GDPR: BALANCING BETWEEN DATA SUBJECT RIGHTS AND LEGITIMATE GROUNDS OF PROCESSING
GDPR: Economy and social life have rapidly changed upon the rapid, immense and continuously evolving global technological developments that our societies have experienced in the past few decades.
Along with benefits emanating from these technological advancements, some problems surfaced making the need of their regulation imperative. This challenge of our constantly advancing world comes in the form of the sensitive issue of how globalization and technology affects personal data. The gathering and sharing of personal data come at an unprecedented scale as natural persons increasingly, and at the same time carelessly, make their personal information available publicly online on various global platforms. On the same note, private companies and public authorities make a – sometimes uncontrollable and reckless – use of such personal data in pursuit of their enterprises.
It became apparent that these developments should be counteracted with a strong and coherent framework within the Union and backed by strong enforcement. Exercising control over these advancements would be instrumental in fostering the trust that would allow the digital economy to develop across the internal market. Furthermore, it would enhance legal and practical certainty for the benefit for natural persons, economic operators and public authorities. The need for a new legal instrument to govern the rapidly advancing technologies and facilitating the flow of personal data became of outmost importance.
The General Data Protection Regulation (GDPR) was enacted on the 25th of May 2018 with the aim to deal with all the abovementioned issues and applies to every country of the European Economic Area (EEA). Through it, the EU aimed to set up the parameters of how the data of its data subjects is to be treated and ultimately protected. The importance of the protection of personal data is further demonstrated by the fact that it is already established as a fundamental right under Article 8 of the Charter of Fundamental Rights of the European Union and Article 16 of the Treaty on the Functioning of the European Union.
The GDPR offers protection to all individuals who are considered as 'data subjects', a broad term that encompasses any identified or identifiable natural person. More precisely, an identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifiably quality such as a name, an identification number, location data, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person. All these indicative characteristics are considered as ‘personal data’.
Therefore, every EEA citizen is deemed as a data subject and already enjoys the benefits under the GDPR. In order to help you navigate within the extensive legal framework of the GDPR, this article aims to briefly explain your rights as a data subject and at the same time explain on what instances organizations and public authorities are eligible of processing of your personal data without your approval.
Data Subject Rights:
As a Data Subject, you are empowered with the following 7 rights:
- the right of access;
- the right to rectification;
- the right to erasure;
- the right to the restriction of processing;
- rights concerning automated processing and profiling;
- the right to data portability; and
- the right to object.
1.The right of access
This is ultimately your most important right as it enables you to request an entity that is in control of your data (a “Data Controller”) to provide you with a detailed record of all the information they have on you, how this information is stored, who it is shared with, the method by which it was collected and to justify the purpose for which it is currently being processed and stored for. Verification of the lawfulness of the process of your personal data is vital. Furthermore, the GDPR imposes strict and elaborated rules on the manner in which a Data Controller must deliver the requested information, and according to Article 12 of the GDPR this must be in a “concise, transparent, intelligible and easily accessible form”.
2. The right to rectification
This right grants you the power to request an entity which controls your data to modify any incorrect, inaccurate or incomplete information within a reasonable timeframe. More specifically, the controller is obligated to rectify the personal data without undue delay, not exceeding one month from the receipt of the request in question.
3. The right to erasure
Or sometimes known in the press as the “right to be forgotten”, it is considered as one of the basic rights of the European data protection legislation. This means that you have the right to request for your personal data to be erased-deleted if there is no compelling reason with the continuance of its processing. This right can be exercised in cases where your data is continued to being processed or stored despite no longer fulfilling the purpose for which it was originally collected for. Alternatively, it can be applied in cases where your consent has been withdrawn or serving under an unlawful processing. Controllers, must respond without undue delay.
4.The right to restrict processing
This right enables you to request from an organization to stop processing your data if you believe it to be incorrect, until it has been verified. During this process the organization has the right to continue storing your data.
5. Rights concerning automated processing and profiling
This right is aimed to reflect the issues arising from modern digital developments and direct marketing systems. In this regard, profiling can be related to any kind of decision-making that occurs automatically and thus bypasses human intervention. You have the right not to be subject to a decision based solely on automated processing, which may include profiling, which produces effects of significant legal nature. As a data subject, you are not required to take active steps in order to exercise the right as it exists ipso facto. Additionally, the data subject shall be given the opportunity to exercise this right at any time and free of charge.
6. Right to data portability
The main aim of this right is to empower data subjects to move, copy or transmit personal data easily from one Data Controller to another. Moreover, the right facilitates switching from one service provider to another, thus enhancing competition between services (by making it easier for individuals to switch between different suppliers). In more practical terms, this right enables individuals to request copies of their data transmitted to another controller. The scope of this right, though, is limited to the personal data concerning the individual and which the individual has provided to a controller. This includes pseudonymized data only if it can be clearly linked to a data subject. The right to data portability does not apply to processing necessary for the performance of a task carried out in the public interest or in the exercise of official authority vested in the controller.
