General Data Protection Regulation: Individuals Rights

19th October 2017

What is personal data? Personal data is any information relating to a natural person who can be identified, directly or indirectly. For example, personal data includes an identifier, a name, a photograph, a social security number, an internal registration number, a registration plate, a postal address, an e-mail address, a telephone number, location data, an online identifier (an IP address, for example), a voice recording, etc.

Persons whose data are collected have the right to request the transfer of data concerning them to another service provider (the “right to data portability”). The persons concerned have the right to obtain the personal data they have provided to a data warehouse in a structured, commonly used, machine-readable format, and the right to transmit that data to another data warehouse; the data controller of the processing to which the personal data were communicated shall not stand in the way. This is only mandatory in certain cases, but it is strongly recommended to name one systematically, since any company or administration must be able at all times to account to the supervisory authority for the state of its data processing. In general, the data subject has an extensive and facilitated right of access to personal data concerning him or her, and the text reaffirms the essential principles of the protection of privacy:

Citizens will now be able to complain about the misuse of their data to a single data protection authority rather than having to do so with the company holding the data. Note that if it is possible, by cross-checking several pieces of information (age, sex, diplomas, city, etc.) or by using various technical means such as machine learning or artificial intelligence, to target a person (“singling out”), the data is still considered personal. The General Data Protection Regulation (EU GDPR) thus considerably develops the individual’s rights, including the rights granted to a person whose data is collected for machine learning software.

This article first presents a general picture of the intentions of the General Data Protection Regulation text, then presents its main innovations, in a form comprehensible to the uninitiated. Individuals may also participate in class actions through representative organizations, which, if permitted by national law, may also act on their own initiative.

The stated aim of the EU GDPR text is to strengthen the control of European citizens over the use of their personal data, while simplifying, by unifying, the regulation for companies. The EU GDPR regulations, in turn, make mandatory in some cases the appointment of a Data Protection Officer (DPO) for private or public bodies whose core activities require regular and systematic monitoring of the persons concerned on a large scale, or where the processing is carried out by a public authority or a public body (EU GDPR: Article 37), with the exception of the courts. No distinction is made between confidential, public, professional or non-professional information. The notion of personal data is therefore very broad.

Data processors will therefore have to invest considerably to comply with the new regulations, especially since every company in the world handling the data of European citizens is affected by them. Thus, alongside the rights already granted to a person under the regulations (right of rectification and deletion, objection to processing subject to legitimate reasons, right of access and communication of the data), there are now new rights: the right to data portability, the right to be forgotten, the right to object, the right to restriction of processing, etc.

Transfers of personal data to foreign countries are also now subject to verification of the guarantees offered by the laws of that country to maintain an equivalent level of data security. Failing this, special warranty clauses must be provided for in contracts, in addition to the possibility of using codes of conduct, certifications and other labels. The data collectors have the right to rectification and deletion of data for the following reasons: the data have been unlawfully processed, the data are no longer necessary, the data are being processed for prospecting purposes, the data have to be deleted in order to comply with a legal obligation, the data subject withdraws his or her consent, or the data were collected in the context of a service offered to minors.

Companies are encouraged to prioritize the use of pseudonyms before and during the processing of data to protect an individual’s rights, and to take an individual’s rights into account at the design stage. The regulations also provide that, ideally, the destination country of the data should be on a list drawn up by the European Commission; in that case it will not be necessary to obtain an authorization from the national authority of the country of origin of the data. Pseudonymisation also serves to ensure that the data is kept in a form that does not allow the direct identification of an individual without the aid of additional information.

Corey is an all round tech guru who has worked at some major blue chip companies. He started Poweronemedia to share his views and knowledge with the rest of the blogging world.