GDPR: What privacy rights apply when processing personal data?

The GDPR describes 8 privacy rights that a data subject can invoke to protect themselves against an infringement of the right to privacy. Privacy rights allow data subjects to determine how organizations handle the processing of their personal data. The General Data Protection Regulation (GDPR) has regulated privacy legislation in EU countries, including the Netherlands, since May 25, 2018. With the introduction of the GDPR in the Member States, the right to privacy for data subjects has been expanded and organizations are less likely to infringe the right to privacy of data subjects.

GDPR: Privacy rights that protect data subjects in personal data processing

  • What is the right to privacy?
  • GDPR: privacy rights that protect the privacy of data subjects when processing personal data
  • Right to data portability
  • Right to be forgotten
  • Right of access
  • Right to restriction of data processing
  • Right to rectification and addition
  • Right to clear information
  • Right regarding automated decision-making and profiling
  • Right to object

 

What is the right to privacy?

Since May 25, 2018, the GDPR has aimed to better protect the right to privacy of people from the EU. Because data subjects can invoke privacy rights, organizations are less likely to infringe their right to privacy. Everyone in the Netherlands has the right to have his/her personal privacy respected. A data subject can invoke privacy rights to decide for himself or herself about the processing of his or her ‘personal data’ by organizations. The person about whom an organization processes personal data is called a ‘data subject’. The right to privacy is described in Article 10 paragraph 1 of the Constitution (Gw):

“Everyone has the right to respect for his or her personal privacy, subject to limitations set by or pursuant to the law” (Article 10(1) of the Dutch Constitution).

The GDPR introduces two ‘new’ privacy rights:

  1. right to be forgotten
  2. right to data portability

 

GDPR: privacy rights that protect the privacy of data subjects when processing personal data

The GDPR describes 8 privacy rights that all EU citizens can rely on. Every data subject can invoke privacy rights with regard to the personal data that organizations process about him/her and thus take action against an infringement of his/her right to privacy.

The privacy rights of data subjects according to the GDPR:

  1. right to data portability
  2. right to be forgotten
  3. right of access
  4. right to restriction of data processing
  5. right to rectification and addition
  6. right to clear information
  7. right regarding automated decision-making and profiling
  8. right to object

 

Right to data portability

The ‘right to data portability’ of a data subject concerns the right to portability of personal data. In practice, the right to data portability means that someone can request from an organization the personal data that the organization has processed about him/her. A data subject can store this data for his/her own use and/or forward it to another organization. If a data subject asks an organization to forward personal data to another organization, the organization must comply if this is reasonably possible.

Article 20 of the GDPR describes the right to data portability. A data subject can invoke the right to data portability if:

  • the data subject has given the organization permission to process his/her personal data for one or more specific purposes;
  • the processing is necessary for the performance of a contract to which the data subject is party, or in order to take steps at the request of the data subject before entering into a contract;
  • the processing is carried out via automatic processes.

 

Right to be forgotten

The ‘right to be forgotten’ of a data subject concerns the right to ask an organization to delete his/her personal data. A person can later withdraw permission previously given to an organization to process his/her personal data. This right prevents infringement of the right to privacy by organizations. Article 17 of the GDPR describes the cases in which someone may withdraw his/her consent to the processing of personal data. An example is when an organization no longer has an interest in holding sensitive personal information. An organization is obliged to comply with a request for deletion of personal data, unless the organization can rely on one of the GDPR bases. For example, an organization can refuse a request for deletion of a data subject's personal data if there is a statutory retention period.

Example: missing interest in personal data processing
If someone decides to switch to another pharmacy, the previous pharmacy no longer has an interest in processing or possessing the sensitive personal information about the data subject. The specific purpose for which the data subject previously granted permission to this pharmacy no longer has to apply if another pharmacy starts carrying out the work to achieve this purpose.

Right of access

The ‘right of access’ of a data subject is the right to view the personal data that an organization has processed about a data subject. A data subject can request access from the organization and ask what data this organization has processed about him/her. Data subjects can also ask the organization who in the organization can view the processed personal data, and for what purpose the organization processes personal data. This right prevents invasion of privacy, because when a data subject requests an organization to inspect his/her personal data, the organization is obliged to provide this information to the data subject.

