When do companies need to provide this information?
When companies collect the personal data directly from the data subject, they must provide them with the information at the time of the data collection. On the other hand, when they obtain personal data from a different source than the data subject, they need to provide the information:
- within a reasonable period of obtaining the personal data, but no later than one month
- if they use the data to communicate with the data subject, at the latest at the time of the first communication to the data subject
- if they intend to disclose the data to someone else, at the latest when they disclose the personal data
How should businesses communicate the information?
Businesses must communicate the information in a concise, unambiguous, and intelligible form, using clear and plain language. Furthermore, the information should be easily accessible.
If companies intend to process the personal data for other purposes than the ones initially specified, they must update the information and notify the data subjects of the changes.
2. Right of access
Data subjects have the right to access and get a copy of the personal data that companies hold about them. Accordingly, companies must provide individuals with:
- a copy of their personal data undergoing processing and
- information regarding the processing (which is roughly the same as the information described in the table above)
This helps the data subjects understand how and why businesses process their personal data and verify whether the processing is legal.
Organizations should provide the data subject with a copy of the personal data and additional information as soon as possible and no later than one month from the receipt of the request. For complex requests, companies can extend the time limit by two months.
It is important to note that the copy of the personal data and the supplementary information should be provided free of charge and in an accessible format. Moreover, companies should send such information via secure channels (e.g., apps and systems that employ encryption).
3. Right to data portability
Data subjects have the right to obtain the personal data they have provided to a business in an interoperable, structured, commonly used, and machine-readable format. According to the right to data portability, data subjects can also request companies to transmit their personal data to other controllers (e.g., other companies). However, this right only applies when the legal basis for the data processing is consent or fulfilment of a contract.
Companies must comply with the data subject’s request within a month of receiving the request. Moreover, they must ensure that the data is transmitted via secure channels.
4. Right to rectification
Data subjects have the right to have their personal data rectified or completed if the data companies hold about them is inaccurate or incomplete.
If they receive a rectification request, companies need to check the accuracy of the data they hold on the individual and take measures to rectify or complete it. This should be done as soon as possible and no later than one month from receiving the request.
5. Right to restrict processing
Under the EU’s GDPR, data subjects have the right to request the restriction of the processing of their personal data in the following cases:
- the data subject contests the accuracy of their personal data, and the company is checking the accuracy of the data
- the data processing was unlawful, and the data subject is opposing the erasure of the personal data and requests restriction of processing instead
- the data is no longer necessary, but the data subject needs the company to hold it in order to establish, exercise, or defend a legal claim
- the data subject objected to the data processing, and the company is determining whether its legitimate interest overrides those of the data subject
When data subjects exercise their right to restrict processing, companies are still allowed to store their personal data, but they are prohibited from performing any other operation on the data.
Timewise, companies have one month to respond to restriction of processing requests.
6. Right to erasure (right to be forgotten)
The EU’s GDPR gives individuals the right to erasure, also known as the right to be forgotten. Therefore, if an individual asks the company to erase all the personal data it holds about them, the company has to comply with the request within one month of receiving it.
However, there are a few exceptions. These include cases where the data processing is necessary:
- to exercise the right of freedom of expression and information
- to meet a legal obligation
- to carry out a task in the public interest
- for archiving purposes, where erasure will make it impossible to achieve the objectives of that processing
- for the establishment, exercise, or defence of legal claims
For example, anti-money laundering laws require obliged entities to store KYC documents for a specific period of time after the end of the business relationship. In such cases, the right to erasure cannot be exercised until the retention period required by the law has expired.
7. Right to not be subject to a decision based solely on automated processing, including profiling, that has legal or similarly significant effects on them
Data subjects have the right not to be subject to decisions made solely by automated means (including profiling) that have legal or similarly significant effects on them. An example could be the automatic rejection of an online loan application (without any human intervention).
However, there are a few exceptions. A company can carry out solely automated decision-making with legal or similarly significant effects in the following cases:
- if the decision is necessary for entering into or fulfilling a contract between the company and the data subject
- if the decision is legally authorized (for example, to prevent fraud or money laundering)
- if the data subject gave their consent
In such cases, companies must also implement appropriate measures to protect the individual’s rights and freedoms and legitimate interests, such as:
- the right to obtain human intervention
- the right to express their point of view
- the right to challenge the decision
- the right to obtain a clear explanation of the decision
- the right to receive specific information about the decision-making process and its potential consequences for the individual
Additionally, companies must also:
- use appropriate mathematical or statistical procedures
- implement measures to minimize the risk of errors
- ensure the security of the personal data
- prevent discriminatory effects
8. Right to object
Data subjects have the right to object to personal data processing for direct marketing purposes, including profiling in connection with direct marketing. Once the company receives the request, it must stop processing the person’s data within one month.
Furthermore, data subjects can also object to the processing when the legal basis for the data processing is one of the following:
- the performance of a task carried out in the public interest
- the exercise of official authority
- legitimate interest
In such situations, the data subjects must explain why they disagree with the data processing. Companies can, however, deny the request if they can demonstrate that:
- their legitimate interest overrides the interests of the data subjects
- the data processing is necessary for the establishment, exercise, or defense of legal claims
How can the data subjects exercise their rights?
Data subjects should submit a request to the company that is processing their personal data. The request can be either verbal or in writing.
What if the data controller doesn’t intend to comply with a request?
If the data controller doesn’t intend to comply with a request, they must provide reasons for the rejection of the request. Moreover, they must inform the data subject who made the request of the possibility of filing a complaint with a supervisory authority.
How do I submit a request to Penneo to exercise my rights?
Penneo customers can submit requests by contacting our Data Protection Officer (DPO). The DPO will perform the necessary actions to comply with the request. Penneo will usually fulfill the request within a week and notify the customer as soon as the request is resolved.