7. The right to object
A controller must have a lawful basis for processing personal data. Where that lawful basis is either ‘public interest’ of ‘legitimate interests’, data subjects may have the right to object to such processing. This includes profiling, as well as processing of your data for purposes related to marketing, statistical, scientific, or historical research. The GDPR requires the organization to demonstrate that it either has compelling grounds for continuing the processing, or that the processing is necessary in connection with its legal rights. If it cannot demonstrate that one of these apply, it must cease that processing activity immediately. The objection to processing does not make the processing before the request illegal, however, the controller shall no longer process the data, provided that there are no more legitimate grounds for processing.
The Data Controller must at all times balance the fundamental rights of the data subjects with the purposes of the processing.
When the data subject feels that his/her personal data has been processed in a way that does not meet the GDPR, he/she has a specific right to lodge a complaint with the Supervisory Authority of his/her country. The said Authority in Cyprus is the Information Commissioner’s Office and can be contacted through here: http://www.dataprotection.gov.cy/dataprotection/dataprotection.nsf/contact_en/contact_en?opendocument
Moreover, in case the controller intends to transfer personal data to a third country or international organization outside the EEA, the below details shall always be provided to the data subject:
- The period for which the personal data will be stored;
- The existence of the right to request from the controller access, erasure, restriction or objection to processing as well as the right to data portability;
- Where the processing is based on consent, the right to withdraw consent at any time, without affecting the lawfulness of processing based on consent before its withdrawal; and
- The right to lodge a complaint with a supervisory authority.
Legitimate Grounds for Processing/Legal Bases:
It is important to emphasize that these rights are not absolute and there are specific grounds under which a controller can continue legitimately the processing of personal data. This may only be allowed where it is lawful and to the extent that at least one of the following legal bases for processing, applies.
Organizations may need to continue processing data to meet other legal and regulatory obligations and, in those instances, regardless of your disagreement, you may not have the right to legally object to it. In these situations, your right to erasure and to object to processing are automatically impacted, as they cannot be exercised at all. Not to mention that the right to erasure is not available to data subjects in case where such erasure could cause, third parties or the controller itself, any harm. Furthermore, in order to exercise the right to rectification the burden of proof, to demonstrate that the data processed is inaccurate, falls on the data subject’s shoulders.
Whilst the GDPR primarily aims to enshrine the rights of data subjects, it also provides clear guidelines on how organizations shall conduct their operations to ensure new levels of data protection. Article 6 of the GDPR outlines the lawfulness of processing providing six distinct legal bases to controllers which they can rely upon, as to lawfully process personal data.
1. Consent
In order to rely on consent, an organization must make sure that the individual’s approval is given by a clear affirmative act establishing a freely given, specific, informed and unambiguous indication of his/her agreement with the processing. Consent is always given in a freely-given manner, for it to be informed and unambiguous regarding the specific processing activity and to enable the individual to withdraw or refuse it at any time. This route of justification is usually suitable to validate the processing of personal data for marketing purposes.
2. Performance of a Contract
Another common justification is that processing is necessary for the performance of a contract to which the data subject is party. Utmost account shall be taken of whether, inter alia, the data processed is directly applicable and related to the contract in question. In other words, organizations cannot coerce individuals into giving consent for additional data processing beyond what is needed for performing the contract. Yet processing in pre-contractual relationship is legitimate as long as it is in order to take steps at the request of the data subject prior to entering into a contract.
3. Legitimate Interests
The processing is necessary for the purposes of the legitimate interests pursued by the controller or by a third party. The requirement that no interests or freedoms of the data subject are infringed (especially where the data subject is a child) through this processing negates the abuse of this basis by an organization.
4. Legal Obligations
The processing of personal data as part of organizations’ compliance with their legal and regulatory obligations under EU or Member State law constitutes lawful processing of personal data.
5. Public Interest
The processing is necessary for the performance of a task carried out in the public interest or in the exercise of official authority vested in the controller. Notably, the permission to carry-out processing data is officially accredited to the controller and the data subject’s right to object is undermined. However, the GDPR counterbalances the latter by stating that processing of this kind must be of absolute necessity and that no alternative route exists in each particular situation.
6. Vital Interests
Lastly, an organization is enabled to process personal data without the direct consent of an individual in situations where it is necessary to do so in order to protect the vital interests of the data subject or of another natural person. Once again, this basis must be relied upon only when it is absolutely necessary and is inapplicable when a subject is in condition to offer valid consent. This basis is to be used predominantly for emergency medical care or in large-scale disasters.
The first two legal bases, that of consent and performance of a contractual relationship, indicate the overriding importance of the rights of individuals. The remaining four bases indicate that the rights of data subjects and their autonomy over their personal data can be overridden in few and specific situations. Any limitations, however, are counterbalanced by the fact that there should always be an absolute necessity.
All aforementioned legal bases go hand-in-hand with the principle of minimization under which organizations are able to demonstrate that they have appropriate processes to ensure that they only collect and hold adequate, relevant and limited data to what is necessary in relation to the purposes for which they are processed.
How we can help:
The landscape of the GDPR is of complex nature with nuances and specified legal terminology. Pelecanos & Pelecanou Law Firm, with extensive legal expertise, can assist you in exercising your rights successfully under the GDPR. For more information, please feel free to contact us: info@pelecanoslaw.com.
