The Regulation aims to strengthen the rights of individuals. It does so by retaining rights that already exist under the Data Protection Directive and introducing the new rights of data portability, the right to be forgotten, and certain rights in relation to profiling. In this chapter we look at each of these rights in turn and assess the likely practical impact that the changes brought about by the Regulation will have on organisations.
Clearer information provision
Consumer groups often complain that information notices are too long and difficult for consumers to understand. This issue has become more significant as personal data is now collected in a variety of different situations (for example through mobile devices and the internet of things), where the nature of data collection and processing is less obvious. The Regulation requires controllers to tell individuals how their information will be used in clear and plain language, adapted to the individual data subject. For example, if information is being collected from a child, the language of the notice must be such that a child can understand it.
The information notice must contain the following:
- The identity and contact details of the controller; any representative of the controller; the data protection officer; and any recipients, or categories of recipients of the personal data
- The purposes of the processing including the key contractual terms if the processing is based on a contract between the controller and the individual, or whether the processing is based on legitimate interests
- The period for which the personal data will be stored
- The nature of the rights available under the law, including the contact details of the relevant supervisory authority
- Where applicable, if the personal data is to be transferred to a third country, the level of protection afforded by that third country by reference to an adequacy decision
- Sources of the personal data
- Any further information to ensure that the processing of the personal data is fair.
In addition, where information is collected directly from a data subject, the controller must also tell the data subject whether the provision of personal data is obligatory or voluntary, as well as the possible consequences of failing to provide such data.
The right of subject access
The right of subject access permits individuals to request the personal data that is being processed by the controller. The Regulation makes some additions to the detailed information to be provided in response to a request, and also makes some procedural changes:
- Controllers must put in place a process for dealing with requests
- Where a request is made in electronic form, the information must be provided in electronic form, unless the data subject requests otherwise
- Controllers may no longer charge a fee unless the request is ‘manifestly excessive’, for example where it is repetitive in character. The onus is on the controller to demonstrate the manifestly excessive character of the request
- The controller must provide the requested information within one month of receipt of the request. This is less time than allowed by some Member States at There is potential for an extension period, but it only applies in very limited circumstances.
The right to rectification
The Regulation retains, with very little change, the right to obtain from the controller rectification of inaccurate personal data and completion of incomplete personal data, including by way of a supplementary corrective statement.
The right to object
The Regulation broadens the current right to object to data processing. In particular, a data subject is always entitled to object to processing carried out on the basis of a legitimate interest of the controller or for the purposes of direct marketing, without needing to indicate any specific justification.
The right to be forgotten and to erasure
The Regulation gives data subjects the right to have their personal data erased, provided that certain conditions are met. In particular, the data must be erased when:
- it is no longer needed for its original purpose
- the data subject withdraws consent and there is no other legitimate basis for the processing
- the data subject objects to the processing
- a court order rules that the data must be erased
- the processing is unlawful.
This right to be forgotten was one of the most controversial aspects of the Regulation when it was first published, not least because the practical limits on a controller’s obligation to delete data were unclear. Following the decision in Google v Costeja, the right to have data erased no longer represents such a dramatic change, but it remains to be seen what the extent of the obligation will be as the Council draft proposes a number of limits.
The right to data portability
The Commission Draft gives individuals the right to have a copy of their personal data in a commonly used electronic and structured format that allows for further use, including by other data controllers. This right raises both practical and commercial issues for most controllers, and the Council draft proposes the right shall apply only to data that was provided by the data subject to the data controller.
Profiling
Profiling is discussed in more detail elsewhere in this publication. Briefly, under the Regulation the data subject will have the right not to be subject to a decision entailing the evaluation of personal aspects relating to him, based solely on automated processing and having direct legal effects on (or otherwise affecting) him. In general such profiling will require explicit consent from the individual, although there are some exemptions.
Likely practical impact
The accountability approach built into the Regulation means that organisations must be able to demonstrate that they have procedures in place for dealing with their obligations to data subjects. In addition to creating such processes, organisations will need to review their existing information notices to assess whether they contain all necessary information, and whether this information is easily understood. Some organisations may already be operating to a higher standard in some countries because of provisions under their local law. An advantage of the Regulation, therefore, is that controllers will be able to have identical notices across Member States.
The new rights to erasure and data portability will almost certainly require IT system changes. The detail of these changes is not settled yet, but given project lead times organisations may need to start alerting their IT teams to the forthcoming need for these changes.
What to do now
- Review current information notices to ensure that they are accurate, comprehensive, and up to date. Consider whether any additional information will be required under the Regulation, and whether the language is sufficiently clear for the target audience.
- Consider whether you need to create procedures for handling requests from data subjects to exercise their rights.
- Identify your current profiling activities and assess whether they meet the requirements of the Regulation.
- Consider how to implement appropriate consent request mechanisms for profiling.
This entry is an excerpt from Hogan Lovells’ “Future-proofing privacy: A guide to preparing for the EU Data Protection Regulation.”