Successfully reported this slideshow.
We use your LinkedIn profile and activity data to personalize ads and to show you more relevant ads. You can change your ad preferences anytime.

Lecture 2 data subject rights


Published on

data subject rights

Published in: Education
  • Be the first to comment

  • Be the first to like this

Lecture 2 data subject rights

  1. 1. A quick recap of Lecture 1 • The GDPR comes into full force May 25, 2018 • Underlying principle: Protection of personal data is a fundamental right • Individual data subjects have fundamental rights • Organizations that handle personal data are responsible to provide for data subjects’ rights • Several key changes will affect business practices
  2. 2. Lecture 2 Data Subject Rights Individual Rights Under the EU Regulation
  3. 3. In this lecture, you will learn: 1. What data protection rights do individual have? 2. What are exceptional contexts for data processing? 3. What are Pseudonymization and Anonymization?
  4. 4. But first, what is a “Data Subject”? The term is found within the definition of “Personal data” in Art. 4(1): • "Personal data" means any information relating to an identified or identifiable natural person ("data subject")
  5. 5. Data Subject Rights • The EU’s new data protection regulation protects individuals’ right to control over their personal data: • Notification at the time of consent • Notification from data recipients • Access • Rectification • Erasure/right to be forgotten • Restriction of processing • Data portability • Right to object • Protection from profiling
  6. 6. Notification at the Time of Consent • All of the following information must be provided: • Identity and contact details of the controller and data protection officer • Purposes of data processing and legal basis of processing • Identity of data recipients or categories of data recipients • Whether the data will be transferred outside the EU, and protections in place
  7. 7. Notification at the Time of Consent (cont’d) • How long the data will be stored • Rights to access, rectification, objection to processing, erasure or restriction of processing, and data portability • The right to withdraw consent at any time • The right to complain to a supervisory authority
  8. 8. • Whether providing personal information is a statutory or contractual requirement, or necessary to enter into a contract; whether the data subject is obliged to provide personal data and the possible consequences if they do not • Whether automated or semi-automated profiling of data subjects will be used to make decisions affecting them; if so, a description of the logic of the profiling and its likely consequences for the data subject Notification at the Time of Consent (cont’d)
  9. 9. Notification from Data Recipients • Recipients of personal data need to notify data subjects within one month, at the time they first contact the data subject, or at the time they first disclose the personal data • Provide same data as required for notification at the time of consent, plus: • The categories of personal data concerned • The source of the personal data, and if it came from publicly accessible sources • Not required if the data subject already has the information
  10. 10. Right of Access • Data subjects have a right to know whether their personal data is being processed, and to access their personal data and information about how their data is processed
  11. 11. Right to Rectification • Data subjects have a right to rectify incorrect or incomplete personal information
  12. 12. Right to Erasure/Right to Be Forgotten • Data subjects have the right to request that their personal data be erased: • where it is no longer necessary for the original purposes • where the data subject withdraws consent or objects to the processing • Where the data controller has made the data public, the service provider must also take reasonable steps to request the erasure of copies or links to the data
  13. 13. Right to Restriction of Processing • Data subjects have a right to request the restriction of processing of their personal data: • Where the accuracy of the data is contested (until the service provider can verify the data) • Where the service provider no longer needs the data but the data subject needs them for legal purposes • Where the data subject has objected to the processing
  14. 14. Right to Data Portability • Data subjects have the right: • To receive their personal data in an accessible format • To send it to another service provider • Where technically feasible, to have it sent directly to another service provider
  15. 15. Right to Object • Data subjects have a right to object to processing of their personal data without their consent, and to have processing stopped • Data subjects have the right to object to processing for direct marketing purposes and to have this processing stopped at any time
  16. 16. Protection from Profiling • Data subjects have a right not to be subject to significant decisions affecting them based solely on automated profiling • Exceptions: • Profiling is necessary to enter into or perform a contract between a data subject and service provider • Data subject has given explicit consent
  17. 17. Exercise of Data Subject Rights • Controller must take action on requests within one month; may be extended by two months taking into account the complexity or number of requests • If extended, controller must provide notice and reasons for delay • When the request is made via electronic form, information will be provided in electronic form where possible, unless data subject requests otherwise
  18. 18. Exercise of Data Subject Rights • When requests are denied, controller must provide notice within one month and reasons for denial, as well as the possibility of lodging a complaint with a supervisory authority and seeking a judicial remedy • Responses to requests will be free of charge, except where requests are manifestly unfounded or excessive, in which case a reasonable fee reflecting administrative costs may be charged, or the request may be denied
  19. 19. Exceptional Contexts • The Regulation names several contexts in which restrictions on data processing may differ, including: • Freedom of expression and information (EU member state laws may provide exemptions from data protection requirements) • Employment (EU member states may pass additional laws) • Archiving and research (anonymization and pseudonymization are encouraged)
  20. 20. What is pseudonymization? • Separating personal data that could identify an individual from that which could not • E.g., performance of investment portfolios (non-identifiable) vs. customer transaction records (identifiable) • Identifiable personal data should be protected by stronger safeguards, and available to only those staff that need it • Pseudonymization is a data protection measure strongly recommended by the Regulation
  21. 21. What is anonymization? • To alter personal data such that it can no longer be traced to a specific individual • Aggregate data • Eliminating unique identifiers and unique profiles • When data is effectively anonymized, it is no longer considered personal data and is no longer protected by the Regulation
  22. 22. Reflection Questions: Data Subject Rights • Do we provide data subjects with all of the required information at the time of consent? • Do data subjects know that we receive their data from other organizations? • Do we have procedures for individual access to data, rectification, erasure, and restriction of processing? • Are we able to provide data subjects with a copy of their data, or transfer it to other service providers? • Do we use automated profiling only with explicit consent or based on a contract?