The Eight User Rights Under the GDPR

The Eight User Rights Under the GDPR

The General Data Protection Regulation (GDPR) affects businesses around the world when it comes to their data processing activities. However, an alternative look at the GPDR exists when you consider it from the perspective of EU residents for the user rights it offers.

The GDPR concerns itself less with endlessly controlling the way companies process data and more with the rights of the people whose personal data gets processed. These eight user rights are expressed across the breadth of Chapter 3: Rights of the Data Subject.

The eight rights users have under the GDPR are aligned with the primary principles of transparency, security and accountability. These rights help the owner's of personal data hold businesses accountable by providing streamlined processes that hand back control of personal data to the people who own it.

These eight rights are:

  1. The Right to Be Informed
  2. The Right of Access
  3. The Right to Rectification
  4. The Right to Erasure
  5. The Right to Restrict Processing
  6. The Right to Data Portability
  7. The Right to Object
  8. The Right to Avoid Automated Decision-Making

Let's break down the rights expressed one-by-one to see what processes they involve and how you'll reflect them in your Privacy Policy.

1. The Right to Be Informed

1. The Right to Be Informed

The Right to Be Informed harkens back to the principles of transparency and accountability.

If you collect, process, or store personal data, then the data owner has a right to know the details related to those processes.

At a minimum, you need to provide clear access to the following information:

  • What types of data you process
  • Why you need it
  • What lawful basis underlines your processing
  • How long you intend to store the data
  • Whether you share the data
  • How data owners can learn more or exercise their rights

All this information comes together in your GDPR-compliant Privacy Policy.

A basic outline might look like Easyjet's Privacy Policy:

easyJet Privacy Policy Table of Contents

You can see the headlines reflect each piece of information that a user has a right to know about easyJet's data practices.

Within the policy text, you'll need to be specific about the practices covered. You don't need to outline every single detail of each process, but you do need to provide at least general categories and explanations.

Here's a look at a clause in Ryanair's Privacy Policy that explains what personal data the company collects:

Ryanair Privacy Policy: What personal data we collect clause

Ryanair shares information about the types of data it processes right away within its Privacy Policy. You don't need to hunt around or guess. It spells out every category of data it may collect and does so in an easy to follow list format.

2. The Right of Access

2. The Right of Access

The GDPR allows users to ask about any of their personal data and request information or access to it. Article 15 covers all the issues related to right of access and dictates companies provide access to the following information:

GDPR Info Article 15: Right of access by the data subject

You will need to give your data subjects access to the following information:

  • The purpose of processing the data
  • Categories of personal data that are processed
  • Any third-parties (specifically or categorically) that may have the data shared with them
  • If possible, how long the data will be stored. If not possible to be specific, disclose what criteria you will use to determine the storage period.
  • That users have the right to request rectification or erasure of data, or a restriction of processing the data
  • That users have a right to file a complaint about your practices with a supervisory authority
  • Whether you obtain user's data from any indirect sources when the data isn't obtained directly from them
  • Whether you engage in any automated decision-making with the data

What is your role in upholding this right?

Your job is to facilitate your users' ability to access their own data by answering questions about your data use. You do not have to provide in-depth answers about proprietary practices, but you do need to provide concrete answers about the individual's data.

As a business, you need to make providing these answers easy both under the law and for your own sake.

Begin the process by publishing a complete and detailed Privacy Policy that answers as many questions as possible about your general data processing measures.

To answer specific questions users have about how you process their unique data, you need to provide the necessary contact details in your Privacy Policy for users to get in touch with you.

The University of Leeds, located in the UK, adds a section for queries and complaints to its Privacy Policy:

University of Leeds Privacy Policy: Queries and complaints clause

Section 11 directs users to the University's Data Protection Officer so that their queries reach the individual who can answer them quickly.

3. The Right to Rectification

3. The Right to Rectification

Data accuracy is a fundamental principle in the GDPR's new legal landscape. "Accurate" isn't defined in the context, but a simple explanation falls under the understanding of the consumer's right to rectification of their data.

In the event that you find that data you have is inaccurate or misrepresents the facts, then you need to correct it. Data subjects also have the right to ask you to correct their data.

