February 19, 2019


Rights of Individuals Under the GDPR

The EU’s General Data Protection Regulation goes into effect on May 25, 2018. GDPR replaces the EU Data Protection Directive. GDPR can apply to US-based businesses even if they do not have offices or employees in the EU. It can also reach activities conducted outside the EU.

The Directive did not regulate US businesses unless the collection or processing occurred within the EU (e.g., if a US-based company had a data center in the EU). Now GDPR clearly has stronger extraterritorial reach than its predecessor.

Businesses collecting and using personal data should know their GDPR obligations. Violators of GDPR face steep penalties. Regulators can fine a company up to 20,000,000 euros or 4% of worldwide annual turnover, whichever is higher.

The GDPR provides enhanced rights for individuals. Below we summarize the general principles companies must follow when interacting with individuals and we identify the specific rights granted to individuals under the GDPR. We also suggest some practical steps to assist your company’s compliance with this portion of the GDPR.

General Principles

  1. Your information and communications with individuals must be concise, transparent, intelligible, accessible and in clear/plain language.

  2. Rights can be exercised free of charge, unless the request is manifestly unfounded or excessive.

  3. You must respond to requests and provide information promptly and, generally, within one month (exemptions may apply).

Individual Rights

Right of access to personal data. An individual has the right to access personal data held by an organization.

Right of rectification. An individual has the right to request the correction of personal data held by an organization to the extent that it is inaccurate or incomplete.

Right to data portability. An individual has the right (in certain circumstances) to obtain personal data in a format to allow them to transfer it from one organization to another.

Right to withdraw consent. An individual has the right to withdraw consent at any time, and the process to withdraw consent must be as easy as the process to give consent.

Right to object. An individual has the right to object to processing based on legitimate interests or the performance of a task in the public interest/exercise of official authority (including profiling). This right also applies to direct marketing and processing for purposes of scientific/historical research and statistics.

Right to restrict processing. An individual has the right (in certain circumstances) to “block” or suppress the processing of their personal data.

Right to object to automated decision making (including profiling). An individual has the right (in certain circumstances) to object to automated decisions (including profiling) based upon the processing of personal data and request human involvement.

Right to erasure/to be forgotten. An individual has the right (in certain circumstances) to request the deletion of personal data where there is no compelling reason for its continued processing.

Other rights. An individual has the right to: complain to the data protection regulator; seek a judicial remedy against a controller/processor; be represented by consumer bodies/watchdogs; and obtain compensation from the controller/processor.

Notification of rectification, erasure or restriction. If an individual asks you to erase personal data, restrict processing, or rectify incomplete or inaccurate personal data, you must notify any other organization to which you have disclosed the individual’s personal data (unless this is impossible or involves disproportionate effort).

Practical Steps

  1. Review, create and/or update protocols for dealing with individual rights. Ask and answer questions such as: Can we respond to requests within a month? Will we need any assistance from our processors?

  2. Ensure existing and new internal systems (HR, IT, etc.) are designed to give effect to and comply with these rights. Ask and answer questions such as: Do we have the ability to correct data? What is the process if an individual requests a copy of their data?

  3. Review and update your existing communications with individuals. Ask and answer questions such as: Are our public facing policies (e.g., privacy policies) and communications concise, transparent, intelligible, accessible and in clear/plain language?

Copyright © 2019 Womble Bond Dickinson (US) LLP All Rights Reserved.

About this Author

Matthew Harris, Attorney, Womble
Attorney

Matthew is a solicitor who specialises in Commercial Law. He undertakes a broad range of commercial work, with a particular focus on matters relating to information technology, e-commerce, data protection and privacy.

Matthew has previously undertaken a secondment to an international retailer. Whilst on secondment, Matthew supported the internal legal team on a variety of matters and projects, providing assistance on a wide range of commercial issues.

+44 (0)2380 20 8146
Orla M. O'Hannaidh, Womble Carlyle, Intellectual Property Attorney, Technology Commercialization Lawyer
Associate

Orla O’Hannaidh is an associate in Womble Carlyle’s Intellectual Property Practice Group and a member of the firm’s IP Transactions Team. Her practice focuses on drafting and reviewing a broad variety of contracts involving the use and commercialization of intellectual property and technology. Orla also practices in the areas of copyright, marketing, sweepstakes and promotions law. Before joining Womble Carlyle, Orla worked for the Irish Department of Foreign Affairs in Washington D.C. and Dublin, Ireland. Orla gained significant experience in government relations and negotiations. Orla also received a Masters in International Relations and served as a summer clerk for Justice Paul Newby of the North Carolina Supreme Court. 

919-484-2339