Carlotta Rigotti, Andrés Chomczyk Penedo, Alessandro Ortalda, Paul De Hert (VUB)
Acknowledgements: The authors thankfully acknowledge the review and suggestions by Rosario Duaso Cales and Saverio Carusso
This part of The Guidelines has been reviewed and validated by Willem Debeuckelaere, former President of the Commission for the Protection of Privacy, Belgium and Deputy Chair of the EDPB
Chapter III of the GDPR provides for a set of rights that the data subjects can exercise to safeguard their personal data. Although each right has specific details and issues that could affect and be affected by ICT research, they all share some general features concerning transparent information, communication, and modalities of exercise (Article 12 GDPR). In this respect, before jumping into the analysis of each specific right (Articles 13-22 GDPR), it is appropriate to briefly mention some issues that each researcher and research institution should take into consideration when complying with the exercise of one of the data subject’s rights.
Article 12.1 GDPR begins by providing how information must be given to the data subjects, so that they can exercise their rights effectively. In brief, the controller must provide information that is correct and comprehensive, thereby avoiding unnecessary information. Additionally, the language used must be understandable to the average data subject concerned and provided in writing (unless the data subject requests otherwise). In this regard, more details will be provided in Section 6.1.
When it comes to the time frame, the controller must provide information on action taken on a request to exercise the data subject’s right without undue or excessive delay and, in any case, within one month after receiving the request, on grounds of Article 12.3 GDPR. This span can be extended by two further months, when necessary and on the condition that the controller informs the data subject of the extension and justifies it within one month of the receipt of the request.
Article 12.5 GDPR enables the controller to refuse a data subject’s request, if the latter is manifestly unfounded or excessive. In this respect, some examples would be: the data subjects have no intention to exercise their rights (and require, for instance, benefits in exchange for the withdrawal of the request), seek to harass the controller, submit identical requests in the same timeframe, and so on. Simultaneously, Article 12.5 GDPR also lays down that the exercise of each data subject’s right must be free of charge, unless the controller is able to prove that the request was manifestly unfounded or excessive. In this case, the controller can charge a reasonable fee, considering the administrative cost of the procedure.
Where the controller has reasonable doubts concerning the identity of the individual making a request, the controller may request the provision of additional information in order to confirm the identity of the data subject, on grounds of Article 12.6 GDPR.
In any case, it is important to note that this part of the Guidelines just provides a brief overview of the data subject’s rights included in Chapter III of the GDPR. Nevertheless, as these rights simultaneously impose a reciprocal obligation on the controller and the processor, Chapter IV of the GDPR, which regulates the obligations of the controller and the processor, also attributes further rights to the data subject.
More generally, data subject’s rights can be found all over the GDPR. The basic principles enshrined in Chapter II, Articles 5-10 (see the section “Principles” in the General Part of these Guidelines), for instance, likewise provide additional protection for the data subject. The reason behind this widespread safeguard lies in one of the rationales of the GDPR, that is to say, the need to guarantee a consistent and high level of protection of natural persons in the digital era, where continuous processing and cross-border flows of personal data are the order of the day.
For the sake of completeness, the reader should thus be aware that the GDPR includes, inter alia, the following data subject’s rights:
- The right to withdraw consent (Article 7.3 GDPR); the data subjects shall have the right to withdraw their consent at any time. The withdrawal of consent shall not affect the lawfulness of processing based on consent before its withdrawal;
- The right to lodge a complaint with a supervisory authority (Article 78 GDPR); namely, data subjects can lodge requests and/or complaints to the competent supervisory authority, if they believe that the processing of their personal data has not been carried out in accordance with the law;
- The right to an effective judicial remedy (Article 79 GDPR); namely, the data subjects can bring a complaint before a court;
- The right to compensation (Article 82 GDPR); namely, the data subjects can claim compensation for any damage suffered due to the processing of personal data in breach of the GDPR.
The Exercise of the Data Subject’s Rights: Transparency, Communication and Modalities:
☐ The provided information must be:
☐ Correct and comprehensive, thereby avoiding the unnecessary ones;
☐ Understandable to the average data subject concerned;
☐ Easily accessible, be it in writing or by any other means;
☐ In a language that the specific data subject masters.
☐ The information must be provided:
☐ Without undue or excessive delay and, in any case, within one month after the data subject’s request;
☐ Within two months after the data subject’s request, when necessary and upon communication and justification within one month after the data subject’s request;
☐ The data subject’s request can be refused, whenever it is:
☐ Manifestly unfounded;
☐ Excessive.
☐ The exercise of each data subject’s right must be free of charge. If the request is manifestly unfounded or excessive, a reasonable fee can be charged.
☐ Additional information can be requested to confirm the data subject’s identity.
[1] As shown by Ducato, indeed, processing for research purposes enjoys a favourable regime within the GDPR, as it seeks to balance the data subject’s rights, the freedom to conduct a business and the legitimate expectations of society for an increase of knowledge. On such premises, Article 89 GDPR allows derogation from Articles 14, 15, 16, 18 and 21 GDPR, on the sole condition that adequate safeguards are provided. In particular, the provision requires the use of technical and organisational measures to fulfil data minimisation, as well as anonymisation and pseudonymisation techniques. See R. Ducato, ‘Data Protection, Scientific Research and the Role of Information’, Computer Law & Security Review, 2020, Vol. 37, pp. 4-5.
[2] For further detail, see, for instance: Fundamental Rights Agency (ed.), Handbook on European Data Protection Law, Luxembourg: Publications Office of the European Union, 2018, pp. 236-248.