data subject has the right to request erasure of personal data that a data controller holds about him or her if:
- the data is no longer necessary for the purpose for which it was originally collected or processed
- consent is withdrawn, and there is no other legal basis for processing
- the data subject objects to the processing and there are no overriding legitimate grounds for continuing the processing
- the personal data was unlawfully processed
- the personal data has to be erased to comply with an EU or Member State legal obligation
- the personal data was processed in relation to the offer of information society services to a child

Timescale: one month (extendible by two months where requests are complex or numerous)

- If the controller has made the personal data public, it must take reasonable steps, including technical measures, to inform other data controllers to erase any links to, copies or replications of the data.
- Where a data subject has disclosed the personal data, the controller must inform recipients about the erasure of the personal data, unless it is impossible or involves disproportionate effort to do so.
Refusal of request for erasure

The controller can refuse the request where processing is necessary:
- for exercising the right of freedom of expression and information
- for complying with a legal obligation under EU or Member State law
- for the performance of a task carried out in the public interest or in the exercise of official authority vested in the data controller
- for public health reasons
- for certain archival (public interest, scientific or historical research) or statistical purposes
- for the exercise or defence of legal claims
5. Restriction
Art 18

A data subject is entitled to restrict processing of personal data when:
- the accuracy of the personal data is contested by the data subject
- the processing is unlawful
- the controller has no further need for the data, but the data subject requires the data to exercise or defend a legal claim
- the data subject has objected to the processing, pending verification of whether the legitimate grounds of the controller override those of the data subject

When processing is restricted, a controller may store the personal data, but cannot further process it unless:
- the data subject consents
- processing is necessary to exercise or defend a legal claim
- processing is necessary to protect the rights of another individual or legal entity
- processing is necessary for public interest reasons
6. Objection
Art 21

A data subject can object to certain types of processing:
- processing for direct marketing purposes (no exemptions or grounds to refuse)
- processing based on legitimate interests, or on the performance of a task in the public interest or the exercise of official authority
- processing for certain [scientific or historical] research purposes or statistical purposes

- Must notify individuals of this right at an early stage, clearly and separately from other information
- Where processing is carried out online, the data subject must be able to exercise this right by automated means (to object online)
- The controller must comply unless:
  - it can show compelling legitimate grounds for the processing which override the interests, rights and freedoms of the data subject, or
  - the processing is necessary for the exercise or defence of a legal claim
7. Data portability
Art 20

The data subject has a right to data portability, including:
- to receive a copy of the personal data from the data controller in a structured, commonly used and machine-readable format
- to transmit it to another controller, including directly from one controller to another, where technically feasible.

The right only applies:
- to personal data which is processed by automated means
- to personal data which the data subject has provided to the controller
- where the processing is based on the data subject’s consent or on the performance of a contract

The right does not apply to processing necessary for the performance of a task carried out in the public interest or in the exercise of official authority vested in the controller.
The right must not adversely affect the rights and freedoms of others.

Timescale: one month (extendible by two months where requests are complex or numerous)
8. Automated decision-making
Art 22

A data subject has the right not to be subject to a decision based solely on automated decision-making (including profiling) which produces a legal effect or a similarly significant effect on him or her, unless the automated decision is:
- necessary for entering into or performing a contract between the data subject and the data controller
- based on the explicit consent of the data subject
- authorised by EU or Member State law

The controller must ensure safeguards for the data subject are in place (at minimum: the right to obtain human intervention, to express his or her point of view, and to contest the decision).

‘profiling’: any form of automated processing of personal data consisting of the use of personal data to evaluate certain personal aspects relating to a person, in particular to analyse or predict aspects concerning that person's performance at work, economic situation, health, personal preferences, interests, reliability, behaviour, location or movements.
9. Personal data security breach
Art 34

- When a personal data breach is likely to result in a high risk to a data subject's rights, the data controller must notify the data subject without undue delay.
- Must describe the nature of the security breach in clear and plain language, and include at least the following information:
  - name and contact details of the DPO or other contact person
  - likely consequences of the data breach
  - measures taken or proposed to address the breach, including, where appropriate, measures to mitigate its possible adverse effects