This is a user's Right to Rectification and it's highlighted in Article 16:

GDPR Info Article 16: Right to rectification

Data rectification requests may be rare, particularly in cases where users hand over their own personal data and have access to means (like profile settings) to update the information themselves. However, the GDPR requires you to be ready to meet those requests.

In most cases, it is enough to direct data rectification requests to your data protection team or the person responsible.You should also include the individual's right to rectification in your Privacy Policy.

Sinead Kennedy, a physical therapist and pilates teachers, uses a Privacy Policy that states that she is in control of the data policies for her business. She notes the right to rectification in her Privacy Policy and provides a method of contact in the same clause.

Sinead Kennedy Privacy Policy: Right to rectification clause

Alternatively, you can simply include it in a list of rights as The Marker Hotel does:

The Marker Hotel Data Privacy Notice: GDPR User Rights clause

Be sure to let your users know who to contact to utilize their rights by noting at the very least who the data controller is. Ideally, you should provide contact details as well.

4. The Right to Erasure

4. The Right to Erasure

Out of all the designated user rights, it is Article 17, the Right to Erasure, that tends to get the most attention.

Why? Because it is one of the longest of the texts and the most complicated. It is also based on an existing legal precedent.

The Right to Erasure is also known as the "right to be forgotten." Both were already legal principles in the European Union, but the legislators behind the GDPR added it for emphasis.

The Right to Erasure doesn't automatically guarantee a data owner erasure of his data. In fact, you're allowed to refuse erasure requests unless the request features one of the following characteristics:

  • You no longer need the data for processing
  • You no longer have consent from the user
  • You do not have a lawful basis for processing the data
  • You have a legal obligation to erase the requested data
  • You do not have a claim that erasure damages your legitimate interests

One of the ways to think about Right to Erasure is by looking back at all those emails you received in May 2018 requesting consent to continue to email you.

If you hold an individual's email address and they ask you to remove it from your marketing activities database, then you need to delete it.

If a user no longer wants to receive emails from you, then you (1) no longer need the data for processing, and (2) lost consent from the user to process the data.

On the other hand, if a user requests that you remove their email from your database but they still have open orders, then you can refuse if you need their email to contact them about their order. You might agree to delete it after the transaction is complete, but in the meantime, you have a legitimate legal basis for processing their data.

Because users have this right, you'll need to explain it in your Privacy Policy.

Fortune created a Privacy Policy specifically for users from the EU, EEA, Australia, and New Zealand. It covers the right to erasure in its general "rights" section:

Fortune Privacy Policy: Data Subject Requests clause

You'll notice that each right is listed here including methods for exercising those rights and lodging complaints.

The Irish Times includes a clause in its Privacy Policy that allows the company to protect itself by noting that "these rights are in some circumstances limited by data-protection legislation."

The Irish Times Privacy Policy: Excerpt of Your Data Rights clause

The note gives the site leeway to reject requests when it is lawful to do so without being liable for denying the claim, and lets users know that the rights aren't absolute but do come with some limitations in some instances.

5. The Right to Restrict Processing

5. The Right to Restrict Processing

The Right to Restrict Processing provides users with an alternative to requesting erasure of their data. Instead, it allows them to request that you refrain from processing their data. Article 18(1) provides the details:

GDPR Info: Article 18 Section 1: Right to restriction of processing

Restricting data use gives users who do not qualify for data erasure another option. They may also request it during the intermediary period when a company processes their request for their right to be forgotten.

The right to restriction sounds damaging for companies, but using it also helps you avoid violating GDPR rights. For example, if a user submits a right to rectification and you cannot comply within the next 90 days, then restricting processing is a good way to avoid processing contested data in the meantime.

Here's how Tesco, an EU-based retailer, describes users' right to the restriction of data:

Tesco GDPR Data Subject Rights: Restriction of use summary clause

Consider adding a policy that allows you to move restricted data out of your general system to make it temporarily unavailable for processing.

If you ultimately restore the data to the general database, your data controller must inform the data subject before lifting the restriction.

As with other rights, you can convey the right to restriction within your Privacy Policy. Be sure to add contact details to provide a straightforward way for EU citizens to contact you to exert this right.

6. The Right to Data Portability

6. The Right to Data Portability

Article 20 of the GDPR allows users to request a copy of their personal data from data controllers under certain circumstances.

