How should requests from individuals be dealt with?
Individuals may contact a company/organisation to exercise their rights under the GDPR (rights of access, rectification, erasure, portability, etc.).
Where personal data is processed by electronic means, the company/organisation should provide means for requests to be made electronically. The company/organisation must reply to any requests without undue delay, and in principle within 1 month of the receipt of the request.
The company/organisation which has received a request from an individual to exercise his or her rights can ask for additional information in order to confirm that individual’s identity.
If the company/organisation rejects the request, it has to inform the individual concerned of the reasons for doing so and of their right to file a complaint with the Data Protection Authority and to seek a judicial remedy before a court.
Any request from an individual concerning the exercise of his or her rights under the GDPR must be dealt with free of charge. However, where requests are manifestly unfounded or excessive, in particular because of their repetitive character, a company/organisation may charge a reasonable fee or refuse to act. The burden of proof of demonstrating the unfounded or excessive nature of a request lies on the company/organisation.
Example
A person who accessed all his personal data several times in the months before, lodges again a request for access to the same personal data.
A company/organisation may consider either requesting a reasonable fee or informing that person that his or her request is rejected, if it appears to be an abusive intention in the sense that that person has submitted requests in circumstances where it was not objectively necessary for the individual to do so to obtain protection for his or her rights under the GDPR.
References
- Article 12 and Articles 15 to 22 and Recitals 59 and 63 to 71 of the GDPR
- EDPB guidelines 01/2022 on data subject rights - right of access
- Guidelines on the right to data portability under Regulation 2016/679, WP242 rev.01
- Guidelines 5/2019 on the criteria of the right to be forgotten in the search engines cases under the GDPR (part 1)
What personal data and information can an individual access on request?
When someone requests access to their personal data, a company/organisation must:
- confirm whether or not it is processing personal data concerning them;
- provide a copy of the personal data it holds about them;
- provide information about the processing (such as purposes, categories of personal data, recipients, etc.).
A company/organisation must provide the individuals requesting access to their personal data with a copy of those data free of charge. However, a reasonable fee can be charged for further copies based on administrative costs.
The exercise of the right of access is closely linked to the exercise of other rights, for instance the right to rectification and the right to data portability - to allow the individual to get their inaccurate data corrected and to transmit or to get their personal transmitted data to another company/organisation.
Example
A company/organisation provides an online social networking service whereby individuals can exchange messages and pictures. A user requests to access their personal data and to verify what personal data is being processed.
The company/organisation must confirm that it is processing personal data of that user and provide a copy of this data (such as the name, contact details, messages and pictures exchanged).
The company/organisation must also provide information about the processing - usually that information would be available also in the privacy notice of the company/organisation.
References
Can an individual ask for their personal data to be corrected or complemented?
If an individual believes that their personal data might be incorrect or inaccurate they can ask the company or organisation processing those data to correct them.
This must be done without undue delay (in principle within 1 month). Alternatively, the company/organisation must justify in writing why the request cannot be accepted.
When the personal data held by a company/organisation is correct but it is incomplete and an individual concerned asks to supplement those data, the company/organisation may have to do so taking into account the purposes of processing those personal data.
Example
A credit bureau processes information concerning an individual provided by his or her former landlord. The information states among other things that the individual owes the landlord 3 months’ rent. The same individual has just won a legal dispute and the claim for the 3 months’ rent was ruled to be unfounded.
The credit bureau must correct that data so that the individual is not put at a disadvantage in the future when credit requests are processed.
References
What happens if an individual asks for their personal data to be deleted?
Individuals havethe right to ask for their personal data to be deleted and companies/organisations have an obligation to do so without undue delay in certain cases. For instance, if those data are not needed any longer for the purpose for which they were collected, or if the processing is based on individual’s consent which is withdrawn.
A company/organisation must also erase any personal data that were collected in the context of information society services when the individual concerned was still a minor or if the personal data has been processed unlawfully.
However, there is no obligation for a company/organisation to delete personal data in the following cases:
- the personal data held by a company/organisation is needed to exercise the right of freedom of expression;
- there is an obligation based on law to keep that data;
- the personal data is needed for the task carried out by a public authority;
- the personal data is needed for reasons of public interest (for example public health; archiving scientific, or historical research purposes, or statistical purposes); or
- the personal data is needed for the exercise of legal claims.
With regard to the right to be forgotten online, companies/organisations are expected to take reasonable steps (for example technical measures) to inform other websites that a particular individual has requested the erasure of their personal data.
Data can also be kept if it has undergone an appropriate process of anonymisation, provided that such data does not anymore allow to identify the person concerned.
Examples
Personal data do not have to be deleted
A company/organisation runs an online newspaper. One of its journalists publishes a story on how a politician had laundered money in off-shore banks.
The politician requests to remove the story because he considers that his personal data is being unlawfully processed.
Since the personal data is used to exercise the right of freedom of expression and information, the company/organisation is, in principle, not obliged to delete such data. However, this will also depend on the national legislation in place.
References
What happens if an individual asks to restrict the processing of their personal data?
