{"id":5932,"date":"2019-01-07T12:04:17","date_gmt":"2019-01-07T11:04:17","guid":{"rendered":"https:\/\/vps-6634360a.vps.ovh.net\/exercice-des-droits\/"},"modified":"2022-06-09T12:08:47","modified_gmt":"2022-06-09T10:08:47","slug":"exercising-rights","status":"publish","type":"page","link":"https:\/\/design.cnil.fr\/en\/concepts\/exercising-rights\/","title":{"rendered":"Exercise of the rights"},"content":{"rendered":"\n<div class=\"alignfull header color\">\n<p>Users whose personal information is collected and processed have a set of rights allowing them to <strong>control their information<\/strong>. It is essential to indicate the existence of these rights and explain where, how and who to contact to exercise them in practical terms.<\/p>\n<\/div>\n\n\n\n<div class=\"wrapper principles\">\n  <div class=\"sidebar principles\">\n    <div class=\"theiaStickySidebar\">\n      <div class=\"box\">\n       <div class=\"box-content\">\n\n\n\n<h3 class=\"wp-block-heading\">Summary<\/h3>\n\n\n\n<ul class=\"wp-block-list\"><li><a href=\"#why\">Why is the exercise of users\u2019 rights important?<\/a><\/li><li><a href=\"#rights\">What are the rights of data subjects?<\/a><\/li><li><a href=\"#facilitate\">Facilitating the access<\/a><\/li><li><a href=\"#guide\">Guided<\/a><\/li><li><a href=\"#feedback\">Giving feedback<\/a><\/li><li><a href=\"#track\">Tracking the request<\/a><\/li><li><a href=\"#more\">Find out more<\/a><\/li><\/ul>\n\n\n\n<\/div>\n  <\/div>\n\n\n\n<\/div>\n<\/div><div class=\"content examples\">\n    <div class=\"theiaStickySidebar\">\n      <div class=\"box\">\n\n\n\n<h2 class=\"wp-block-heading\" id=\"why\"><strong>Why is the exercise of users\u2019 rights important?<\/strong> <\/h2>\n\n\n\n<p>Rights can be considered to be <strong>a set of means giving data subject real leverage over their data<\/strong>. Rights can be exercised<strong> as soon as an organisation has access to or processes someone\u2019s data<\/strong>.<\/p>\n\n\n\n<p>The implementation of simple and effective features and journeys to exercise the rights <strong>answers legal obligations<\/strong> <strong>while supporting data subjects in these procedures<\/strong>.<\/p>\n\n\n\n<h2 class=\"wp-block-heading\" id=\"rights\"><strong>What are the rights of data subjects?<\/strong> <\/h2>\n\n\n\n<p>GDPR provides data subjects with up to seven rights: <\/p>\n\n\n\n<ul class=\"wp-block-list\"><li><strong>the right of access<\/strong> allows, among other things, a data subject to know if her data are processed and to obtain a readable copy in an understandable format. It is notably used to check data accuracy; <\/li><li><strong>the right to rectification <\/strong>allows the data subject to modify, correct or update data concerning them to reduce the spread or use of inaccurate information; <\/li><li> <strong>the right to object<\/strong>  allows the data subject to oppose their data being used for a specific purpose;<\/li><li><strong>the right to erasure<\/strong> allows the data subject to delete their data; <\/li><li><strong>the right to restriction of processing<\/strong> temporarily stops the use of a person\u2019s data while, for example, evaluating her contestation on the use of her data or her request to exercise a right;<\/li><li><strong>the right to data portability<\/strong> entitles the data subject to recover some of their data in a machine-readable format, for their own use or to provide them to another organisation;<\/li><li><strong>the right to human intervention<\/strong> in relation to profiling or a decision solely based on automated processing.