Roles in GDPR
Data Subjects in GDPR
Any information that can be linked, directly or indirectly, to a living natural person is personal data under the GDPR: for example a name, social security number, home address, IP address or phone number.
Types of Personal data
The more sensitive the personal data, the higher the security requirements. There are four groups of privacy-sensitive personal data, one of which is sensitive personal data (the special categories in Article 9). Privacy-sensitive personal data must be processed with a higher level of security than "ordinary" personal data such as a name. Please note that the GDPR does not apply to the personal data of deceased persons.
Different Roles in GDPR
The data subject is the natural person whose personal data is being processed.
The organisation that determines the purposes and means of the processing of personal data is the data controller, for example a limited liability company. The controller is therefore the legal entity, not a specific individual at the company, unless the business is a sole trader, in which case he or she is the controller.
When a company processes personal data on behalf of a controller and in accordance with its documented instructions, it acts in the role of processor. For example, an accounting firm that processes personal data belonging to its customers when it carries out the accounting for them.
Some companies must appoint a data protection officer (DPO); Article 37 requires one for public authorities and for organisations whose core activities involve large-scale, regular and systematic monitoring of individuals or large-scale processing of sensitive personal data. The DPO monitors the company's compliance with the GDPR and advises on, for example, data protection impact assessments. Data subjects and employees of the company have the right to contact the DPO with questions regarding the processing of their personal data. Companies that are not required to have a DPO may appoint one voluntarily.
Data subjects have a number of fundamental rights under the GDPR
According to the GDPR, data subjects have a number of rights that companies must be able to fulfil, so companies need, among other things, to establish routines for handling requests. When a data subject exercises a right, the company must respond within one month. In certain cases the company may extend this time limit by a maximum of two further months. Below is a summary of the most fundamental rights data subjects have under the GDPR.
Rights in GDPR
Right of access (Art. 15 GDPR)
A data subject may want to know whether a company is processing their personal data. In that case the data subject may request confirmation and access to the personal data concerning them, together with information such as the purposes, recipients and retention period. The right to obtain a copy must not, however, adversely affect the rights and freedoms of others, so the data subject is not always entitled to the original documents, for example when they also contain another data subject's personal data.
Right to information (Articles 12, 13 and 14 GDPR)
When a company processes personal data, it must inform the data subjects about the processing: among other things, the purpose of the processing, how long the data will be retained, and whether the data is transferred to a third country. In addition, data subjects must be informed of a personal data breach affecting them when the breach is likely to result in a high risk to their rights and freedoms (Article 34).
Right to rectification (Article 16 GDPR)
If a company processes personal data that is inaccurate or incomplete, it must be corrected or completed. This applies both when a data subject requests it and when the company itself discovers the error. A data subject may, however, be mistaken in considering the data inaccurate, so the company should first verify whether the data is actually wrong. Please note that the company must also inform each recipient to whom the data has been disclosed of the rectification, unless this proves impossible or involves disproportionate effort (Article 19).
Right to erasure (Article 17 GDPR)
Companies must delete or anonymise personal data in certain situations, for example when the personal data is no longer necessary for the purpose for which it was collected, or when a data subject withdraws the consent on which the processing is based. The same applies when a data subject requests erasure. However, companies may still need to process certain personal data because of, for example, retention obligations under other laws, in which case erasure can be refused for that data.
Right to restriction of processing (Article 18 GDPR)
If a data subject requests that inaccurate personal data be rectified, they may also ask the company to restrict the processing while the accuracy is being verified. Before such a restriction is lifted, the company must inform the data subject (Article 18(3)).
Right to data portability (Art. 20 GDPR)
If a company processes the data subject's personal data by automated means on the legal basis of consent or contract, the data subject has the right to receive that data in a structured, commonly used and machine-readable format. In addition, the data subject has the right to have the data transmitted directly to another controller, where technically feasible. The purpose of the provision is to make it easy for individuals to switch between competing service providers.
Right to object (Art. 21 GDPR)
If a company processes personal data on the basis of a legitimate interest (after a balancing of interests) or for a task carried out in the public interest or in the exercise of official authority, the data subject has the right to object to the processing. For example, if a company sends advertising e-mails after concluding, following a balancing of interests, that it has a legitimate interest in doing so, the data subject can demand that the company stop. For direct marketing the right to object is absolute: companies must stop direct marketing to anyone who has objected.
Automated decisions (Art. 22 GDPR)
Data subjects have the right not to be subject to a decision based solely on automated processing, including profiling, that produces legal effects concerning them or similarly significantly affects them. Such decisions are permitted only if they are necessary for entering into or performing a contract, authorised by law, or based on the data subject's explicit consent. In the contract and consent cases the company must provide safeguards: at least the right to obtain human intervention, to express one's point of view and to contest the decision.
Identify data subjects
In order to fulfil a right requested by a data subject, the company first needs to verify the identity of the person making the request. If the company deletes personal data on request without being able to identify the requester, and it turns out that someone other than the data subject made the request, that is a personal data breach. Companies should prevent this through technical and organisational security measures. Please note, however, that the identification method must be proportionate: requesting a passport copy may be disproportionate if there are other, less privacy-intrusive ways to identify the person, such as verifying control of the e-mail address or account the company already holds for them.
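As an added example (not from the original article), the following shows one proportionate way to verify a requester: instead of demanding a passport copy, the controller sends a single-use, time-limited token to the e-mail address it already holds for the account, so only someone who controls that mailbox can complete the request. The function names, the in-memory stores and the sample account are assumptions made for this illustration.

```python
# Added example, not code from the original article: proportionate identity
# verification for a data-subject request via a single-use, time-limited
# token sent to the address already on file. All names are illustrative.
import hashlib
import hmac
import secrets
import time
from dataclasses import dataclass
from typing import Optional

# Assumption: in production this secret lives in a secrets manager, not in code.
SERVER_SECRET = secrets.token_bytes(32)
TOKEN_TTL_SECONDS = 15 * 60

# Constructed sample of the controller's own customer records.
ACCOUNTS = {"alice@example.org": "acct-1001"}

# Simulated outbox: (recipient, token) pairs that would be e-mailed.
OUTBOX: list = []

# Same acknowledgement whether or not the address is known, so the endpoint
# cannot be used to enumerate which addresses have accounts.
ACK = "If we hold an account for that address, a verification link has been sent."


@dataclass
class PendingRequest:
    request_id: str
    email_on_file: str
    right: str            # e.g. "erasure", "access", "portability"
    issued_at: float
    nonce: str
    used: bool = False


_pending: dict = {}


def _mac(req: PendingRequest) -> str:
    # Bind the token to the request, the subject, the right and the issue time,
    # so it cannot be replayed against another request or a different right.
    msg = "|".join([req.request_id, req.email_on_file, req.right,
                    str(int(req.issued_at)), req.nonce]).encode()
    return hmac.new(SERVER_SECRET, msg, hashlib.sha256).hexdigest()


def start_request(request_id: str, claimed_email: str, right: str,
                  now: Optional[float] = None) -> str:
    """Record a request and send a token to the address on file."""
    now = time.time() if now is None else now
    email = claimed_email.strip().lower()
    if email in ACCOUNTS:
        req = PendingRequest(request_id, email, right, now, secrets.token_urlsafe(16))
        _pending[request_id] = req
        # The token itself is never stored: a leaked request table yields
        # nothing usable without SERVER_SECRET.
        OUTBOX.append((email, _mac(req)))
    return ACK


def verify_token(request_id: str, token: str, now: Optional[float] = None) -> bool:
    """Accept a token once, within its lifetime, only for the request it was issued for."""
    now = time.time() if now is None else now
    req = _pending.get(request_id)
    if req is None or req.used:
        return False
    if now - req.issued_at > TOKEN_TTL_SECONDS:
        return False
    if not hmac.compare_digest(_mac(req), token):
        return False
    req.used = True   # single use: a forwarded or logged link cannot be replayed
    return True


if __name__ == "__main__":
    start_request("req-1", "Alice@example.org", "erasure")
    recipient, token = OUTBOX[-1]
    print(recipient, verify_token("req-1", token), verify_token("req-1", token))
```

The design point is that the check relies only on data the controller already holds (the account e-mail address), which is the "less privacy-sensitive" route the paragraph refers to, and that the stored record contains no usable secret: the token is an HMAC over the request fields, so neither a database leak nor a token issued for a different request or right lets anyone complete the erasure.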
Deadline for replying to a data subject's request
When a data subject exercises a right, the company must act on the request within one month of receiving it. In some cases the time limit may be extended by a further two months, taking into account the complexity and number of requests; the company must then inform the data subject of the extension and the reasons for it within one month of receipt. An example where an extension may be permissible is when a company receives an unusually large number of complex requests at the same time.
Processing of personal data for public security purposes
The GDPR does not apply when competent authorities process personal data for the prevention, investigation, detection or prosecution of criminal offences, or for the execution of criminal penalties; such processing falls under the separate rules that apply to law enforcement. For example, if a person is convicted of a crime and sentenced to imprisonment, the prison service must process the personal data of the convicted person, but it does so outside the GDPR.
A company's corporate identity number is usually not an individual's personal data
In most cases, a company's corporate registration number is not personal data. It can be, however: for example, it is personal data in the case of a sole proprietorship where the corporate identity number is the same as the owner's personal identity number. Similarly, a generic role address such as info@company.com is not personal data, whereas an address containing an individual's name is.
Data subjects can receive compensation for infringements of GDPR
If an organisation violates the GDPR, a data subject may in some cases be entitled to damages. This is not something a supervisory authority awards in its supervision or its decisions; the data subject must instead bring a civil action against the company in a separate legal process. If a supervisory authority fines a company for violating the GDPR, the amount is paid to the state, not to the data subjects concerned. Please note, however, that a fine imposed by the supervisory authority may strengthen the data subject's position in a subsequent civil case.
Data subjects may be entitled to damages in case of fear of possible misuse of personal data in the future
After a cyberattack against the Bulgarian tax agency, some of the affected data subjects sued the agency and claimed damages for the non-material damage caused by the personal data breach, arguing that they feared the personal data could be misused in the future. The case went all the way to the Supreme Administrative Court of Bulgaria, which requested a preliminary ruling from the Court of Justice of the European Union on liability (case C-340/21). The CJEU held that a data subject's well-founded fear that their personal data may be misused in the future can in itself constitute non-material damage giving rise to compensation.
Data processors may also be liable for damages
A processor is liable to the data subject under Article 82 of the GDPR where it has not complied with the obligations the GDPR places specifically on processors, or where it has acted outside or contrary to the lawful instructions of the controller.
More information about roles
Regulatory authorities
Every EU country has a national supervisory authority that handles matters regarding the GDPR. Among other things, they have the power to fine companies that violate the GDPR, and they publish guidance and other information about the GDPR that is useful to know. A data subject wishing to lodge a complaint about the processing of their personal data can always do so with the supervisory authority of the EU country where they live, even if that authority is not the lead supervisory authority for the company, as is often the case for large international companies. If the supervisory authority considers that another national supervisory authority is more appropriate or responsible, it may refer the matter to that authority.