ToolsEmail Marketing | Personalize and Customize Your Messages, Contact Relationship Management Software
5 min read
5 min read
In the past few weeks we have covered three rights individuals will possess under GDPR: the right to be informed, the right to access, and the right to rectification. This week in the GDPR Overview series, we will be covering three more rights: the right to erasure, the right to restrict processing, and the right to object to processing.
First of all, let's find out what these rights actually mean.
The right to erasure is also commonly known as the right to be forgotten. Essentially, it gives individuals the right to ask (in specific situations only) that you erase all their personal data you have stored on them, thus enabling them to be "forgotten."
The right to restrict processing gives individuals some control over how their personal information gets used by your organization. Organizations are permitted to process and store this personal data, however, they are not permitted to use it.
The right to object to processing means that individuals can refuse to have their personal data processed by your organization under certain circumstances.
The right to be forgotten, as stated above, only applies in certain situations. This means individuals cannot simply request the erasure of their personal data for no apparent reason and requires them to have a legitimate reason for wanting to be forgotten.
However, there are quite a few legitimate reasons an individual can provide when submitting a request for erasure. For example, if your organization no longer requires the personal data that was initially collected from the individual, then said individual can request that this information be securely deleted as there is no legitimate purpose for which this data must be retained.
Other potential situations where an individual can legitimately request their data be deleted can include (among others):
Upon the receipt of an erasure request, under GDPR your organization must respond within a month. However, if the request is long or complex, or if you receive multiple requests from the same individual, you are able to extend the deadline an additional two months, provided you let the requester know within the original month.
There are certain cases in which the right to erasure does not apply. For example, the right of erasure does not apply if the data is being processed in order to exercise the right of freedom of expression and information.
A couple of other situations where the right of erasure would not apply include:
Also, in the case of special category data (sensitive data such as genetic or some biometric data), the right of erasure will not apply if the processing of that data is necessary for public health purposes or the management of health or social care services. However, this only applies if the data is being processed under the responsibility of a health professional (or someone bound by the legal obligation of confidentiality).
Individuals can request that their data be restricted under certain conditions. Under GDPR, when data processing is restricted or suppressed, organizations are permitted to store the individual's personal data but they cannot use it.
Individuals must have a particular reason for wanting their data restricted. They cannot ask that you restrict the use of their data simply "because." For example, the individual may want their data restricted because they contest the content of the data the organization has collected or stored.
Individuals have the right to ask for an organization to restrict the processing of their personal data when the data has been processed illegally; when the data is no longer required by the organization but may still be needed to substantiate a legal claim; or if the individual has submitted a request for rectification that has yet to be fulfilled, among other kinds of requests.
When a request comes in from an individual (either verbal or in writing) to restrict the processing of their data, an organization has one month to comply with the request but can extend this for two more months if the request is lengthy or complex. The organization must inform the individual within the original month with regard to the extension requirement.
In regard to restricting the processing of personal data, in many cases, this will only be a temporary act necessary while a rectification, erasure, or objection request is being considered by your organization. Often data restriction serves as an alternative to full data erasure, especially in the case where the data may not be needed by the organization anymore, but it should still be stored in case it is needed in the defense of a legal claim. Before a restriction is lifted, however, it is imperative that you inform the individual before doing so and let them know they have the right to lodge a complaint to a supervisory authority and can seek judicial remedies in the event they are not satisfied with your decision.
The right to object to having personal information processed is a little more cut and dry compared to some of the other rights we have covered. When a legitimate objection request is received, an organization has very little leeway under which they can refuse the request.
There are several cases in which an individual can object outright to having their personal data processed by an organization. These include:
An organization is compelled to comply with an objection request made on any of these grounds except in the following circumstances:
GDPR grants individuals a lot more power to determine how and if their personal data is used by an organization who collects it. As has been mentioned previously during this series, this ensures organizations are held accountable for the ways they collect, process, and store this data so as to greater protect the privacy of individuals' data and prevent it from being mishandled and misused.
That's it for this week's edition of the GDPR Overview blog series. Next week, we will take a look at the last two rights that have been granted to individuals under GDPR: the right to data portability and rights related to automated decision-making.