<\/li><\/ul>\n\n\n\n<h2 class=\"wp-block-heading\" id=\"facilitate\"><strong>Facilitating access to the exercise of rights<\/strong><\/h2>\n\n\n\n<p>When a data subject wants to exercise a right, they should <strong>easily know to whom they should address a claim<\/strong>. Contact information should be easily accessible and located in logical places, for example in the user account, in contextual information, privacy policies, FAQs, etc.<\/p>\n\n\n\n<h3 class=\"wp-block-heading\"><em>Example<\/em><\/h3>\n\n\n\n<p><em>In this example, the data object wants to exercise their right to data portability. They go to their user account to see how to download a copy of their data.<\/em><\/p>\n\n\n\n<div class=\"wp-block-columns has-2-columns block-ex-2col is-layout-flex wp-container-core-columns-is-layout-9d6595d7 wp-block-columns-is-layout-flex\">\n<div class=\"wp-block-column is-layout-flow wp-block-column-is-layout-flow\">\n<h3 class=\"wp-block-heading\">Focus of attention<\/h3>\n\n\n\n<div class=\"wp-block-image\"><figure class=\"aligncenter\"><img loading=\"lazy\" decoding=\"async\" width=\"375\" height=\"812\" src=\"https:\/\/design.cnil.fr\/wp-content\/uploads\/2019\/06\/Facilitating-Don\u2019t@2x.png\" alt=\"Rights - Facilitating - Attention\" class=\"wp-image-5908\" srcset=\"https:\/\/design.cnil.fr\/wp-content\/uploads\/2019\/06\/Facilitating-Don\u2019t@2x.png 375w, https:\/\/design.cnil.fr\/wp-content\/uploads\/2019\/06\/Facilitating-Don\u2019t@2x-139x300.png 139w\" sizes=\"auto, (max-width: 375px) 100vw, 375px\" \/><figcaption><em>In this proposal, <strong>the user cannot find any information about their rights <\/strong>whereas their profile would appear to be a legitimate place for that. Without any indication, the user will therefore have to search through the whole site for information on their rights and how to exercise them.<\/em><\/figcaption><\/figure><\/div>\n\n\n\n<p><\/p>\n<\/div>\n\n\n\n<div class=\"wp-block-column is-layout-flow wp-block-column-is-layout-flow\">\n<h3 class=\"wp-block-heading\">Possible approach <\/h3>\n\n\n\n<div class=\"wp-block-image\"><figure class=\"aligncenter\"><img loading=\"lazy\" decoding=\"async\" width=\"375\" height=\"812\" src=\"https:\/\/design.cnil.fr\/wp-content\/uploads\/2019\/06\/Facilitating-Do@2x.png\" alt=\"Rights - Facilitating - Possible Approach\" class=\"wp-image-5906\" srcset=\"https:\/\/design.cnil.fr\/wp-content\/uploads\/2019\/06\/Facilitating-Do@2x.png 375w, https:\/\/design.cnil.fr\/wp-content\/uploads\/2019\/06\/Facilitating-Do@2x-139x300.png 139w\" sizes=\"auto, (max-width: 375px) 100vw, 375px\" \/><figcaption><em>In this proposal, <strong>the user directly finds a link in their profile<\/strong> directing them towards a page dedicated to how to exercise their rights.<\/em><\/figcaption><\/figure><\/div>\n\n\n\n<p><\/p>\n<\/div>\n<\/div>\n\n\n\n<h2 class=\"wp-block-heading\" id=\"guide\"><strong>Guiding the data object in how to exercise their rights<\/strong><\/h2>\n\n\n\n<p>Exercising a right can be an exceptional occurrence in the ordinary user journey of a service. It is thus even more important to guide them properly through a process which can appear intimidating: <strong>proposing simple steps<\/strong> to make a request, recalling the utility of rights and their results, <strong>providing request templates<\/strong>, etc. to facilitate the procedure.<\/p>\n\n\n\n<p>Exercising a right can <strong>be done through different means and formats<\/strong> chosen depending on the right and the context. A request related to rights can be filed in different ways: electronically (form, email, on-line accounts, etc.), paper mail&#8230;<\/p>\n\n\n\n<h3 class=\"wp-block-heading\"><em>Example<\/em><\/h3>\n\n\n\n<p><em>On this smartphone application, the data subject wants to know which data is processed by the service. They go to the section of their account designed to exercise their rights.