The data controller is not required to notify data subjects of a personal data breach under certain limited circumstances:
- Appropriate technical and organisational measures render the personal data unintelligible, for example, when the controller encrypts the personal data.
- The controller has taken steps which ensure the data subject's personal data is no longer subject to high risk.
- Notifying data subjects would involve disproportionate effort; in that case the data controller can notify data subjects by a public communication or other equally effective measure.
Restrictions

Member States may restrict the scope of data subject rights (Articles 12-22 and 34) where this is necessary and proportionate to safeguard:
(a) national security
(b) defence
(c) public security
(d) the prevention, investigation, detection or prosecution of criminal offences or the execution of criminal penalties, including safeguarding against and the prevention of threats to public security
(e) other important objectives of general public interest of the EU or a Member State, in particular an important economic or financial interest of the EU or a Member State, including monetary, budgetary and taxation matters, public health and social security
(f) the protection of judicial independence and judicial proceedings
(g) the prevention, investigation, detection and prosecution of breaches of ethics for regulated professions
(h) a monitoring, inspection or regulatory function connected, even occasionally, to the exercise of official authority in the cases referred to in points (a) to (e) and (g)
(i) the protection of the data subject or the rights and freedoms of others
(j) the enforcement of civil law claims
10. Complaint

- A data subject has the right to lodge a complaint with the supervisory authority if he or she considers that the processing of personal data relating to him or her infringes the GDPR; in other words, that their personal data has been processed in a way that does not comply with the GDPR.
- The supervisory authority must inform the complainant of the progress and the outcome of the complaint.
- The individual has the right to an effective judicial remedy against a legally binding decision of a supervisory authority concerning him or her.
- The individual has the right to an effective judicial remedy where the supervisory authority fails to deal with a complaint, or fails to inform the individual within 3 months of the progress or outcome of the complaint.
Powers of the supervisory authority

Corrective powers include:
- to order the data controller or processor to comply with the data subject's requests to exercise rights pursuant to the GDPR
- to order the data controller to communicate a personal data breach to the data subject
- to order the rectification or erasure of personal data or restriction of processing, and the notification of such actions to recipients to whom the personal data have been disclosed
11. Effective judicial remedy

A data subject has the right:
- to sue a data controller or data processor if he or she considers that his or her rights under the GDPR have been infringed as a result of the processing of his or her personal data in non-compliance with the GDPR
- to receive compensation from the controller or processor for damage suffered (material and non-material damage)

- Not strict liability: a controller or processor is exempt from liability if it can prove it is “not in any way responsible” for the event giving rise to the damage.
- A data processor will only be liable for the damage caused by processing insofar as it has failed to comply with the GDPR's processor-specific obligations or has acted outside the instructions of the data controller.
- Where a controller and processor are engaged in the same processing, and both are responsible for the damage, they are jointly liable for the entire damage.
- The potential for group legal actions is also facilitated by the GDPR.
Data processors

- Controllers must use processors who can provide “sufficient guarantees” that processing will meet GDPR requirements and ensure protection of the rights of data subjects.
- Data processors have direct responsibilities and obligations under the GDPR, outside the terms of their contracts, and processors can be directly subject to:
  - complaints by data subjects to the supervisory authority
  - direct enforcement by the supervisory authority
  - legal actions by individuals (but only liable insofar as they have failed to comply with processor-specific GDPR obligations or acted outside the controller’s instructions)
What should data controllers do?

Actions controllers can take to satisfy GDPR obligations and help the exercise of data subject rights include:
- Implement internal procedures and policies to facilitate the exercise of data subjects’ rights.
- Review and update privacy notices to ensure they are compliant, satisfy information obligations, and clearly communicate the data subject’s rights.
- Implement internal procedures and policies for handling and responding to data subject requests in a timely and appropriate manner.
- Implement authentication procedures to verify the identity of data subjects.
- Develop template response letters and forms to collect additional information (for preparing data subject request responses).
- Create an inventory or log for recording subject access requests and tracking responses.
- Develop interoperable formats and other means to allow data portability.
- Review IT system requirements (e.g. erasure, restriction, data portability).
- Review all profiling activities and implement policies and procedures on automated decision-making.
- Review processes, procedures and training for customer-facing staff.
https://ico.org.uk/for-organisations/data-protection-reform/