Topic 3: The rights of the data subject and their exercise



  1. Topic 3: The rights of the data subject and their exercise

  2. Guidance for using these slides (remove before delivering)
  These slides are meant to be easily adaptable to different audiences. To facilitate this, each slide is assigned to a specific audience (see „relevant for:” in the notes). In the notes section below each slide, you find an indication of the slide’s degree of difficulty [i.e. whether it is suited for data protection beginners or not], its target audience [everyone vs authorities, lawyers, data protection officers, etc.], and its degree of importance [whether it is essential that you deliver it, or if it can be removed without impacting the effectiveness of the training].
  Prior to training delivery, please:
  • Read the slides and the notes thoroughly
  • Take a look at the reading materials – they also serve to assist you in your preparation
  • Remove/hide the slides that you consider unnecessary [right click on the slide miniature on the left and click ‘hide slide’]. A provisional categorisation has been made based on the depth and importance of the respective content
  • Adjust slides to national or sectoral requirements
  • Add content that you consider essential for your particular audience
  • Feel free to replace the default layout with your organisation’s layout

  3. How to Read The Slides’ Colour Frames [Remove Before Delivering]
  • Green – is a basic slide: we encourage you to keep it
  • Yellow – is a medium level slide: it is important, but does not jeopardise effectiveness if removed
  • Red – is an advanced slide: consider adapting it to your audience, preparing your audience for it, or removing it if you deem it unnecessary
  • Purple – advised adaptation: this slide should contain information regarding the national legislation complementing the EU Regulations; if the content regards a different Member State, we advise you replace it with the national, relevant content

  4. Speaker Name Title Department Contact details

  5. These slides explore the rights of the data subject in relation to the processing of their personal data, how organisations have an obligation to respect these rights, and good practices for implementing them in data processing. This material will help trainees to understand and protect the rights of data subjects, and to build systems and structures that help data subjects exercise their rights and minimise the organisation’s exposure to enforcement actions of an administrative and/or contractual/tortious nature.

  6. Table of contents
  • Information to be provided prior to the processing
    • Where data has been obtained from the data subject
    • Where data has not been obtained from the data subject
  • Rights of the data subject
    • Right of access by the data subject
    • Right to rectification
    • Right to erasure (‘right to be forgotten’)
    • Right to restriction of processing
    • Right to data portability
    • Right to object
  • Exercising the rights of the data subject
  • Remedies

  7. Information to be provided prior to the processing - data has been obtained from the data subject
  • at the time when personal data are obtained
  • regardless of the legal basis
  • the identity and the contact details of the controller and, where applicable, of the controller's representative
  • the contact details of the data protection officer, where applicable
  • the purposes of the processing for which the personal data are intended as well as the legal basis for the processing
  • the legitimate interest(s), as legal basis, pursued by the controller or by a third party
  • the recipients or categories of recipients of the personal data, if any
  • where applicable, the fact that the controller intends to transfer personal data to a third country or international organisation

  8.
  • the period for which the personal data will be stored, or if that is not possible, the criteria used to determine that period;
  • the existence of the right to request from the controller access to and rectification or erasure of personal data or restriction of processing concerning the data subject or to object to processing as well as the right to data portability;
  • where the processing is based on the consent of the data subject (or his or her representative), the existence of the right to withdraw consent at any time, without affecting the lawfulness of processing based on consent before its withdrawal;
  • the right to lodge a complaint with a supervisory authority;
  • whether the provision of personal data is a statutory or contractual requirement, or a requirement necessary to enter into a contract, as well as whether the data subject is obliged to provide the personal data and of the possible consequences of failure to provide such data;
  • the existence of automated decision-making, including profiling and, at least in those cases, meaningful information about the logic involved, as well as the significance and the envisaged consequences of such processing for the data subject.

  9. Example for preliminary information

  10. Information to be provided prior to the processing - data has not been obtained from the data subject
  • In addition to the previous requirements:
    • the categories of personal data concerned
    • from which source the personal data originate, and if applicable, whether it came from publicly accessible sources
  • Timing:
    • within a reasonable period after obtaining the personal data, but at the latest within one month, having regard to the specific circumstances in which the personal data are processed;
    • if the personal data are to be used for communication with the data subject, at the latest at the time of the first communication to that data subject; or
    • if a disclosure to another recipient is envisaged, at the latest when the personal data are first disclosed.

  11. Exceptions
  • the data subject already has the information;
  • the provision of such information proves impossible or would involve a disproportionate effort;
  • obtaining or disclosure is expressly laid down by Union or Member State law to which the controller is subject and which provides appropriate measures to protect the data subject's legitimate interests; or
  • where the personal data must remain confidential subject to an obligation of professional secrecy regulated by Union or Member State law, including a statutory obligation of secrecy.


  13. Rights of the data subject
  • Right of access by the data subject
  • Right to rectification
  • Right to erasure (‘right to be forgotten’)
  • Right to restriction of processing
  • Right to data portability
  • Right to object

  14. Right to access by the data subject
  • Mode of accessibility
    • without constraint
    • at reasonable intervals
    • without excessive delay or expense
    • in an intelligible form
  • Obtain information from the controller about:
    • the purposes of the processing
    • the categories of personal data concerned
    • the recipients or categories of recipient to whom the personal data have been or will be disclosed
    • the envisaged period for which the personal data will be stored, or, if not possible, the criteria used to determine that period
    • the existence of the right of access to and the right to rectify the data concerning him or her

  15.
    • the right to lodge a complaint with a supervisory authority
    • where the personal data are not collected from the data subject, any available information as to their source
    • the existence of automated decision-making, including profiling, and meaningful information about the logic involved, as well as the significance and the envisaged consequences of such processing for the data subject
  • The controller shall provide a copy of the personal data undergoing processing
  • For further copies the controller may charge a reasonable fee based on administrative costs

  16. Example for the right to access

  17. Personal Data Request Facebook

  18. Personal Data Request Twitter

  19. Schengen access rights
  Schengen Information form (www.ip-rs.si)
  Request for Information on Data in the Schengen Information System in Slovenia
  According to Art. 41 of the Regulation (EC) No 1987/2006 of the European Parliament and of the Council of 20 December 2006 on the establishment, operation and use of the second generation Schengen Information System (SIS II) and Art. 58 of the Council Decision 2007/533/JHA of 12 June 2007 on the establishment, operation and use of the second generation Schengen Information System (SIS II) in connection with Art. 30 and 31 of the Personal data protection Act (Official Gazette of the RS No. 94/2007, official consolidated text, hereinafter: ZVOP-1) I hereby demand information about the personal data relating to me being processed in the Schengen information system.
  1. Information about me:
  First name: ____________
  Last name: ____________
  Address (street, town, postal code): ____________
  Date of birth: ____________
  Place of birth: ____________
  Nationality: ____________
  Information: These data serve as identifiers to search the SIS database reliably for data relating to you, and to mail the information to you. Please make sure the spelling is correct and avoid mistakes. The data you give here are not going to be additionally stored in SIS. Only the fact that the SIS has been searched for your data is recorded in the system’s log files.
  2. Further information relating to this request (please mark with a cross [ x ]):
  Information: The following information is voluntary and helps to speed up the process.
  [ ] I was refused a Slovene Visa, a residence permit or a permanent residence permit
  [ ] I was refused entry to Slovenia at the following border control station ____________ .
  [ ] Other: ____________
  Place and date:
  Signature:
  APPEAL
  The Slovenian body competent to rule on the appeal submitted by an individual whose request to review personal data pertaining to him/her has either been refused or unanswered, shall be the Information Commissioner, which shall also be competent to perform the supervision over implementation of the right to correct incorrect data or delete illegal personal data in Slovenia.
  Address: Information Commissioner, Zaloška 59, 1000 Ljubljana. Telephone: 01 230 97 30, fax: 01 230 97 78, e-mail: gp.ip@ip-rs.si, web page: http://www.ip-rs.si.

  20. Right to rectification
  • Correction and/or completion
    • rectification of inaccurate personal data
    • to have incomplete personal data completed, including by means of providing a supplementary statement
  • Limitations:
    • Identification of the requester
    • Protection of others’ rights and freedoms
    • Purpose of the request

  21. Example for the right to rectification
  Ciubotaru v. Moldova
  • The applicant was unable to change the registration of his ethnic origin in official records from Moldovan to Romanian
  • He had been able to provide objectively verifiable links with the Romanian ethnic group
  • The applicant was required to provide evidence that his parents had belonged to the Romanian ethnic group
  • Historical realities of Moldova: an insurmountable barrier to registering an ethnic identity other than the one recorded in respect of his parents by the Soviet authorities
  • The State had failed to comply with its positive obligation to secure to the applicant effective respect for his private life

  22. Erasure (“right to be forgotten”)
  • Erasure of personal data without undue delay in case:
    • the personal data are no longer necessary in relation to the purposes for which they were collected or otherwise processed;
    • the data subject withdraws the consent on which the processing is based, and there is no other legal ground for the processing;
    • the data subject objects to the processing;
    • the personal data have been unlawfully processed;
    • the personal data have to be erased for compliance with a legal obligation in Union or Member State law to which the controller is subject;
    • the personal data have been collected in relation to the offer of information society services referred to in Article 8(1).
  • When the data has been made public, the controller must take reasonable steps to inform other controllers which are processing the personal data that the data subject has requested the erasure by such controllers of any links to, or copy or replication of, those personal data

  23. Example for the right to be forgotten
  Google Spain case
  • Request to Google to delete outdated information regarding the applicant’s financial difficulties from its search result list
  • Google claimed it merely provides a hyperlink to the publisher’s web page
  • While indexing content, Google becomes a data controller to which responsibilities and obligations under EU law apply
  • The right to have one’s personal data erased when the processing is outdated or no longer necessary also covers data controllers that replicate the information

  24. Right to be forgotten - exceptions
  • exercising the right of freedom of expression and information;
  • compliance with a legal obligation which requires processing by Union or Member State law to which the controller is subject, performance of a task carried out in the public interest or exercise of official authority vested in the controller;
  • reasons of public interest in the area of public health;
  • archiving purposes in the public interest, scientific or historical research purposes or statistical purposes if the right referred to in paragraph 1 is likely to render impossible or seriously impair the achievement of the objectives of that processing;
  • establishment, exercise or defence of legal claims

  25. Right to restriction of processing
  • Processing can be restricted where one of the following applies:
    • the accuracy of the personal data is contested by the data subject, for a period enabling the controller to verify the accuracy of the personal data;
    • the processing is unlawful and the data subject opposes the erasure of the personal data and requests the restriction of their use instead;
    • the controller no longer needs the personal data for the purposes of the processing, but they are required by the data subject for the establishment, exercise or defence of legal claims;
    • the data subject has objected to processing pending the verification whether the legitimate grounds of the controller override those of the data subject.

  26. Where processing has been restricted, such personal data shall, with the exception of storage, only be processed:
  • with the data subject's consent
  • for the establishment, exercise or defence of legal claims
  • for the protection of the rights of another natural or legal person
  • for reasons of important public interest of the Union or of a Member State.
  • Notification of the data subject prior to the lifting of the restriction of processing

  27. Example for the restriction of processing
  • The data subject exercises his or her right
  • Restriction occurs while the data controller confirms accuracy

  28. Right to data portability
  • The data subject shall receive the personal data in a
    • structured,
    • commonly used
    • machine-readable format
  • and have the right to transmit those data to another controller without hindrance from the controller to which the personal data have been provided, where:
    • (a) the processing is based on consent or on a contract;
    • (b) the processing is carried out by automated means.
  • The data subject shall have the right to have the personal data transmitted directly from one controller to another, where technically feasible.
  • The exercise of the right shall be without prejudice to the right to be forgotten. That right shall not apply to processing necessary for the performance of a task carried out in the public interest or in the exercise of official authority vested in the controller.
  • The right to data portability shall not adversely affect the rights and freedoms of others.

  29. Example for the right to data portability
  Switching between Android OS and iOS and transferring the personal settings and user data

  30. Right to object
  • The data subject can object at any time to processing of personal data which is based on the necessity of processing for the performance of a task carried out in the public interest or on the legitimate interests of the controller, including profiling based on those provisions.
  • The controller shall no longer process the personal data unless the controller demonstrates compelling legitimate grounds for the processing which override the interests, rights and freedoms of the data subject, or for the establishment, exercise or defence of legal claims.
  • Further possibility to object against the processing of personal data in the context of:
    • Direct marketing
    • Information society services
    • Scientific or historical research or statistical purposes

  31. Example for the right to object
  Lecce v. Manni
  • Legitimate purpose of the disclosure of personal data in the company registry
  • Mr Manni did not have a right to obtain the erasure of his personal data from the company registry
  • It is the responsibility of the national courts to assess the legitimate and overriding reasons for objection
  • For Mr Manni, the mere fact that disclosure of his personal data in the register allegedly affected his clientele cannot be considered as constituting such a legitimate and overriding reason
  • Potential clients of Mr Manni have a legitimate interest in having access to the information about the bankruptcy of his old company

  32. Automated individual decision-making, including profiling
  • Right not to be subject to a decision based solely on automated processing, including profiling, which produces legal effects concerning him or her or similarly significantly affects him or her
  • Exception:
    • necessary for entering into, or performance of, a contract between the data subject and a data controller;
    • authorised by Union or Member State law to which the controller is subject and which also lays down suitable measures to safeguard the data subject's rights and freedoms and legitimate interests;
    • based on the data subject's explicit consent.
  • In case of the exceptions the data controller shall implement suitable measures to safeguard the data subject's rights and freedoms and legitimate interests, at least the right to obtain human intervention on the part of the controller, to express his or her point of view and to contest the decision
  • Exception of exception:
    • When the decision would be based on special categories of data, except when the processing is based on consent or is necessary for reasons of substantial public interest and suitable measures to safeguard the data subject's rights and freedoms and legitimate interests are in place.

  33. Example for profiling
  • Creating and maintaining an online user profile which serves as the basis of the provision of personalised content
    • Advertisements
    • Media
    • Any audiovisual content
  • Personal rating in China

  34. Questions?


  36. 3. Exercising the rights of the data subject

  37. Transparent information, communication and modalities for the exercise of the rights of the data subject
  • The controller shall take appropriate measures to provide any information relating to processing to the data subject in
    • concise,
    • transparent,
    • intelligible
    • easily accessible form,
    • using clear and plain language (in particular for any information addressed specifically to a child),
    • in writing, or by other means,
    • including, where appropriate, by electronic means.
  • When requested by the data subject, the information may be provided orally, provided that the identity of the data subject is proven by other means

  38. The controller shall facilitate the exercise of data subject rights
  • The controller shall provide information on action taken on a request to exercise a right to the data subject without undue delay and in any event within one month of receipt of the request. That period may be extended by two further months where necessary, taking into account the complexity and number of the requests.
  • Where the data subject makes the request by electronic means, the information shall be provided by electronic means where possible, unless otherwise requested by the data subject.
  • If the controller does not take action on the request of the data subject, the controller shall inform the data subject without delay and at the latest within one month of receipt of the request of the reasons for not taking action and on the possibility of lodging a complaint with a supervisory authority and seeking a judicial remedy.
  • Communication should be free of charge
  • In case of excessive or unfounded requests a reasonable fee might be charged or the action can be refused
  • Standardised icons can be used
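A small model of the request-handling rules on this slide, added here as an illustration and not part of the STAR training materials: it computes the one-month deadline and its possible two-month extension (clamping month arithmetic to month ends, so a request received on 31 January is not due on a non-existent 31 February), checks that an extension is decided within the initial month, matches the reply channel to the request channel, and flags repetitive requests. The `excessive_threshold` value is an assumed organisational policy setting, not a figure taken from the GDPR.

```python
"""Deadline and channel tracking for a data subject request.

Added illustration (not part of the STAR training slides). Assumptions are
marked in comments; all sample values are constructed.
"""
from __future__ import annotations

import calendar
from dataclasses import dataclass
from datetime import date


def add_months(d: date, months: int) -> date:
    """Shift d by whole months, clamped to the last day of the target month.

    31 January + 1 month gives 28/29 February rather than rolling into March.
    """
    month_index = d.month - 1 + months
    year = d.year + month_index // 12
    month = month_index % 12 + 1
    last_day = calendar.monthrange(year, month)[1]
    return date(year, month, min(d.day, last_day))


def refusal_notice_deadline(received: date) -> date:
    """If no action is taken, the reasons plus the complaint and judicial-remedy
    options must be communicated at the latest one month after receipt."""
    return add_months(received, 1)


@dataclass
class SubjectRequest:
    """One request to exercise a data subject right (constructed model)."""
    right: str                              # e.g. "access", "erasure", "portability"
    received: date
    channel: str                            # "electronic" or "paper"
    prior_requests_this_year: int = 0       # used for the excessive-request check
    reply_channel_override: str | None = None  # set if the subject asked for another channel
    extended: bool = False
    extension_reason: str | None = None

    def due_date(self) -> date:
        """One month from receipt, or three months in total once extended."""
        return add_months(self.received, 3 if self.extended else 1)

    def extend(self, today: date, reason: str) -> None:
        """Extend by two further months; must be decided within the initial month."""
        if self.extended:
            raise ValueError("request already extended")
        if today > add_months(self.received, 1):
            raise ValueError("extension must be notified within one month of receipt")
        self.extended = True
        self.extension_reason = reason

    def reply_channel(self) -> str:
        """Electronic requests are answered electronically unless the subject asked otherwise."""
        if self.reply_channel_override:
            return self.reply_channel_override
        return "electronic" if self.channel == "electronic" else "paper"

    def fee_decision(self, excessive_threshold: int = 3) -> str:
        """Free of charge by default; a reasonable fee or refusal only for
        excessive (e.g. repetitive) requests. The threshold is an assumed
        organisational policy value, not one fixed by the GDPR."""
        if self.prior_requests_this_year >= excessive_threshold:
            return "reasonable fee or refusal (excessive request) - document the reasons"
        return "free of charge"

    def is_overdue(self, today: date) -> bool:
        """True once the (possibly extended) deadline has passed."""
        return today > self.due_date()
```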

  39. Restrictions
  • Union or Member State law to which the data controller or processor is subject may restrict the scope of the obligations and rights when such a restriction respects the essence of the fundamental rights and freedoms and is a necessary and proportionate measure in a democratic society to safeguard:
    • national security;
    • defence;
    • public security;
    • the prevention, investigation, detection or prosecution of criminal offences or the execution of criminal penalties, including the safeguarding against and the prevention of threats to public security;
    • other important objectives of general public interest of the Union or of a Member State, in particular an important economic or financial interest of the Union or of a Member State, including monetary, budgetary and taxation matters, public health and social security;
    • the protection of judicial independence and judicial proceedings;
    • the prevention, investigation, detection and prosecution of breaches of ethics for regulated professions;
    • a monitoring, inspection or regulatory function connected, even occasionally, to the exercise of official authority in the cases of national security, other important objectives of general public interest, and the prevention, investigation, detection and prosecution of breaches of ethics for regulated professions;
    • the protection of the data subject or the rights and freedoms of others;
    • the enforcement of civil law claims.

  40. Questions?


  42. 4. Remedies

  43. Representation of the data subjects
  • The data subject may mandate a not-for-profit body, organisation or association
    • to lodge the complaint on his or her behalf
    • to exercise the rights on behalf of the data subject
  • Characteristics of this entity:
    • properly constituted in accordance with the Member State law
    • has statutory objectives which are in the public interest
    • active in the field of the protection of data subjects' rights and freedoms with regard to the protection of their personal data
  • Such entities might have the right to lodge, in that Member State, a complaint with the supervisory authority

  44. Right to lodge a complaint with a supervisory authority
  • in particular in the Member State of his or her
    • habitual residence
    • place of work
    • place of the alleged infringement
  • if the data subject considers that the processing of personal data relating to him or her infringes the GDPR
  • the respective supervisory authority shall inform the complainant on the progress and the outcome of the complaint, including the possibility of a judicial remedy

  45. Right to an effective judicial remedy
  • Data subjects have the right to an effective judicial remedy where they consider that their rights have been infringed as a result of the processing of their personal data
  • Place of proceedings:
    • in the Member State where the controller or processor has an establishment
    • in the Member State where the data subject has his or her habitual residence
  • Exception: if the controller or processor is a public authority of a Member State acting in the exercise of its public powers

  46. Right to compensation
  • Any person who has suffered material or non-material damage as a result of an infringement of the GDPR shall have the right to receive compensation from the controller or processor for the damage suffered.
  • Controller(s) involved in processing shall be liable for the damage caused
  • Processor(s) shall be liable for the damage caused by processing
    • where it has not complied with obligations of this Regulation specifically directed to processors
    • where it has acted outside or contrary to lawful instructions of the controller.
  • Each controller or processor shall be held liable for the entire damage, to ensure effective compensation
  • Once full compensation is paid, the controller or processor is entitled to claim back from the other controllers or processors involved the part of the compensation corresponding to their part of responsibility

  47. Questions?

  48. Evaluation and feedback
  • Evaluation forms
  • Attendance sheet

  49. Credits
  These training materials are based on standard training materials developed in the context of the project “Supporting Training Activities on the Data Protection Reform” – STAR (http://www.project-star.eu/). This project has received funding from the European Union under the REC Action Grant programme. Grant Agreement No 769138 (2017-2019). The default version of the training materials is available free of charge on the STAR project website.
