A key issue in the data and digital arenas is the protection of your personal information, a matter of increasing importance with the recent introduction of the General Data Protection Regulation (GDPR). Adopted in April 2016, it replaces the 1995 data protection directive (Directive 95/46/EC), and is now the new primary text on this subject.
The GDPR strengthens and clarifies the rights of natural persons whose personal data is processed, and the obligations of the entities that carry out such processing. To understand the key aspects, we recommend watching our video “GDPR: 1 minute to understand and take action”. It will apply in EU Member States from 25 May 2018.
New requirements for consent
Where data processing is based on the consent of the person concerned, the request for consent must be made in clear and simple terms, particularly when addressed to a child. Consent must be given in the form of a positive action. Silence, inactivity or a box checked by default cannot therefore be construed as agreement. Furthermore, consent can be withdrawn at any time.
Strengthening the rights of people whose data is collected
The Regulation clarifies existing rights and creates new ones. Those whose data is processed therefore have the following rights:
Information (Articles 13 and 14): when the data is collected from the subject or from another party, they must be notified of several pieces of information. These include the purpose of the processing and the rights that the subject has.
Right of access
Right of access (Article 15): the subject has the right to obtain confirmation as to whether their data is being processed and, if so, access to that data and to certain information such as that mentioned above.
Right to rectification
Right to rectification (Article 16): the subject has the right to obtain rectification of inaccurate data without undue delay, and to have incomplete data completed.
Right to erasure
Right to erasure (Article 17): subjects have the right to have their personal data erased without undue delay when they withdraw consent to the processing, when they object to it, when the data is no longer required for the purpose for which it was collected, where it was processed unlawfully, or for compliance with a legal obligation, except in certain cases. If the controller has made the data public, it must inform other data controllers that process it that this data and all copies of it must be erased.
Right to restriction of processing
Right to restriction of processing (Article 18): subjects have the right to have processing restricted where they object to it, where they contest the accuracy of the data, where the processing is unlawful, or where they require it to establish, exercise or defend legal claims.
Right to portability
Right to portability (Article 20): where the processing is based on consent or on a contract and is carried out by automated means, the person concerned has the right to receive their data in a structured, commonly used, machine-readable and interoperable format, and to transmit it to another controller without hindrance from the initial controller.
Right to object
Right to object (Article 21): subjects have the right to object at any time to the processing of their data, except when this is required for a task in the public interest or where there are compelling legitimate grounds for the processing. They can also object to processing performed for direct marketing purposes.
Automated decision-making (Article 22): subjects have the right not to be subject to a decision based solely on automated processing, including profiling, which produces legal effects concerning them, except when this decision is required to conclude or perform a contract, is legally authorised, or is based on the subject’s consent.
In an era where it is possible to share your personal information with a click, Regulation (EU) 2016/679 can be seen as a sensible measure, insofar as it grants a range of rights that allow some control over what is done with our data. In another article to appear soon we will look at the obligations of data controllers and processors.