Users whose personal information is collected and processed have a set of rights allowing them to control that information. It is essential to indicate that these rights exist and to explain, in practical terms, where, how and whom to contact in order to exercise them.
Why is the exercise of users’ rights important?
Rights can be seen as a set of means giving data subjects real leverage over their data. They can be exercised as soon as an organisation has access to or processes someone's data.
Implementing simple and effective features and journeys for exercising these rights meets legal obligations while supporting data subjects through the procedure.
What are the rights of data subjects?
The GDPR provides data subjects with up to seven rights, depending on the processing:
- the right of access allows, among other things, a data subject to know whether their data are processed and to obtain a readable copy in an understandable format. It is notably used to check data accuracy;
- the right to rectification allows the data subject to modify, correct or update data concerning them, to limit the spread or use of inaccurate information;
- the right to object allows the data subject to oppose their data being used for a specific purpose;
- the right to erasure allows the data subject to have their data deleted;
- the right to restriction of processing temporarily stops the use of a person's data while, for example, their objection to the use of their data or their request to exercise a right is being assessed;
- the right to data portability entitles the data subject to recover some of their data in a machine-readable format, for their own use or to provide them to another organisation;
- the right to human intervention allows the data subject to obtain human intervention, express their point of view and contest a decision based solely on automated processing, including profiling.
Facilitating access to the exercise of rights
When a data subject wants to exercise a right, they should easily be able to find out to whom to address the request. Contact information should be easily accessible and located in logical places, for example in the user account, in contextual information, in the privacy policy, in FAQs, etc.
Example
In this example, the data subject wants to exercise their right to data portability. They go to their user account to see how to download a copy of their data.
Focus of attention
Possible approach
Guiding the data subject in how to exercise their rights
Exercising a right is often an exceptional event in the ordinary user journey of a service. It is therefore all the more important to guide the data subject properly through a process that can seem intimidating: proposing simple steps for making a request, recalling what each right is for and what it results in, providing request templates, etc.
A right can be exercised through different means and formats, chosen according to the right and the context. A request can be filed electronically (form, email, online account, etc.) or by paper mail.
Example
On this smartphone application, the data subject wants to know which data is processed by the service. They go to the section of their account designed to exercise their rights.
Focus of attention
Possible approach
Communicating on the status of the request
Throughout the process, it is important to ensure that the data subject is informed about the status of their request. They should be informed when the request has been received and of any decision taken on it, in an accessible format matching the channel they used to contact the controller.
Example
The data subject wants to download the data collected while they were using a sports tracking service. They go to their user account.
Focus of attention (animated example)
Possible approach
Allowing the data subject to track their request
To give the data subject continuity in the exercise of their right, and to support them should they dispute the decision taken and refer it to a supervisory authority, it is recommended to let them easily track the handling of their request. For instance, a system for printing or archiving requests, or for downloading the exchanges, may be set up.
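The following is an added example, not the CNIL's code, of how a service could back the two preceding recommendations ("Communicating on the status of the request" and tracking the request): a small tracker that records every status change of a rights request, rejects transitions that would skip the acknowledgement step, keeps the channel the data subject used so replies go back the same way, flags requests approaching the one-month response deadline of Article 12(3) GDPR, and exports the full history as JSON so the data subject can archive it or hand it to a supervisory authority. The status names, the 30-day approximation of "one month" and the request identifiers are this example's own assumptions.

```python
"""Lifecycle tracker for data subject rights requests (added example, not CNIL code)."""
import json
from dataclasses import dataclass, asdict
from datetime import datetime, timedelta

# The seven rights listed on this page.
RIGHTS = {
    "access", "rectification", "objection", "erasure",
    "restriction", "portability", "human_intervention",
}

# Allowed status transitions (assumed names). A request must be acknowledged
# before work starts, so the data subject always receives a receipt message.
TRANSITIONS = {
    "received": {"acknowledged"},
    "acknowledged": {"in_progress"},
    "in_progress": {"completed", "refused"},
    "completed": set(),
    "refused": set(),
}
FINAL_STATUSES = {"completed", "refused"}

# Article 12(3) GDPR: answer within one month of receipt (30 days assumed here).
RESPONSE_DEADLINE = timedelta(days=30)


@dataclass
class Event:
    at: str        # ISO 8601 timestamp of the status change
    status: str
    note: str      # text shown to the data subject for this step
    channel: str   # channel used to notify them (same one they used)


class RightsRequest:
    def __init__(self, request_id: str, right: str, channel: str, received_at: str):
        if right not in RIGHTS:
            raise ValueError(f"unknown right: {right}")
        self.request_id = request_id
        self.right = right
        self.channel = channel
        self.received_at = datetime.fromisoformat(received_at)
        # The first event is the receipt itself; history is append-only.
        self.history = [Event(received_at, "received",
                              f"{right} request received via {channel}", channel)]

    @property
    def status(self) -> str:
        return self.history[-1].status

    def advance(self, new_status: str, note: str, at: str) -> str:
        """Move to a new status; refuse any transition not in TRANSITIONS."""
        if new_status not in TRANSITIONS[self.status]:
            raise ValueError(f"cannot go from {self.status} to {new_status}")
        self.history.append(Event(at, new_status, note, self.channel))
        return self.status

    def deadline(self) -> datetime:
        return self.received_at + RESPONSE_DEADLINE

    def overdue(self, now: str) -> bool:
        """True if the request is still open past the response deadline."""
        return (self.status not in FINAL_STATUSES
                and datetime.fromisoformat(now) > self.deadline())

    def export(self) -> dict:
        """Full record the data subject can download or archive."""
        return {
            "request_id": self.request_id,
            "right": self.right,
            "channel": self.channel,
            "received_at": self.received_at.isoformat(),
            "deadline": self.deadline().isoformat(),
            "status": self.status,
            "history": [asdict(e) for e in self.history],
        }

    def export_json(self) -> str:
        return json.dumps(self.export(), indent=2, sort_keys=True)


if __name__ == "__main__":
    # Constructed sample: a rectification request sent by email.
    req = RightsRequest("REQ-0001", "rectification", "email", "2024-01-10T09:00:00+00:00")
    req.advance("acknowledged", "We have received your request.", "2024-01-10T09:05:00+00:00")
    req.advance("in_progress", "Your request is being processed.", "2024-01-12T14:00:00+00:00")
    print(req.export_json())
    print("overdue on 2024-02-20:", req.overdue("2024-02-20T00:00:00+00:00"))
```

Each `advance` call is the point at which the service would send the data subject the step's `note` over `channel`; the export is what the "download the exchanges" feature would serve.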
Example
In this example, the data subject has exercised their right to rectification and an email has been sent to them confirming that their request is being processed.
Focus of attention
Possible approach
Find out more
To find out more about the exercise of rights, you can consult the links below:
(fr) Respecting the rights of data subjects cnil.fr
This page groups together essential information on the implementation of rights.
(fr) Rights to control your data cnil.fr
This page groups together all the rights of the GDPR and highlights pages itemising each of them.
(fr) Profiling and automated decision making cnil.fr
This page describes the notion of profiling and automated decision making as defined in the EDPB guidelines.