&nbsp; <\/em><\/p>\n\n\n\n<div class=\"wp-block-columns has-2-columns block-ex-2col is-layout-flex wp-container-core-columns-is-layout-9d6595d7 wp-block-columns-is-layout-flex\">\n<div class=\"wp-block-column is-layout-flow wp-block-column-is-layout-flow\">\n<h3 class=\"wp-block-heading\">Focus of attention<\/h3>\n\n\n\n<div class=\"wp-block-image\"><figure class=\"aligncenter\"><img loading=\"lazy\" decoding=\"async\" width=\"375\" height=\"812\" src=\"https:\/\/design.cnil.fr\/wp-content\/uploads\/2019\/06\/Guiding-Don\u2019t@2x.png\" alt=\"Rights - Guiding - Attention\" class=\"wp-image-5904\" srcset=\"https:\/\/design.cnil.fr\/wp-content\/uploads\/2019\/06\/Guiding-Don\u2019t@2x.png 375w, https:\/\/design.cnil.fr\/wp-content\/uploads\/2019\/06\/Guiding-Don\u2019t@2x-139x300.png 139w\" sizes=\"auto, (max-width: 375px) 100vw, 375px\" \/><figcaption><em>In this proposal, the data subject only has an email address without more details on the rights they may exercise.<strong> This lack of indication and support could result in the data subject being discouraged in the exercise of her rights<\/strong>.<\/em><\/figcaption><\/figure><\/div>\n<\/div>\n\n\n\n<div class=\"wp-block-column is-layout-flow wp-block-column-is-layout-flow\">\n<h3 class=\"wp-block-heading\">Possible approach<\/h3>\n\n\n\n<div class=\"wp-block-image\"><figure class=\"aligncenter\"><img loading=\"lazy\" decoding=\"async\" width=\"375\" height=\"812\" src=\"https:\/\/design.cnil.fr\/wp-content\/uploads\/2019\/06\/Guiding-Do@2x.png\" alt=\"Rights - Guiding - Possible Approach\" class=\"wp-image-5902\" srcset=\"https:\/\/design.cnil.fr\/wp-content\/uploads\/2019\/06\/Guiding-Do@2x.png 375w, https:\/\/design.cnil.fr\/wp-content\/uploads\/2019\/06\/Guiding-Do@2x-139x300.png 139w\" sizes=\"auto, (max-width: 375px) 100vw, 375px\" \/><figcaption><em>In this proposal, the data subject is confronted with information detailing ways to exercise a right of access and is guided through the different possibilities. <strong>This approach allows the data subject to understand the situation and exercise their right the best way.<\/strong><\/em><\/figcaption><\/figure><\/div>\n<\/div>\n<\/div>\n\n\n\n<h2 class=\"wp-block-heading\" id=\"feedback\"><strong>Communicating on the status of the request<\/strong><\/h2>\n\n\n\n<p>Throughout the process, it is important to\nensure that the data subject is informed about the status of her request. She\nshould be regularly informed about the effective reception of their request or\non any decisions taken regarding it, in an accessible format, corresponding to\nthe one used to contact the controller.<\/p>\n\n\n\n<h3 class=\"wp-block-heading\"><em>Example<\/em><\/h3>\n\n\n\n<p><em>The data subject wants to download her data collected when using a sports tracking service. She goes to her user account.&nbsp; <\/em><\/p>\n\n\n\n<div class=\"wp-block-columns has-2-columns block-ex-2col is-layout-flex wp-container-core-columns-is-layout-9d6595d7 wp-block-columns-is-layout-flex\">\n<div class=\"wp-block-column is-layout-flow wp-block-column-is-layout-flow\">\n<h3 class=\"wp-block-heading\">Focus of attention   (animated example) <\/h3>\n\n\n\n<div class=\"wp-block-image\"><figure class=\"aligncenter\"><img loading=\"lazy\" decoding=\"async\" width=\"375\" height=\"812\" src=\"https:\/\/design.cnil.fr\/wp-content\/uploads\/2019\/06\/2019-06-19-Concepts-Rights-Feedback-Dont.gif\" alt=\"Rights - Feedback- Attention\" class=\"wp-image-5900\"\/><figcaption><em>In this proposal, after having clicked on the data downloading link, the data subject is immediately redirected to the application\u2019s home page. <strong>No other information or feedback is given on whether their request has been taken into account.