Data Subject Rights - GDPR
You can download a full copy of the slides from this webinar.
Full transcript available below:
Good afternoon. Thank you for joining the webinar today. We're going to give everyone just a couple more minutes to join and then we'll start the webinar. Good afternoon and thank you for joining today's webinar Prepare your firm for GDPR hosted by me Bethany Sirven of MyComplianceOffice with feature presenter Emily Mahoney.
Finally, data subject rights. There's a lot to cover here and I'll run through it. Basically, the GDPR has expanded data subject rights. First will be the right of restriction.
A data subject's right to restrict processing if that as opposed to erasing their data. If the accuracy of the personal data is contested or their processing is unlawful, if in a situation the data subject or if the personal data is no longer needed for its original purpose, but it's necessary to establish or exercise defend legal rights. You're going to request, the data subject will request the restriction of processing, but they don't want you to erase it yet for any particular, for a reason to defend their legal rights or if their pending verification where an individual objects to the processing and you're evaluating whether that objection is valid. |
Next, you heard a lot about right to be forgotten. I'm sure a couple years back, that's the right to erasure. There's a variety of situations where an individual can request erasure and I hope you're thinking about this both as a company, but this is also yourselves as data subjects when you would have a right to request a data controller or processor to erase your data. |
You can request data to be erased in specified circumstances, for example, it's no longer necessary or your consent, you're withdrawing your consent and there's no other ground to process data. Next, the subject access request. This existed under the directive, but there are changes to the costs, timelines and entity's ability to refuse request. |
Basically, under the directive, an entity had a right to charge in this situation. You will not unless it's the data subject, the subject access request is manifestly unfounded or excessive. If you find customers requesting a copy of all information held by you, you must comply with the subject access request without undue delay and at the latest within one month. |
There are extensions permitted in some limited cases. Next, the right to data portability where a data subject can receive, personal data concerning him or her in a structured, commonly used and machine readable format and to be able to transmit that data to another controller without hindrance from the controller which provided the personal data. |
This right only applies to personal data that a data subject is actually provided to control. Finally, the right to rectification. This is the right where a data subject and request an accurate personal data concerning him or her to be rectified without undue delay. If I feel the data you hold on me and your systems is incorrect, my birth date is incorrect for example, you must change it without undue delay. |
Also, this would include a right to have my ... If you hold incomplete personal data and I wanted it to be completed, you would have to comply within reasonable time. Okay, next slide. Finally, I included another page on data subject rates because about the right to object. The directive allow the data subject to object to the processing of their data and now the GDPR extends this right? |
The directive permitted data subjects to object to the processing of their data on compelling legitimate grounds were the basis for the processing, the basis for which you originally collected or in processing the data was either that the processing was in the public interest or in the legitimate interest of the controller. |
They could object and also, in relation to processing for direct marketing. The GDPR similarly does not contain a general right to object, however, it does provide certain instances and respect where a data subject is given that right. For example, again under the GDPR, this right to object applies if you're using legitimate interest or a public interest test to have to process the data, but then you can try to contest that objection if you can show an overriding, compelling legitimate grounds to process that data, but what's important in this situation especially if you engage in direct marketing is that ... Excuse me, a data subject will always have a right to object to processing their data for direct marketing. |
Any further processing in that regard is precluded. That's pretty important too to remember. Then as part of your accountability and transparency requirements and obligations under the GDPR, you must inform the data subject of their right to object. It must be explicitly brought to their attention and be presented clearly and separately from other information. |
|
This webinar was co-hosted with Mason Hayes & Curran www.mhc.ie |