Exercise of the rights

Users whose personal information is collected and processed have a set of rights allowing them to control their information. It is essential to indicate the existence of these rights and explain where, how and who to contact to exercise them in practical terms.

Why is the exercise of users’ rights important?

Rights can be considered a set of means giving data subjects real leverage over their data. Rights can be exercised as soon as an organisation has access to or processes someone’s data.

The implementation of simple and effective features and journeys to exercise the rights answers legal obligations while supporting data subjects in these procedures.

What are the rights of data subjects?

GDPR provides data subjects with up to seven rights:

  • the right of access allows, among other things, a data subject to know whether their data are processed and to obtain a readable copy in an understandable format. It is notably used to check data accuracy;
  • the right to rectification allows the data subject to modify, correct or update data concerning them to reduce the spread or use of inaccurate information;
  • the right to object allows the data subject to oppose their data being used for a specific purpose;
  • the right to erasure allows the data subject to delete their data;
  • the right to restriction of processing temporarily stops the use of a person’s data while, for example, their objection to the use of their data or their request to exercise a right is being evaluated;
  • the right to data portability entitles the data subject to recover some of their data in a machine-readable format, for their own use or to provide them to another organisation;
  • the right to human intervention in relation to profiling or a decision solely based on automated processing.

Facilitating access to the exercise of rights

When a data subject wants to exercise a right, they should easily know to whom they should address a claim. Contact information should be easily accessible and located in logical places, for example in the user account, in contextual information, privacy policies, FAQs, etc.

Example

In this example, the data subject wants to exercise their right to data portability. They go to their user account to see how to download a copy of their data.

Focus of attention

In this proposal, the user cannot find any information about their rights whereas their profile would appear to be a legitimate place for that. Without any indication, the user will therefore have to search through the whole site for information on their rights and how to exercise them.

Possible approach

In this proposal, the user directly finds a link in their profile directing them towards a page dedicated to how to exercise their rights.

Guiding the data subject in how to exercise their rights

Exercising a right can be an exceptional occurrence in the ordinary user journey of a service. It is thus even more important to guide the data subject properly through a process which can appear intimidating: proposing simple steps to make a request, recalling the utility of rights and their results, providing request templates, etc. to facilitate the procedure.

Exercising a right can be done through different means and formats chosen depending on the right and the context. A request related to rights can be filed in different ways: electronically (form, email, on-line accounts, etc.), paper mail…

Example

On this smartphone application, the data subject wants to know which data is processed by the service. They go to the section of their account designed to exercise their rights. 

Focus of attention

In this proposal, the data subject only has an email address, without more details on the rights they may exercise. This lack of indication and support could result in the data subject being discouraged from exercising their rights.

Possible approach

In this proposal, the data subject is presented with information detailing ways to exercise a right of access and is guided through the different possibilities. This approach allows the data subject to understand the situation and exercise their right in the best way.

Communicating on the status of the request

Throughout the process, it is important to ensure that the data subject is informed about the status of her request. She should be regularly informed about the effective reception of her request and about any decisions taken regarding it, in an accessible format, corresponding to the one used to contact the controller.

Example

The data subject wants to download her data collected when using a sports tracking service. She goes to her user account. 

Focus of attention (animated example)

In this proposal, after having clicked on the data downloading link, the data subject is immediately redirected to the application’s home page. No other information or feedback is given on whether their request has been taken into account.

Possible approach

In this proposal, after having clicked on the download link, a graphic sign appears to indicate that their request has been taken into account. Short informative texts allow the data subject to know how they will receive their data and inform them of the procedure to follow if they are not received.

Allowing the data subject to track their request

To provide a data subject with good continuity in the exercise of their right, and in case they dispute the decision taken and refer it to a data protection authority, it is recommended to allow the data subject to easily track their claim procedure. A system for printing or archiving requests, or downloading exchanges, may for instance be set up.

Example

In this example, the data subject has exercised their right to rectification and an email has been sent to them to confirm that the processing of their request is in progress. 

Focus of attention

In this proposal, even though the service informs the data subject that their request is being processed, no document or information that may be used as supporting evidence is accessible.

Possible approach

In this proposal, the service indicates in the information email that a copy of the request is available in the data subject’s personal space.

Find out more

If you want to find out more about the exercise of the rights, you can consult the links below:

(fr) Respecting the rights of data subjects cnil.fr

This page groups together essential information on the implementation of rights.

(fr) Rights to control your data cnil.fr

This page groups together all the rights of the GDPR and highlights pages itemising each of them.

(fr) Profiling and automated decision making cnil.fr

This page describes the notion of profiling and automated decision making as defined in the EDPB guidelines.

Données & Design par LINC