<\/strong><\/em><\/figcaption><\/figure><\/div>\n<\/div>\n\n\n\n<div class=\"wp-block-column is-layout-flow wp-block-column-is-layout-flow\">\n<h3 class=\"wp-block-heading\">Possible approach<\/h3>\n\n\n\n<div class=\"wp-block-image\"><figure class=\"aligncenter\"><img loading=\"lazy\" decoding=\"async\" width=\"375\" height=\"812\" src=\"https:\/\/design.cnil.fr\/wp-content\/uploads\/2019\/06\/2019-06-19-Concepts-Rights-Feedback-Do.gif\" alt=\"Rights - Unambiguous - Possible Approach\" class=\"wp-image-5898\"\/><figcaption><em>In this proposal, after having clicked on the download link, <strong>a graphic sign appears<\/strong> to indicate that their request has been taken into account.<strong> Short informative texts<\/strong> allow the data subject to know how they will receive their data and inform them of the procedure to follow if they are not received.<\/em><\/figcaption><\/figure><\/div>\n<\/div>\n<\/div>\n\n\n\n<h2 class=\"wp-block-heading\" id=\"track\"><strong>Allowing the data subject to track their request<\/strong><\/h2>\n\n\n\n<p>To provide a data subject with good continuity in the exercise of their right, and should they dispute the decision taken and refer it to a protective authority, it is recommended to allow the data subject to<strong> easily track their claim procedure<\/strong>. A system for printing or archiving requests, or downloading exchanges may for instance be set up. <\/p>\n\n\n\n<h3 class=\"wp-block-heading\"><em>Example<\/em><\/h3>\n\n\n\n<p><em>In this example, the data subject has exercised their right to rectification and an email has been sent to them to confirm that the processing of their request is in progress.&nbsp; <\/em><\/p>\n\n\n\n<div class=\"wp-block-columns has-2-columns block-ex-1col is-layout-flex wp-container-core-columns-is-layout-9d6595d7 wp-block-columns-is-layout-flex\">\n<div class=\"wp-block-column is-layout-flow wp-block-column-is-layout-flow\">\n<h3 class=\"wp-block-heading\">Focus of attention<\/h3>\n\n\n\n<div class=\"wp-block-image\"><figure class=\"aligncenter\"><img loading=\"lazy\" decoding=\"async\" width=\"576\" height=\"360\" src=\"https:\/\/design.cnil.fr\/wp-content\/uploads\/2019\/06\/Tracking-Don\u2019t@2x.png\" alt=\"Rights - Tracking - Attention\" class=\"wp-image-5912\" srcset=\"https:\/\/design.cnil.fr\/wp-content\/uploads\/2019\/06\/Tracking-Don\u2019t@2x.png 576w, https:\/\/design.cnil.fr\/wp-content\/uploads\/2019\/06\/Tracking-Don\u2019t@2x-300x188.png 300w\" sizes=\"auto, (max-width: 576px) 100vw, 576px\" \/><figcaption><em>In this proposal, even though the service informs the data subject that their request is being processed, n<strong>o document or information that may be used as supporting evidence is accessible<\/strong>.<\/em><\/figcaption><\/figure><\/div>\n<\/div>\n\n\n\n<div class=\"wp-block-column is-layout-flow wp-block-column-is-layout-flow\">\n<h3 class=\"wp-block-heading\">Possible approach<\/h3>\n\n\n\n<div class=\"wp-block-image\"><figure class=\"aligncenter\"><img loading=\"lazy\" decoding=\"async\" width=\"576\" height=\"360\" src=\"https:\/\/design.cnil.fr\/wp-content\/uploads\/2019\/06\/Tracking-Do@2x.png\" alt=\"Rights - Tracking - Possible Approach\" class=\"wp-image-5910\" srcset=\"https:\/\/design.cnil.fr\/wp-content\/uploads\/2019\/06\/Tracking-Do@2x.png 576w, https:\/\/design.cnil.fr\/wp-content\/uploads\/2019\/06\/Tracking-Do@2x-300x188.png 300w\" sizes=\"auto, (max-width: 576px) 100vw, 576px\" \/><figcaption><em>In this proposal, the service indicates in the information email that <strong>a copy of the request is available in the data subject\u2019s personal space<\/strong>.