Basic rights regarding personal data under the GDPR
With the entry into force of the EU General Data Protection Regulation (GDPR) on 25 May 2018, EU citizens and certain other individuals are entitled to 8 basic rights in relation to their personal data. The regulation introduced significant changes to the legal framework that all organizations must follow when handling the personal information of EU citizens. These 8 rights are:
- The right to be informed - Organizations must be fully transparent in how they use an individual's personal data. The data receiver (the data processor) must notify the individual, before the data is collected, of the reason for collecting the personal information.
- The right of access - Data subjects have the right to know exactly what information is held about them, what data exists, how it is processed and stored, and for what purposes. This requires data collectors to keep track of all information and requests for that information.
- The right to rectification - Individuals can correct personal data if it is inaccurate or incomplete. This right to data correction also applies to all users and partners of the collecting organization.
- The right to erasure - Also known as the "right to be forgotten", this allows an individual to request the erasure or removal of their personal data without needing to give a specific reason why they want it permanently deleted. This also includes record retention policies for when data is permanently deleted.
- Right to restriction of processing - Data subjects have the right to block or terminate the processing of their personal data. EU citizens can indicate that they do not allow their personal information to be used for specific purposes.
- Right to data portability - Data subjects have the right to retain and reuse their personal data for their own purposes. Therefore, an individual has the right to move, copy or transfer their personal data from one organization (data controller) to another.
- Right to object - In certain circumstances, individuals have the right to object to the use of their personal data for certain purposes. This includes the use of personal data for marketing, scientific and historical research or to carry out a task in the public interest. Individuals have the right to object to being subject to public authorities or organizations processing their data without express consent.
- Rights to Automated Decision-making and Profiling - GDPR ensures that there are special safeguards that give people the right to determine for themselves when, how and what kind of information they want to communicate to others. In this sense, EU law guarantees citizens the right not to be subject to automated decision-making that may lead to legal consequences for them. Therefore, the individual has the right to require human intervention in all decision-making activities regarding their information.
These areas of control are within the remit of individual citizens and the Data Protection Officers (DPOs) of the various organizations and nations where the GDPR has legal effect.
The regional scope of the regulation is broad, as the rules apply not only to organizations that have an establishment in the EU but also to organizations that are not established in the EU, provided that they provide services or offer goods to persons in the EU or monitor the conduct of persons in the EU. This means that all non-EU organizations offering services or goods to individuals in the EU, or those individuals who are profiled in the EU, are subject to the GDPR.