Rights of the data subject (citizen) under the GDPR

The GDPR protects and defines the rights that the data subject (citizen) has. What are these rights? There are a number of them. Let's take a closer look at them.


Right of access
Gives EU citizens the opportunity to check the lawfulness of the processing of their data. It is an almost absolute right, except where the processing is related to the interests and preservation of national and public security, defence and in legal proceedings.

Every citizen therefore has the right to know and be informed of the purposes of processing, the recipients to whom personal data have been or will be disclosed, and the period for which personal data will be stored.

In layman's terms: As a data subject, you should be able to know what the purposes of the processing of your personal data are, who will handle your personal data and why, for how long and where the data will be stored.

Right to rectification
If you subjectively or objectively suspect that your stored data is incorrect, you may ask the company to correct it. Taking into account the purposes of the processing, the data subject has the right to have incomplete personal data completed, including by providing an additional declaration. The controller should ensure that the conditions are in place for requests for rectification to be made online, in particular where personal data are processed by electronic means.

In layman's terms: If you feel that your stored data is incorrect, erroneous or incomplete, you must be able to reflect this doubt, ideally electronically, and the processor is obliged to check and, if necessary, correct it.

Right to erasure
This is a completely new right that obliges the data controller to erase the personal data of the data subject, i.e. the citizen to whom the data belongs, without undue delay. (In some cases where required by law, for example where the Accountancy Act requires the archiving of personal data for 10 years, you do not have to erase the data on request.)

You must delete the data if:

  • The personal data are no longer necessary for the purpose for which they were collected or processed.
  • The citizen withdraws consent where the processing is based on consent and there is no other legal basis for the processing.
  • The personal data have been unlawfully processed.
  • The personal data of a child have been processed without the required parental consent.
  • Erasure is required by a legal obligation under Union law or the law of a Member State.

In simple terms: When the purpose for which personal data were stored has been fulfilled, and the law does not require their further storage, the processor must erase the personal data. The processor must do the same if the data subject requests it or withdraws consent to processing, etc.

Right to be forgotten
This extends the right to erasure. If the data subject requests it, you are obliged to take reasonable steps to erase any personal data, references to it, copies of it, etc. However, there are a number of exceptions.

In order for the controller to be obliged to erase personal data, at least one of the following conditions must be met:

  • the personal data are no longer necessary for the purposes for which they were collected or otherwise processed,
  • the data subject withdraws consent and there is no further legal basis for the processing,
  • the data subject objects to the processing and there are no overriding legitimate grounds for the processing,
  • the personal data have been unlawfully processed,
  • the personal data must be erased to comply with a legal obligation,
  • personal data have been collected in connection with the offer of information society services pursuant to Article 8(1) of the General Regulation.

In layman's terms: Not only must you delete personal data if at least one of the above conditions is met, but you must also delete all backups and copies. Simply ensure that there is no remaining source of data belonging to the applicant (except where the law requires you to keep it). As if it never existed for your company.

Right to portability
This is essentially an extended right of access and can be exercised subject to two conditions that must both be met at the same time: 1. the processing is based on the citizen's consent or a contract, and 2. it is carried out by automated means.

In the case of automated processing of personal data based on consent or a contract, the person has the right to so-called portability of the data. This consists in the obligation of the controller to transmit to the data subject all the information processed about him or her in a structured, commonly used, machine-readable format. By exercising this right, the person gains greater control over his or her personal data and is also able to transmit it in the form thus obtained to another controller.

In layman's terms: If a data subject wants you to supply them with an extract of all their personal data that you handle and collect, you must, provided that you process it lawfully and by automated means, supply it to them in a structured, machine-readable format. The subject is then free to pass it on to another processor, even a direct competitor.

Right to object to processing
This means that if a particular person cannot exercise the right to erasure, the GDPR allows him or her to at least exercise the right to object and thereby force the company to restrict the processing of the data that are the subject of the objection. Companies must explicitly bring the possibility to object to the attention of the individual.

An objection may also be raised against the processing of personal data for direct marketing or profiling purposes. If the data subject objects to processing for direct marketing purposes, the personal data will no longer be processed for these purposes.

In layman's terms: If a person does not have the right to erasure, they can object to the processing straight away and, until the objection has been resolved, they can ask for the processing of their personal data to be restricted. See the next right below.

Right to restrict processing
This is also a new right for individuals under the GDPR. Ways to restrict the processing of personal data could include, but are not limited to, temporarily moving selected data to another processing system, making selected personal data unavailable to users, or temporarily removing published data from a website.

In automated processing systems, the restriction of processing should be ensured by technical means so that the personal data are no longer subject to any further processing operations and cannot be altered. The fact that the processing of personal data is restricted should be clearly indicated in the system.
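The two technical obligations above, restriction of processing enforced by technical means and clearly indicated in the system, and the portability export in a structured, machine-readable format, are easy to get wrong when a "restricted" flag is stored but nothing actually checks it. The following is an added example, not code from the original article or from gdpr.cz: a minimal in-memory record store in which the restriction flag is enforced at the data-access layer (restricted records are excluded from processing and cannot be altered) and a portability export is produced as JSON. All class, method and field names, the subject identifiers and the sample records are constructed for illustration.

```python
"""Added example (not from the original article): enforcing GDPR
restriction of processing at the data-access layer, plus a portability
export in a structured, machine-readable format (JSON).
All names and sample data below are constructed assumptions."""
import json
from dataclasses import dataclass
from datetime import datetime, timezone


class RestrictionError(Exception):
    """Raised when code tries to alter a record whose processing is restricted."""


@dataclass
class PersonalRecord:
    subject_id: str
    data: dict
    restricted: bool = False        # the restriction is clearly indicated in the system
    restriction_reason: str = ""    # why processing is restricted (e.g. pending objection)
    restricted_at: str = ""         # ISO-8601 UTC timestamp, kept for audit


class RecordStore:
    """Hypothetical store: every write and every processing read goes through here,
    so the restriction flag cannot be bypassed by callers."""

    def __init__(self):
        self._records = {}

    def add(self, subject_id, data):
        self._records[subject_id] = PersonalRecord(subject_id, dict(data))

    def restrict(self, subject_id, reason):
        # Restriction is recorded, not deleted: the data are kept but frozen.
        rec = self._records[subject_id]
        rec.restricted = True
        rec.restriction_reason = reason
        rec.restricted_at = datetime.now(timezone.utc).isoformat()

    def lift_restriction(self, subject_id):
        rec = self._records[subject_id]
        rec.restricted = False
        rec.restriction_reason = ""
        rec.restricted_at = ""

    def is_restricted(self, subject_id):
        return self._records[subject_id].restricted

    def update(self, subject_id, **changes):
        # Technical means: a restricted record cannot be altered at all.
        rec = self._records[subject_id]
        if rec.restricted:
            raise RestrictionError(
                f"{subject_id}: processing restricted ({rec.restriction_reason})")
        rec.data.update(changes)

    def records_for_processing(self):
        # Processing jobs (mailings, analytics, profiling) only ever see this view,
        # so restricted records are not subject to further processing operations.
        return [r for r in self._records.values() if not r.restricted]

    def export_portable(self, subject_id):
        # Portability: all data held on the subject in a commonly used,
        # machine-readable format; the restriction status is included
        # so the receiving controller is aware of it.
        rec = self._records[subject_id]
        return json.dumps({
            "subject_id": rec.subject_id,
            "personal_data": rec.data,
            "processing_restricted": rec.restricted,
            "restriction_reason": rec.restriction_reason,
        }, indent=2, sort_keys=True)


def attempt_update(store, subject_id, **changes):
    """Return True if the update was applied, False if the restriction blocked it."""
    try:
        store.update(subject_id, **changes)
        return True
    except RestrictionError:
        return False


def demo():
    """Build a store with two constructed subjects and restrict one of them."""
    store = RecordStore()
    store.add("subj-001", {"name": "Example Person A", "email": "a@example.invalid"})
    store.add("subj-002", {"name": "Example Person B", "email": "b@example.invalid"})
    store.restrict("subj-001", "data subject objected to processing; objection pending")
    return store


if __name__ == "__main__":
    s = demo()
    print("for processing:", [r.subject_id for r in s.records_for_processing()])
    print("update on restricted record applied:", attempt_update(s, "subj-001", name="X"))
    print(s.export_portable("subj-002"))
```

The design choice worth noting is that the restriction lives in the only code path through which data are read for processing or written, rather than being a flag that each batch job is trusted to remember to check; lifting the restriction restores the record to normal processing without any data having been lost in between.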

In plain English: If the data subject has any reason, such as a doubt about the processing or an objection to the processing, he or she may request a temporary restriction of the processing.

So, the rights of the data subject are extensive and not precisely or clearly defined, and only common practice will show how to deal with them and set precedents for behaviour. However, you need to prepare now, before the GDPR comes into force, and put in place the mechanisms and technical procedures you will use to implement citizens' rights. Contact a company specialising in this issue as soon as possible. Consult, take advice, leave some of the worries to them and focus on your business instead!

Source: www.gdpr.cz