Article 15 of the GDPR describes the right of access. A data subject has the right to inspect data about:

  • the processing purposes;
  • the categories of personal data;
  • the (categories of) recipients to whom the personal data have been/will be provided;
  • the period for which the personal data will be stored (and if this is not possible, the criteria that determine the period);
  • the right of the data subject to request from the responsible organization that personal data be amended or deleted, or that processing of personal data be restricted, and the right to object to such processing;
  • the right of the data subject to lodge a complaint with a supervisory authority;
  • if the data is not collected from the data subject, all available information about the source of that data;
  • the existence of automated decision-making including certain forms of profiling and information about the logic and significance and envisaged consequences of such processing for the data subject.

 

Right to restriction of data processing

The ‘right to restriction of data processing’ of a data subject is the right, in certain cases, to require an organization to no longer use his/her processed personal data. This privacy right of data subjects prevents infringement of privacy, because in this case an organization is no longer allowed to use the (sometimes incorrect or unlawfully processed) personal data of data subjects.

Article 18 of the GDPR describes the right to restriction of data processing and states that a data subject may demand restriction of processing in cases where:

  • there is doubt as to whether the personal data processed is correct;
  • there is unlawful processing of personal data whereby a data subject may prefer to have it restricted rather than deleted;
  • a data subject needs these personal data for the establishment, execution or substantiation of a legal claim, while an organization no longer needs the personal data for the (specific) purpose of personal data processing;
  • a data subject objects to processing because an organization wrongly states that there are legitimate grounds for the processing that outweigh its own grounds.

 

Right to rectification and addition

The ‘right to rectification and addition’ of a data subject is the right to request an organization to change the personal data that an organization has processed about him/her. This right of data subjects protects them against an infringement of the right to privacy.

In the following cases, a data subject can request an organization to rectify and/or supplement his/her processed personal data:

  • The personal data is factually incorrect in whole or in part.
  • The personal data is wholly or partly incomplete.
  • The personal data is wholly or partly irrelevant to the purpose of the processing.
  • The personal data is in whole or in part contrary to a legal provision.

 

Right to clear information

The ‘right to clear information’ of a data subject concerns the right to clear (and written) information about the purpose and reason for which an organization processes personal data. Organizations must comply with the information obligation: they must tell every data subject whose personal data they store or forward to another organization which data they store or forward and for what specific purpose this is done.

Article 13 and Article 14 GDPR describe what information an organization must provide to a data subject:

  • name and address of the organization;
  • contact details of the data protection officer;
  • processing purposes and legal grounds for the processing;
  • information about the legitimate interests if the processing is necessary for the legitimate interests of the controller or a third party;
  • recipients or categories of recipients of the personal data;
  • period during which the organization processes the personal data;
  • right of the data subject to file a complaint with a supervisory authority;
  • the basis of the processing of personal data.

 

Right regarding automated decision-making and profiling

Every data subject can invoke his/her ‘right with regard to automated decision-making and profiling’. This is the right on the basis of which a data subject can ask an organization to make a decision based on a human perspective.

Decision based on a human view

Automated decision-making occurs if an organization makes an automated decision based on previously processed data. This is the opposite of a “human view” decision, which involves a decision made by a human.

Profiling

The GDPR defines ‘profiling’ as: “the automatic processing of personal data for the purpose of evaluating the personal aspects of someone”. Some examples of personal aspects that an organization could evaluate using automatically processed personal data are:

  • health
  • economic situation
  • personal preferences
  • interests
  • reliability
  • career
  • behaviour

 

Right to object

A data subject’s ‘right to object’ concerns the right to ask an organization to stop using his/her personal data in whole or in part. This is possible when the organization uses the personal data for marketing purposes or when there are special personal circumstances of the data subject. If a data subject asks an organization to no longer use his/her personal data in whole or in part for marketing purposes, this organization is obliged to comply. Data subjects can invoke this right and thus stop an infringement of their right to privacy.

A data subject may invoke the right to object if one of the following two situations occurs:

  1. An organization uses personal data for marketing purposes.
  2. There are special personal circumstances to exercise the right to object.

 

Special personal circumstances

If a data subject invokes the right to object in connection with special personal circumstances, the data subject must first demonstrate that there is a shortcoming in the lawfulness of the processing. Such a shortcoming exists if an organization cannot rely on one of the GDPR principles. In that case, an organization must immediately stop processing, unless there are compelling legitimate grounds that outweigh the rights, freedoms and interests of the data subject.
