Articles 12-22 of the GDPR
The Eight (8) Fundamental Rights that Data Subjects have under the GDPR
The eight (8) fundamental rights that data subjects have under the GDPR are something that both individuals and companies should know about. Individuals whose personal data is processed by a company are referred to as "data subjects". Under the GDPR, data subjects have a number of rights regarding their personal data.
The Eight (8) Fundamental Rights that Data Subjects have
Here you can read about the eight (8) fundamental rights that data subjects have under the EU's General Data Protection Regulation (GDPR). Namely, the right to:
- Be informed (Articles 12, 13 and 14)
- Access (Article 15)
- Rectification (Article 16)
- Erasure (Article 17)
- Limitation of processing (Article 18; the regulation itself calls this "restriction of processing")
- Data portability (Article 20)
- Object (Article 21); and
- Rights related to automated decision-making and profiling (Article 22)
In addition to information on the rights set out in the respective relevant articles of the GDPR, further information can be found in recitals 58-73 of the GDPR.
How the company shall handle a data subject's request to have a right fulfilled under the GDPR
Before we describe the above-mentioned eight (8) fundamental rights that data subjects have under the GDPR in more detail, it is important to understand how the company should act when a data subject submits a request to have a right fulfilled. Therefore, we begin by describing the process below and the associated rules around this. This is later followed by a summary of the eight (8) fundamental rights that data subjects have under the GDPR.
What is the time limit for companies when a data subject requests to have a right granted
When a company receives a request from a data subject invoking his or her rights under the GDPR, for example a request for erasure of personal data under Article 17, the company shall handle the request without undue delay. As the main rule, the company must respond within one (1) month of receipt of the request (Article 12(3) GDPR).
Extension of the deadline for replying to data subjects’ requests to have a right granted
In some cases, a company may extend the deadline set by the main rule, taking into account the complexity and number of the requests. In such cases, the data subject must be informed of the extension, and of the reasons for it, within the first month. The time limit can be extended by a further two months at most, giving the company a total of three months to handle the request.
Please note that the company must be able to justify the extension and provide the justification to the data subject. An example of when an extension may be considered is if the company has received a large number of requests at the same time. In practice, however, few companies and circumstances can justify a valid extension of the deadline, so the extension should be treated as the exception and not as additional time available by default.
Cost for data subjects to exercise their rights
It should not cost data subjects anything to have their rights under the GDPR fulfilled. Thus, according to the general rule, data subjects have the right to access information, to have their personal data corrected, deleted, etc. free of charge. However, there are certain exceptions to this general rule. If a request from a data subject is manifestly unfounded or excessive, for example because of its repetitive character, the company may charge a reasonable fee or refuse to act on the request (Article 12(5) GDPR). Note that it is the company that must demonstrate that the request is manifestly unfounded or excessive.
Identifying the data subjects who request to have a right granted
The company needs to be able to identify the data subject who requests to have a right granted. If not, there is a risk that the company hands over the information to an unauthorized person, which would constitute a personal data breach. However, identification must be carried out in a manner that is proportionate and reasonable, and the company may only ask for additional information when it has reasonable doubts about the identity of the person making the request (Article 12(6) GDPR). For example, it may not be permissible for a company to request a copy of an ID document when identifying a person.
A company had to pay a fine because, inter alia, it had requested a copy of a passport for identification purposes in a case where it was not proportionate. The passport contained more information than was necessary to prove the identity of the data subject.
Therefore, a company can instead consider identifying the data subject by asking other verification questions. For example, by asking questions about the data subject's history and previous communication with the company, by verifying contact details that the company already has registered (such as sending the reply to the e-mail address on file), etc.
Businesses may refuse to grant rights in certain cases
In some cases, a company can refuse to grant a right requested by a data subject. For example, if it cannot identify the data subject. The same applies if granting a right would adversely affect the rights and freedoms of others, for example if a copy of the personal data would also reveal personal data about a third party.
