Your Personal Data Rights Made Easy
Despite growing awareness of the GDPR, only 36% of Europeans can confidently say that they have heard of the GDPR and know exactly what it is. It seems that the GDPR continues to be unclear to individuals and organizations alike.
Of course, most people (about 60%) have heard about their right to access their personal data or to have that data deleted. But what about the various other rights guaranteed by the regulation, and all the nuances of how to exercise them?
Have you heard about the right to restriction? Are you aware that the one-month deadline can be extended? Do you know what rights you have when it comes to automated processing?
If you still find the GDPR confusing and have found most guides difficult to understand, this blog post is for you! Read on to learn more about the basics (and not-so-basics) of your personal data rights.
Your Rights – The Basics
What is personal data?
Simply put, personal data is any information about a living person that can identify (directly or indirectly) that person. For example, names, ID numbers, and IP addresses can all help identify an individual.
It is also important to note that the GDPR only applies to personal data in two cases:
- when the personal data is at least partially processed by automated means
- when the data forms part of a filing system (even if the processing is not automated)
What rights does the GDPR give me?
Right to be informed:
The right to be told, usually through a privacy notice, who is collecting your personal data, why they are collecting it, and how it will be used and shared.
Right of access:
The right to know whether an organization is using your personal data and to obtain a copy of it. Your right of access is exercised through a subject access request (a request for a copy of the data they hold about you).
Right to rectification:
The right to change incorrect details or add more details to the data that an organization holds about you.
Right to be forgotten:
The right to have your personal data deleted by an organization. However, this right does not apply in ALL circumstances.
Right to restriction:
The right to limit the ways in which your personal data is used by an organization.
Right to object:
The right to object to a company using your personal data, if the data is being used for specific purposes like direct marketing.
Right to data portability:
The right to get a machine-readable copy of the personal data an organization has about you and to have them transfer it to a different organization. This is similar to, but not the same as, the right of access.
Rights related to automated processing:
The various rights related to profiling and decision-making done without the involvement of humans. They include your right to find out how decisions were made, to have a human involved in certain decisions, and to object in certain circumstances.
Right to lodge a complaint:
The right to file a complaint with a supervisory authority (your national data protection authority) if you feel that your rights have been violated.
Can a company refuse my request?
Yes, depending on what you are requesting, a company can decline your request for various reasons. For instance, if you request a copy of your data and it contains information about other individuals, the organization may withhold or redact the parts that would affect those people's rights, or refuse that part of your request. Organizations can also refuse any request found to be “manifestly unfounded or excessive”.
How long will it take a company to respond?
Organizations have 1 calendar month to respond to you. The countdown starts on the day they receive the request.
Companies CAN extend the deadline by up to 2 further months when requests are complex or numerous. However, they must tell you that they need extra time, and why, within the initial month.
Your Rights – Useful To Know
Right of access vs. Right to data portability
While similar, these two rights have key differences:
- Data portability ONLY applies to data that is processed by automated means (i.e. held electronically) and that you gave on the basis of consent or a contract
- Data portability ONLY applies to information you have provided the organization with (including the data gathered from monitoring your activities), not to data the organization has derived or inferred about you
An organization can (potentially) charge money for a request
Your request should be handled free of charge. However, the GDPR does allow an organization to charge a reasonable fee in certain circumstances. For instance, if you request multiple copies of your data, the organization can charge a fee based on its administrative costs.
Organizations should inform you of why they have refused your request
If an organization refuses your request, it should provide you with an explanation or justification. For instance, if an organization decides not to correct some details, it must explain why it believes the data is accurate as it is. Similarly, if an organization refuses to delete your data, it must explain why it does not have to delete that data.
The right to be forgotten does not apply in ALL situations
A common myth is that the right to be forgotten is absolute. In reality, the right only applies in certain circumstances, the most common being that you originally gave consent for the processing of your data and have now withdrawn it. Less common circumstances in which it applies include data that was collected unlawfully and situations where the organization is legally obligated to delete your data.
Organizations can also refuse your request if one of the following applies:
- the organization is legally obligated to retain the data
- the information is needed to exercise the right of freedom of expression
- the information is needed for public interest reasons (e.g. scientific research, public health, etc.)
You can only object in certain circumstances
The right to object is not general. It applies only when the organization is processing your data for one of the following purposes or on one of the following grounds:
- Direct marketing
- Scientific, statistical or historical research
- Legitimate interests of the company
- A public interest task
You probably cannot get that article about you deleted
In most cases, you probably will not be able to delete articles written about you. This is because the GDPR recognizes the need for a balance between data protection and freedom of expression, and allows for various exceptions and restrictions when it comes to media and journalistic content. However, depending on your situation, you may have other options. You may wish to consult a lawyer to discuss your options.
More on timelines
The one (calendar) month countdown begins on the day that the organization receives your request, and ends on the corresponding date of the following month. If you submit your request on a date that does not exist in the following month (for example the 31st, when the next month has only 30 days), the organization has until the last day of the following month to reply. Additionally, in the UK, if that last day falls on a weekend or public holiday, the deadline moves to the next working day.
Here is an example to make it clearer:
- You submit your request to an organization on January 31, 2020. They receive it on the same day.
- February 2020 only has 29 days, so there is no February 31. The deadline therefore falls on the last day of February: Saturday, February 29.
- February 29, 2020 is a Saturday, and March 1 is a Sunday. This means the deadline is moved once more, to Monday, March 2.
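The deadline rules above (count one calendar month from receipt, fall back to the last day of the following month when there is no corresponding date, then roll forward over weekends and holidays) are easy to get wrong by hand, especially for month-end requests and for the two-month extension. The following Python script is an added example written for this page, not code from the original post or from any data protection authority. The holiday set is constructed for illustration only (two England and Wales bank holidays from 2020); a real tracker would load the correct calendar for its jurisdiction.

```python
from datetime import date, timedelta
import calendar

# Constructed, illustrative set of non-working days (assumption for this
# example): Good Friday and Easter Monday 2020 in England and Wales.
# Real bank holidays vary by year and by nation; load them from an
# authoritative source in practice.
HOLIDAYS = {date(2020, 4, 10), date(2020, 4, 13)}


def add_calendar_months(received: date, months: int) -> date:
    """Return the corresponding date `months` calendar months after `received`.

    If the target month has no corresponding day (e.g. January 31 -> February),
    the result is the last day of the target month, as the post describes.
    """
    month0 = received.month - 1 + months          # zero-based month index
    year = received.year + month0 // 12
    month = month0 % 12 + 1
    last_day = calendar.monthrange(year, month)[1]
    return date(year, month, min(received.day, last_day))


def is_working_day(d: date, holidays=HOLIDAYS) -> bool:
    """Monday to Friday and not in the holiday set."""
    return d.weekday() < 5 and d not in holidays


def next_working_day(d: date, holidays=HOLIDAYS) -> date:
    """Roll forward until we land on a working day (d itself if it already is)."""
    while not is_working_day(d, holidays):
        d += timedelta(days=1)
    return d


def response_deadline(received: date, extension_months: int = 0,
                      holidays=HOLIDAYS) -> date:
    """Deadline for answering a data subject request received on `received`.

    The base period is one calendar month; the GDPR allows up to two further
    months for complex or numerous requests, so extension_months must be 0-2.
    """
    if not 0 <= extension_months <= 2:
        raise ValueError("GDPR permits an extension of at most two further months")
    raw = add_calendar_months(received, 1 + extension_months)
    return next_working_day(raw, holidays)


def extension_notice_deadline(received: date, holidays=HOLIDAYS) -> date:
    """Latest date by which the organization must tell you it needs more time:
    the original one-month deadline, extension or not."""
    return response_deadline(received, 0, holidays)


if __name__ == "__main__":
    received = date(2020, 1, 31)
    print("Received:          ", received)
    print("Base deadline:     ", response_deadline(received))        # 2020-03-02
    print("Must notify by:    ", extension_notice_deadline(received))
    print("Extended deadline: ", response_deadline(received, 2))     # 2020-04-30
```

The script reproduces the post's worked example (a request received on January 31, 2020 must be answered by Monday, March 2) and also shows the fully extended deadline (April 30, 2020) and the date by which the organization must have told you about the extension. Holiday handling is shown with the constructed April 2020 dates: a one-month deadline landing on Good Friday rolls over the whole Easter weekend to Tuesday, April 14.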
Like most laws and regulations, the GDPR can be difficult to understand. However, knowing even the basics of your rights means being able to make decisions about your data and how others use it. So, hopefully, having read this guidance you can put your newfound knowledge to use and begin to defend your personal data rights.
Please note: This guidance provides a general overview of the GDPR. However, a number of other nuances exist within the regulation. Moreover, your country most likely has its own localized laws and regulations (e.g. specific rules for children's data or for cookie consent). As such, if you have a specific question about data protection in your country, we suggest that you visit the website of your country's data protection authority.
To learn more about your rights and what is going on in the world of privacy, we invite you to follow us on Instagram, Facebook, and Twitter. You might even win a prize by using your new data privacy knowledge in one of our contests.