Generally speaking, in cases where it is unclear whether and when personal data will have to be deleted, an individual has the right to obtain a restriction of processing of his or her personal data. A company/organisation has to restrict the processing when:
- the individual whose personal data is concerned has contested the accuracy of the data but the company/organisation needs time to verify the accuracy of that personal data;
- the processing is unlawful but the individual whose personal data is concerned does not want the data to be erased;
- the data is no longer needed for the original purpose but may not be deleted yet because the individual whose personal data is concerned need them for the exercise of legal claims; or
- the individual whose data is concerned has objected the processing but the company/organisation needs time to verify whether it has a legitimate ground to continue processing (Article 21 GDPR).
‘Restriction’ means that a company/organisation may not process individual’s personal data, with the exception of storage, unless: 1) the individual concerned has given consent to that processing, 2) for the establishment, exercise or defence of legal claims, 3) for the protection of the rights of another natural or legal person, or 4) for reasons of important public interest of the EU or of an EU Member State.
The individual who has obtained the restriction must be informed before it is lifted.
Example
A new bank on the domestic market offers good home loan deals. An individual buying a new house decides to switch banks and, therefore, asks the ‘old’ bank to close down all accounts and delete all related personal data.
The old bank, however, is subject to a law obliging banks to store all customer details for 10 years. The old bank is legally obliged to store that personal data but the individual concerned can still ask the bank to restrict its processing to make sure that it is not accidentally used for unwanted purposes.
References
What happens if an individual objects to a company/organisation processing their personal data?
Individuals have the right to object to the processing of their personal at any time for specific reasons. Whether such a specific situation exists must be examined on a case-by-case basis.
They may raise an objection only in cases where:
- a company is processing the data on the basis of its legitimate interests; or
- an organisation, including a public authority, is processing the data in the context of its public task, based on law.
In such cases, a company/organisation may no longer process the personal data unless it demonstrates that it needs to do so for compelling legitimate reasons that override the rights and freedoms of the individual, or if the data is necessary for the establishment, exercise or defence of legal claims.
Individuals also have a right to object at any time to the processing of their personal data for direct marketing purposes. Direct marketing is understood under the General Data Protection Regulation as any action to communicate advertising or marketing material, aimed at particular individuals.
A company/organisation must explicitly inform individuals in its privacy notice or at the latest at the time of the first communication with individuals that it will be using their personal data for direct marketing and that they have a right to object free of charge.
Where a person objects to processing for direct marketing purposes, the company/organisation may no longer process their personal data for such purposes.
Example
In the insurance sector, very often personal data is needed for the defence of legal claims in the case of anti-fraud or anti-money laundering measures.
In those cases, insurance companies may refuse to uphold an individual’s request to object to processing.
References
Can an individual ask to have their data to be sent to another company/organisation?
Individuals have the right to data portability, that is to receive from a company/organisation the personal data which concerns them and which they provided to that company/organisation, in a structured machine-readable format, and to have it transmitted to another company/organisation, where it is technically feasible.
The right may only be exercised where personal data was collected in the context of a contract or on the basis of consent, and such data is processed by automated means.
Example
A client plans to change from one music streaming service to another and wants in this context to ensure that the playlists she has created can be used also in the new service.
To do so, she can ask her current service provider to provide her playlists in a machine-readable and interoperable format which allows her to transmit the relevant data to her new service provider without hindrance.
She can also ask the current service provider to directly transmit those data to the new service provider; however, there is no obligation to do so unless it is technically feasible for instance due to technically incompatible systems.
References
Are there restrictions on the use of automated decision-making?
Individuals should not be subject to a decision that is based solely on automated processing of personal data (such as algorithms) and that is legally binding or which affects them in a similarly significant way.
A decision may be considered as producing legal effects when the individual’s legal rights or legal status are impacted (such as their right to vote, for example).
In addition, processing can significantly affect an individual if it influences their personal circumstances, their behaviour or their choices (for example an automatic processing may lead to the refusal of an online credit application).
The use of automated processing for decision-making is authorised only in the following cases:
- the decision based on the algorithm is necessary (i.e. there must be no other way to achieve the same goal) to enter into or to perform a contract between an individual and a company/organisation (for example a contract on a loan or insurance policy);
- a particular EU or national law allows the use of algorithms and provides for suitable safeguards to protect the individual’s rights, freedoms and legitimate interests (for example anti-tax evasion regulations); or
- the individual has explicitly given his consent to a decision based on the algorithm.
However, the decision taken needs to protect the individual’s rights, freedoms and legitimate interest, by implementing suitable safeguards.
Except where such decision-making is based on a law, the individual must be at least informed of (i) the existence of automated decision-making and the logic involved in the decision-making process, (ii) the potential consequences of the processing, (iii) their right to obtain human intervention and (iv) their right to contest the decision.
A company/organisation must therefore make the required procedural arrangements to ensure the human intervention and allow the individual to express their point of view and to contest the decision.
Automated decision-making based on special categories of personal data, such as health data, is only allowed in the following circumstances:
- the individual has given their explicit consent; or
- the processing is necessary for reasons of substantial public interest under EU or national law; and
- suitable measures to ensure individual’s rights and legitimate interests are in place.
Furthermore, if the individual is a child, decisions made solely on automated processing that produce legal effects or effects which are of similar significance for the child should be avoided, because children can be considered a vulnerable group.
Example
A company/organisation is an online bank offering loans. Clients insert their data and an algorithm produces results on whether they should be offered a loan or not and the suggested interest rate.
The company/organisation needs to review the said decision before communicating it to the prospective client and inform him that he may express his opinion and eventually contest the decision, keeping in mind that the individual has the right not to be subject to a decision based solely on algorithms.