<\/em><\/figcaption><\/figure><\/div>\n<\/div>\n<\/div>\n\n\n\n<h2 class=\"wp-block-heading\" id=\"more\">Find out more <\/h2>\n\n\n\n<p>If you want to find out more about the exercise of the rights, you can consult the links below:  <\/p>\n\n\n\n<h3 class=\"wp-block-heading\">(fr) Respecting the rights of data subjects <a rel=\"noreferrer noopener\" aria-label=\" (s\u2019ouvre dans un nouvel onglet)\" href=\"https:\/\/www.cnil.fr\/fr\/respecter-les-droits-des-personnes\" target=\"_blank\">cnil.fr<\/a><\/h3>\n\n\n\n<p>This page groups together essential information on the implementation of rights.<\/p>\n\n\n\n<h3 class=\"wp-block-heading\">(fr) Rights to control your data <a rel=\"noreferrer noopener\" aria-label=\" (s\u2019ouvre dans un nouvel onglet)\" href=\"https:\/\/www.cnil.fr\/fr\/les-droits-pour-maitriser-vos-donnees-personnelles\" target=\"_blank\">cnil.fr<\/a><\/h3>\n\n\n\n<p>This page groups together all the rights of the GDPR and highlights pages itemising each of them.<br><\/p>\n\n\n\n<h3 class=\"wp-block-heading\">(fr) Profiling and automated decision making <a href=\"https:\/\/www.cnil.fr\/fr\/profilage-et-decision-entierement-automatisee\">cnil.fr<\/a> <\/h3>\n\n\n\n<p>This page describes the notion of profiling and automated decision making as defined in the EDPB guidelines.<\/p>\n\n\n\n<\/div>\n  <\/div>\n <\/div>\n<\/div>\n","protected":false},"excerpt":{"rendered":"<p>Users whose personal information is collected and processed have a set of rights allowing them to control their information. It is essential to indicate the existence of these rights and explain where, how and who to contact to exercise them in practical terms. Summary Why is the exercise of users\u2019 rights important? What are the &hellip; <\/p>\n<p class=\"link-more\"><a href=\"https:\/\/design.cnil.fr\/en\/concepts\/exercising-rights\/\" class=\"more-link\">Continue reading<span class=\"screen-reader-text\"> &#8220;Exercise of the rights&#8221;<\/span><\/a><\/p>\n","protected":false},"author":7,"featured_media":0,"parent":5954,"menu_order":16,"comment_status":"closed","ping_status":"closed","template":"template-parts\/page-principles-subpage.php","meta":{"inline_featured_image":false,"footnotes":""},"class_list":["post-5932","page","type-page","status-publish","hentry","entry"],"_links":{"self":[{"href":"https:\/\/design.cnil.fr\/en\/wp-json\/wp\/v2\/pages\/5932","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/design.cnil.fr\/en\/wp-json\/wp\/v2\/pages"}],"about":[{"href":"https:\/\/design.cnil.fr\/en\/wp-json\/wp\/v2\/types\/page"}],"author":[{"embeddable":true,"href":"https:\/\/design.cnil.fr\/en\/wp-json\/wp\/v2\/users\/7"}],"replies":[{"embeddable":true,"href":"https:\/\/design.cnil.fr\/en\/wp-json\/wp\/v2\/comments?post=5932"}],"version-history":[{"count":14,"href":"https:\/\/design.cnil.fr\/en\/wp-json\/wp\/v2\/pages\/5932\/revisions"}],"predecessor-version":[{"id":6782,"href":"https:\/\/design.cnil.fr\/en\/wp-json\/wp\/v2\/pages\/5932\/revisions\/6782"}],"up":[{"embeddable":true,"href":"https:\/\/design.cnil.fr\/en\/wp-json\/wp\/v2\/pages\/5954"}],"wp:attachment":[{"href":"https:\/\/design.cnil.fr\/en\/wp-json\/wp\/v2\/media?parent=5932"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}