Use technical and organizational measures to enforce the rights
It is important that the company educates its employees about applicable law, to be able to meet the eight (8) fundamental rights that data subjects have under the GDPR. It is also beneficial for companies to draw up the following documentation and to take the following measures:
Privacy notice with information about the processing of personal data
Data subjects have the right to information about the company's processing of their personal data. The information should be in writing and set out in a so-called "privacy notice". It is beneficial for companies to publish their privacy notice online on their official website; usually it is available in the footer of the website. It is important to know when the information about the processing should be presented to the data subject: this should be done at the time the personal data are collected, if possible. Articles 13 and 14 of the GDPR regulate what the privacy notice must contain in order to meet the minimum requirements. In addition, the privacy notice must be drafted in clear and plain language that the recipient understands, in the national language, and should not be formulated in an overly complicated way.
Inadequate information on several rights
A company in Sweden had to pay a fine of SEK 7.5 million for, among other things, providing insufficient information to data subjects regarding their rights under the GDPR. For example, the information was inadequate regarding the right to object, etc. The supervisory authority considered that the information did not comply with the requirement of transparency.
Internal procedures that the company's employees must follow when processing personal data
Companies should also establish written internal procedures that employees must follow when processing personal data. For example, a routine for erasure of personal data and a routine for handling personal data breaches. In addition to routines, a company can also prepare ready-made response templates, so that it can respond quickly and consistently when a data subject invokes his or her rights under the GDPR. A company also needs to adopt and implement appropriate technical solutions, in order to protect personal data and to be able to meet the rights of the data subjects (for example, the ability to locate, export and erase all personal data about a given individual across its systems).
The eight (8) fundamental rights that data subjects have under the GDPR
Here is a summary of the eight (8) fundamental rights that data subjects have under the GDPR:
Right to be informed (Articles 12, 13 and 14 GDPR)
When a company processes personal data, the company must inform the data subjects about the processing. The company should do this at the time the personal data are collected (if possible) and provide the information free of charge. In addition, the data subject has the right to obtain the information during the processing. In some cases, companies must also inform data subjects when a personal data breach occurs (Article 34 GDPR).
Examples of information to be provided about the processing:
- Purpose: The purpose of the processing;
- Legal basis: The legal basis used by the company;
- Storage period: How long the company will store the personal data;
- Rights: The rights of data subjects under the GDPR;
- Complaints: The possibility for the data subject to lodge a complaint with the national supervisory authority;
- Contact details: Contact details of the personal data controller. In addition, the company shall include the contact details of the Data Protection Officer if appointed.
Right of access (Article 15 GDPR)
When a company processes personal data, data subjects have the right to contact the company to find out whether or not it is processing personal data relating to them. Article 15 of the GDPR regulates this, the so-called right of access. If the company does process such data, the data subject has the right to obtain a copy of the personal data that the company processes about him or her.
Examples of information to be provided by the company to the data subject:
- Purpose: What the purpose of the processing is;
- Categories: The categories of personal data that the company processes;
- Copy: A copy of the personal data of the data subject that the company processes;
- Storage period: The storage duration of the personal data;
- Transfers: The recipients to whom the company has disclosed the personal data. For example, personal data processors or other third parties;
- Origin: Information on how the company obtained access to the personal data. For example, if it is the data subject who provided the information or a third party.
Right to rectification (Article 16 GDPR)
Companies shall not process inaccurate or incomplete personal data. If the company discovers that the personal data is inaccurate or incomplete, it shall correct or complete them. Alternatively, the company shall delete the personal data in question.
In addition, data subjects have the right to request that the company rectify inaccurate personal data pursuant to Article 16 of the GDPR, which governs the right to rectification. The company shall then carry out the correction without undue delay. Please note that the company must also communicate the rectification to each recipient to whom the personal data have been disclosed, and inform the data subject about those recipients if he or she asks for it (Article 19 GDPR).
