The privacy regulation (Regulation (EU) 2016/679) will be soon directly applicable on the entire European territory. Companies, public administrations and private citizens are in the final rush to comply with the dispositions of the new legislation. In order to make it easier to understand a complex and articulated text such as the GDPR, we propose hereinafter a collection of simple factsheets, structured with a Q&A formula, that starting from known privacy concepts, give a first and brief guidance to the reading of the new legislation.
What are the rights of the data subject?
The data subject, namely the natural person whose personal data are processed, has a number of rights, which he/she can exercise with the data controller at any time and which allow him/her to keep control of the data provided and their use.
These rights, many of which were already provided for by the Italian privacy Code, are for instance: the right of access (which gives data subjects the right to obtain confirmation of whether the controller is processing their personal data), the right of rectification (on the basis of which data subjects are entitled to require a controller to rectify any errors in their personal data without undue delay); the right to object to processing (on the basis of which data subjects have the right to object to continued data processing under specific circumstances).
What changes with the GDPR?
The GDPR expands the list of rights by adding to it: the right to erasure (the right to be forgotten); the right to restriction of processing and the right to data portability.
From the data controller’s point of view, he/she remains responsible for facilitating data subjects’ exercise of their rights (by adopting all appropriate technical and organisational measures) and for answering their requests (with the possible collaboration of the data processor).
In particular, for all rights the GDPR sets the deadline for answering data subjects’ requests at one month, which can be extended up to 3 months, in consideration of the complexity and number of requests submitted. At any rate, the data controller must also give a written answer to the data subject in cases of denial within one month of the request. The answer, usually given in written form, must be concise, transparent and written in plain and clear language.
What is the right to erasure (the right to be forgotten)?
The right to be forgotten states that data subjects have the right to require data controllers to erase the personal data they hold.
However, the right to be forgotten cannot be exercised in every circumstance, but only when one of the specific conditions listed in art. 17 of the GDPR occurs. The conditions are those in which:
1) the personal data are no longer necessary for the purposes for which they were collected or otherwise processed;
2) the data subject withdraws consent on which the processing is based and where there is no other legal ground for the processing
3) he/she objects to the processing and there are no overriding legitimate grounds for the processing
4) the personal data have been unlawfully processed;
5) the personal data have to be erased for compliance with a legal obligation (in Union or Member State law to which the controller is subject);
6) the personal data have been collected in relation to the offer of information society services, when the data subject was still a child (therefore he/she was not fully aware of the risks deriving from the processing of his/her data).
In addition, with the obligation to comply with the data subject’s request for erasure, in one of the above mentioned situations, the data controller must fulfil another obligation. In digital environments, the circulation and spread of information have a significantly wider scope compared to their circulation in the physical world. For this reason the GDPR has provided that where the controller has made the personal data public (e.g. on a website), he/she shall (take reasonable steps to) inform controllers which are processing the personal data that the data subject has requested the erasure by such controllers of any links to, or copy or replication of, those personal data.
The only limits to the right to be forgotten are considered in cases where the right of the data subject to obtain the erasure of his/her personal data are overridden by higher interests. For instance to the extent that data processing is necessary for exercising the right of freedom of expression and information or for compliance with a legal obligation, or it is necessary for the performance of a task carried out in the public interest. The right to be forgotten may also be denied in cases where the storage of data is necessary for the establishment, exercise or defence of legal claims.
What is the right to restriction of processing?
The exercise by the data subject of this right, in fact allows him/her to “restrict” the processing of his/her data in some situations and provides him/her with an alternative to requiring data to be erased, namely, the data subject requests the temporary suspension of processing.
The right to obtain a restriction of processing can be exercised when:
1) the data subject disputes the accuracy of his/her personal data and so requests restriction of their utilisation for a period in which the data controller will be able to verify their accuracy;
2) the processing is unlawful, but the data subject objects to erasure of the personal data and requests restriction of their use instead;
3) the controller no longer has need for the personal data for the purposes of processing, but the data subject requires them to establish, exercise or defend legal claims;
4) the data subject has objected to processing and the restriction of processing is implemented pending verification of whether the legitimate grounds of the controller override those of the data subject.
What is the right to data portability?
The right to data portability is a right with a double content. Firstly, it consists in the right of the data subject to receive the data in a structured, commonly used and machine-readable form. There is no express indication of the type of format to be used, but it is evident that the objective is that of assuring that the data are provided in an “interoperable” format, which allows easy re-use across a variety of devices and services.
In addition, the right to data portability represents the right to transmit (but also to obtain the direct transmission of) those data to another data controller (“when technically feasible”), without the “original” controller being able to hinder this. In other words data controllers must provide the conditions for data subjects to be able to easily and without hindrance transfer their personal data from one IT system to another.
The right to data portability cannot be exercised unconditionally either, but only when the personal data fulfil a number of conditions. In particular they must be:
1) personal data provided to a controller clearly referring to the data subject (obviously anonymous data are excluded);
2) processed based on the data subject’s previous consent or for the performance of a contract, to which the data subject is party;
3) processed by automated means;
4) provided to a controller by the data subject. This condition needs to be interpreted broadly, so that the right is not limited to the data knowingly and actively provided by the data subject (e.g. data collected from a subscription form), but also covers data provided by the use of a service or device (e.g. location data, traffic data or the data subject’s search history).
It is vital to point out that, in contrast, the right to data portability cannot be exercised on so-called derived or inferred data, namely the product of analysis carried out by the data controller based on the data provided by the data subject. These are data “created” by the data controller, which he/she keeps (e.g. the outcome of a data subject’s health assessment or a profile created in the context of risk management (e.g. to assign a credit score) or of complying with anti-money laundering (or other financial crime) legislation.