Persons whose personal data have been collected by an organization are called data subjects. There is much debate about what constitutes personal data and about the data sets that organizations track and analyze. The purpose of this post is to explain the rights of data subjects and the basics of how those rights generally apply under the GDPR.
What is a Data Subject?
The term data subject is defined by the General Data Protection Regulation (GDPR). It refers to a person whose personal data is processed by a controller or processor in the context of a specific task. The GDPR defines this task as the execution of a contract between that person and the controller or processor. Simply put, a data subject is a person whose data is being processed. Data subjects have a right to access information about themselves via a Data Subject Access Request (DSAR) and to have that information corrected, modified, or erased. In general, data subjects have a right to access information, a right to erase personal data, a right to object to processing, a right to data portability, a right to data integrity, and a right to complain to a supervisory authority.
What Are Controllers And Processors?
Under GDPR, data controllers and processors have clearly defined roles and responsibilities that each must carry out within an organization.
What Is A Controller?
Organizations collect and use personal data according to the purposes determined by their data controller. Data controllers can be individuals or groups, as long as they can determine how and why data should be processed. Additionally, the data controller must evaluate:
- The types of personal data that an organization should collect.
- Whose personal data should be collected.
- Who will have access to the information.
- Data subjects’ rights when and where they apply.
- Data retention period.
What Is A Processor?
A processor acts under the authority of a controller. Instead of serving its own interests, it serves those of the controller. Many of the responsibilities and principles that apply to controllers also apply to processors under the GDPR. At the same time, the GDPR takes a distinct stance on processors, imposing direct, enforceable obligations on them. GDPR compliance is a shared responsibility between both parties. A data processor should generally be able to:
- Assure that data processing logistics are in order.
- Establish a method for storing the collected information.
- Secure the information.
- Establish a process for transferring personal data.
- Ensure that retention schedules are followed.
- Dispose of sensitive data appropriately once it is no longer needed.
What Are the Rights of Data Subjects?
Under the GDPR, a data subject is afforded many rights regarding their data. These range from the straightforward, such as knowing what data is being collected about them, to the more complex, such as the right to find out about and stop any profiling that results from the data collection.
The Right To Information
As the most visible part of the GDPR, you’ll often see a pop-up that tells you what data the business is collecting. However, the right goes further: you should be able to contact the organization directly to get a complete overview of precisely what it collects about you and your interactions with its product or service.
Being Able To Access Personal Data
Data subjects can request access to their data at any time. When they do, the organization must oblige and provide precisely what was requested. The period for producing this information is one month, with exceptions for requests that are excessive or repetitive. For example, a data subject may ask for their data, and the company must provide it within one month. However, if that data subject is repeatedly filing requests, exemptions may be granted.
Having The Ability To Correct Information
Because the internet is a largely anonymous place, incorrect information about a person is often posted. Therefore, the GDPR allows a data subject to request a correction. This also applies when an organization displays erroneous information: you can request that it be corrected, and the organization has one month to comply. Exemptions similar to those for the right to access apply here.
The Right To Erase Data
An individual may request that information stored about them be completely erased. An organization must comply with such a request; this is more commonly known as the right to be forgotten. Some examples of why an individual might want their data erased include:
- The information was collected unlawfully.
- The individual no longer agrees to their information being stored.
- The way the data was collected is no longer lawful (even if it was when gathered).
The Ability To Restrict What Is Processed
Organizations must limit how they use personal data if individuals request it. An individual may use this right instead of asking for the erasure of their data when confronted with inaccurate personal information. Individuals can also exercise this right when they have stopped using the product or service for which the information was collected, but the organization still needs the data for legal reasons.
The Ability To Transfer Your Personal Data
Whenever you change organizations, you can request that your records be transferred from one to the other. You can use this right in conjunction with the right to erasure and the right to access information.
Having The Right To Object
Individuals may object to an organization about how it uses their data. However, a data subject must have grounds for doing so, and if the organization needs the data for legal reasons, it may override the request. Unless an organization can demonstrate a compelling reason for processing the information that overrides the individual’s interests, rights, and freedoms, it must cease processing it.
Having Rights Regarding Automated Decisions
Although strict rules already exist for profiling, automated systems sometimes carry it out inductively, that is, by inference from the data they process. A data subject may request a review of how their information is being processed if they believe profiling has occurred. An organization must comply with this request and may even have to fix its automated systems if they are found to be profiling people based on their data.
In response to increased awareness of the amount of data that organizations collect about them, more individuals are demanding greater control over how that data is used. The GDPR was the response to this demand. As a result, data subjects can request information about what data is collected and how it is used, and can ultimately decide to have it modified or erased under the GDPR.