GDPR Info: Article 20 Section 1: Right to data portability

Because Privacy Policies only describe the types of data a processor might collect, the EU considers it important that data subjects know precisely what is collected from them, specifically and individually. Additionally, it allows users to see whether the service they receive is the best available. Portability fosters competition in the digital world, which provides users even more control of their data.

Note that data portability isn't mandatory unless you use one of two legal bases for processing - consent or contract - and your processing is carried out by automated means.

To work with the right, you'll need to have a policy for recognizing and recording requests for data portability. You'll also need to understand when it is possible to refuse a request and what you must share with the data subject when you decline.

When you share data, you'll need to do so in a commonly readable format using secure methods.

7. The Right to Object

7. The Right to Object

Under Article 21, users have the right to object to the processing of their data. The right is a limited one, and users can only utilize it when the lawful basis of processing falls under (e) or (f) of Article 6(1) of the GDPR:

GDPR Info Article 6 Section 1 excerpt: Lawfulness of Processing

There's only one other time when a data subject may object - when the processor uses data for direct marketing purposes. If you use the data for marketing, then the data subject may object at any time and you must comply with the objection and cease marketing communications.

It is likely that the bulk of the right to object requests the average business receives will relate to direct marketing. Although the process sounds strange, you likely already allow users to object in your current practices. Adding an "Unsubscribe" button to marketing emails is a form of allowing customers to object.

It's a good idea to add this clause to your Privacy Policy, particularly if you process data for direct marketing.

Waitrose - a UK retailer - adds the right to object both directly and indirectly to its Privacy Notice. The most pertinent section refers to direct marketing practices:

Waitrose Privacy Notice: How can you stop the use of your personal information for direct marketing clause

It also adds the word "object" under several clauses in the section "What are your rights over your personal data?" as seen here:

Waitrose Privacy Notice: What are your rights over your personal data clause excerpt

Make it clear that your users have rights to unsubscribe, opt out and revoke consent.

8. The Right to Avoid Automated Decision-Making

8. The Right to Avoid Automated Decision-Making

The final user right appears in Article 22.

It says that the data subject can object to decisions made on automated processing or profiling that produce legal effects or other significant effects.

Puzzled? You're not alone. The guideline is a confusing one, and it may not apply to your business.

First, you need to understand what the GDPR means by profiling. It includes three parts: automated processing, personal data, aim of evaluating personal aspects. The processing does not need to infer anything. It only needs to process data in this way.

What might profiling look like? It happens when a bank uses a software application to weigh an applicant's credit score prior to approving a mortgage loan.

The GDPR doesn't say profiling is no longer allowed. However, it does allow data subjects to appeal to receive a process that includes human involvement. The involvement of a person in a decision cannot be a token gesture. They need to do more than hit a button. It must be a meaningful way for a data subject to challenge automated decisions.

To comply with the GDPR, you'll need to:

  • Audit any activities that feature automated-decision making or profiling
  • Have a process in place to allow users to exercise their right to human intervention
  • Share changes in the policy throughout your organization
  • Document all changes and processes to provide evidence of compliance

Don't forget to share the option to challenge automated-decision making in your Privacy Policy and include any practices you use that fall under this category.

The Irish Blood Transfusion Service includes a reference to this in its Privacy Policy:

Irish Blood Transfusion Service Privacy Policy: GDPR User Rights: Objecting to automated decision making and profiling clause

Although the organization does not use wholly-automated decision making, it still expresses the right to users.

Summary

The GDPR affords users eight rights under the law. Some of these rights pre-date the legislation and serve as existing legal principles, and others existed as common sense data practices.

However, this is the first time each is codified under one sweeping piece of legislation.

How will your organization remain compliant and avoid the huge fines associated with GDPR violations? Start by following these steps:

  • Use your Privacy Policy to inform users of their eight rights
  • Provide contact details to make exercising their rights simple
  • Respond to user requests within the timeframe laid out in your Privacy Policy
  • Verify user IDs when necessary to confirm the identity behind the request

And remember: Not every right will apply to every data subject and every business in every instance. Make sure to familiarize yourself with the requirements of each right and whether or not you need to facilitate your users exerting each one.