Rights of Data Subjects
The rights of data subjects constitute the first component of the legislation on the protection of personal data, followed by the powers of the supervisory authority, administrative and judicial protection, and the sanction system.
Regulation 2016/679 transposes the overall system of Directive 95/46/EC on the rights granted to data subjects.
The subjects to whom the information refers (the so-called “data subjects”) see the basket of their rights expanded: in addition to the already known rights of access, integration, rectification and restriction, new rights are added. These are the right to be forgotten and the right to portability.
Violation of any of the rights of data subjects is sanctioned with administrative fines of «up to 20 000 000 EUR, or in the case of an undertaking, up to 4 % of the total worldwide annual turnover of the preceding financial year, whichever is higher» (Article 83.5).
Access Right 
Regulation 2016/679 refers to access as a general right of the data subject to acquire information: not only to be informed about the personal data concerning him that are processed by the Controller, but also to obtain (upon request) additional information ensuring correct and complete transparency regarding that processing (Article 15).
If, therefore, the notice can be considered the effect of the data subject's right to be informed, access is the manifestation of his right to inquire about the following aspects, which correspond to the contents of the notice:
the purpose of the processing;
the categories of processed personal data;
recipients or categories of recipients to whom personal data are communicated;
the retention period for the personal data or, if not possible, the criteria used to determine it;
the existence of the right to request the rectification or deletion of the data concerning him or the limitation of the processing or to object to their processing;
the right to lodge a complaint with the supervisory authority;
the source of the acquisition, if the data is not collected directly from the data subject;
the existence of automated decision-making processes, including profiling and significant information on the logic used, as well as the importance and consequences for the data subject;
in case of transfer of data beyond EU territories, the existence of adequate security measures.
Right to Rectification 
The right to rectification is contained in Section 3 of the GDPR. The related article is Art. 16 and it reads as follows:
“The data subject shall have the right to obtain from the controller without undue delay the rectification of inaccurate personal data concerning him or her. Taking into account the purposes of the processing, the data subject shall have the right to have incomplete personal data completed, including by means of providing a supplementary statement.”
This right requires the adoption of appropriate measures for the rectification of the personal data of the data subject, with the obligation to inform, where possible, any third party to which the data has been transmitted. It is therefore evident how important the control of the supply chain is, together with an appropriate census of all existing transfers of personal data to third parties.
Right to Erasure 
The data subject shall have the right to obtain from the Controller the erasure of his/her personal data in the following cases:
when it is no longer needed in relation to the purpose of collection [art. 17.1, a)]
when the consent has been withdrawn [art. 17.1, b)]
when the data subject objects to the processing [art. 17.1, c)]
when the data are unlawfully processed [art. 17.1, d)]
when the erasure derives from a legal obligation [art. 17.1, e)]
when the data was collected for the provision of an information society service in favor of a minor and with his consent [art. 17.1, f)].
Right to be Forgotten 
The right to erase personal data on the internet (right to be forgotten) is conceived as a specific form of the general right to erasure (Article 17.2).
The GDPR provides that if the data controller has «made the personal data public and is obliged (…) to erase the personal data», in accordance with the provisions of Article 17.1, he must «inform controllers which are processing the personal data that the data subject has requested the erasure by such controllers of any links to, or copy or replication of, those personal data».
This obligation must be executed “taking account of available technology and the cost of implementation” and adopting “reasonable steps, including technical measures”.
Right to be Forgotten: History 
The right to be forgotten had already caused a stir while Directive 95/46/EC was in force, because the ECJ recognized it as already existing in the well-known Google case. This prerogative especially concerns internet users, as a way to counter the fossilization of information in the timeless space of the web.
The ECJ found it unlawful that events long since passed can continue to be offered to the internet reader as news of the day, even though they are decontextualized and no longer topical; Regulation 2016/679 now provides precise regulatory support, through the provision contained in art. 17, without the need for interpretative reconstructions.
Right to Restriction of Processing 
In some circumstances, the data subject has the right to obtain a restriction of the processing (Article 18).
The right to restriction of processing can be exercised when one of the following applies:
the data subject contests the accuracy of the personal data, for the period required to verify the data accuracy [art. 18.1, a)];
the processing is unlawful and the data subject opposes the erasure and asks for restriction as an alternative [art. 18.1, b)];
with the processing ceased, the data subject needs the data to exercise his/her own right to trial [art. 18.1, c)];
the data subject has objected to the processing for legitimate reasons, pending the necessary verifications [art. 18.1, d)].
Portability Right 
Of particular importance is the new right to portability (Article 20), which gives the data subject the power to obtain his/her personal data from the Controller in an “open” format, easily usable on the most widely used platforms: another “bridge” between the world of data protection and the increasingly contiguous world of competition.
Where the legal basis of the processing is consent or the execution of a contract and the processing is carried out by automated means, the right to portability includes the right of the data subject to obtain the direct transmission of his personal data from one Controller to another, if technically feasible (Article 20.2).
Free Exercise of Rights 
The exercise of all data protection rights is normally free, both for the information provided and for the actions taken (Article 12.5).
 
The exception is the case where «requests from a data subject are manifestly unfounded or excessive, in particular because of their repetitive character», in which case the Controller may charge a reasonable fee based on the administrative costs incurred or refuse to process the request. In such a case, the burden of proof of the manifestly disproportionate nature of the claim is on the Controller.
If, in general, the Controller refuses to comply with the requests of the data subject, the Controller must inform the data subject of the reasons and of the possibility to file a complaint with the National Supervisory Authority and to apply to the ordinary judicial authority (Article 12.4).
Right to Object 
Where the processing is necessary for the execution of a public interest task or for the pursuit of a legitimate interest of the data controller or a third party, the data subject has the right to object to the processing of his/her personal data in the presence of legitimate reasons related to his/her particular circumstances.
As already provided in Directive 95/46/EC, the objection to the use of personal data for direct marketing purposes is fully discretionary (Article 21.2).