Right to erasure (Article 17 GDPR)
According to the GDPR, a data subject has the right to ask a company to delete his or her personal data that the company processes. This follows from Article 17 of the GDPR, which governs the right to erasure. This right is also referred to as the "right to be forgotten". However, this does not always mean that the company must stop processing and carry out the erasure. There are certain exceptions that allow the company to continue processing the personal data anyway, for example where the processing is necessary to comply with a legal obligation or for the establishment, exercise or defence of legal claims.
Here are some examples of when companies should delete personal data in the event of such a request from a data subject:
- When the company no longer needs the personal data for the purposes for which they were collected;
- If the legal basis is consent and the data subject withdraws it. Remember that consent must be freely given and actively expressed according to the GDPR;
- When the purpose of the processing is direct marketing and the data subject objects to such processing;
- If the legal basis is legitimate interest and the data subject objects to the processing. Please note that the company may carry out a new legitimate interest assessment after receiving the request for deletion. If the company then concludes that it has compelling legitimate grounds that override the interests, rights and freedoms of the data subject, it can continue the processing. However, the company must justify the assessment, including the decision, and inform the data subject.
Right to limitation of processing (Article 18 GDPR)
In some cases, data subjects have the right to request that a company restrict the processing of their personal data. For example, in connection with a data subject's request to have his or her personal data rectified. In such cases, the data subject has the right to request that the company restrict the processing until it has verified whether the personal data are accurate or not. While processing is restricted, the company may as a rule only store the data. Keep in mind that the company must inform the data subject before the restriction is lifted (Article 18(3) GDPR).
Right to data portability (Article 20 GDPR)
This right means that in some cases, data subjects have the right to have their personal data transferred to another company. For example, if a data subject has an account on a social media service and wants to create an account on another similar service. The requirement for the right to data portability is that the legal basis for the processing is either:
Right to object (Article 21 GDPR)
This right means that data subjects can object to the processing of their personal data, by notifying the company that processes them. However, this does not always mean that the company has to stop the processing. If the company can demonstrate, by carrying out a new legitimate interest assessment, that it has compelling legitimate grounds for the processing which override the interests, rights and freedoms of the data subject, it has the right to continue the processing. An exception is processing for direct marketing purposes: if the data subject objects to such processing, the company must stop it and there is no balancing to be done.
Here are three situations where data subjects have the right to object:
- Public interest: When the processing is necessary for the performance of a task carried out in the public interest;
- Exercise of official authority: When the processing is carried out in the exercise of official authority vested in the company;
- Legitimate interest: When the processing is based on a balancing of interests with legitimate interest as the legal basis.
Automated decision-making and profiling (Article 22 GDPR)
Data subjects also have the right under the GDPR not to be subject to a decision based solely on automated processing, including profiling, which produces legal effects concerning them or similarly significantly affects them. In other words, decisions made by a machine without any meaningful human involvement. An example of such an automated decision is when a company decides to deny a loan application through an algorithm, without a human reviewing the outcome.
Below are two examples of cases where a company may nevertheless take such automated decisions (the data subject then retains the right to obtain human intervention and to contest the decision):
- When the purpose is to be able to fulfill a contract; or
- When a company obtains the explicit consent of the data subject.
More rights of data subjects under the GDPR
In addition to the eight (8) fundamental rights described above, the GDPR also contains several further rights. Among other things, the right to lodge a complaint with the supervisory authority (Article 77 GDPR), the right to compensation for damages (Article 82 GDPR) and the right to withdraw a given consent at any time (Article 7(3) GDPR).
More information about GDPR
Legal bases under the GDPR
There are six legal bases for lawful processing of personal data under the GDPR (Article 6). Each individual processing of personal data must rest on one of these legal bases, such as consent or performance of a contract with the data subject. If a company does not have a legal basis for a processing, the processing is unlawful and shall not be carried out. It is important to have knowledge about the legal bases in order for the processing of personal data to be carried out correctly.