right to be forgotten - European Data Protection Supervisor

A first glimpse: Rights of the Data Subject under Chapter III of the new Regulation
Ute Kallenberger
DPO meeting
eu-LISA, Tallinn, 1 June 2017
“Data subject”
• any information relating to an identified or identifiable natural person (data subject);
• identified, directly or indirectly, in particular by identifier such as a name, an identification number, location data, an online identifier or to... factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity...
Art. 3(1) new Reg. + recitals 6+11-13
Overview
General rights: lawfulness (Art. 5), fairness, transparency, accountability etc. (Art. 4)
Specific rights to
• transparency and modalities (Arts. 14-16);
• information (Arts. 15/16);
• access (Art. 17);
• rectification (Art. 18)
• erasure (‘right to be forgotten’) (Art. 19)
• restrict (Art. 20)
• data portability (Art. 22)
• object (Art. 23)
• not be subject to automated individual decision-making, including profiling (Art. 24)
Common modalities (Art. 14)
Applicable to Articles 15/16, 17 to 24 and 38
CLEAR
concise, transparent, intelligible and easily accessible form, using clear and plain language
Free of charge
Common modalities (Art. 14)
Applicable to Articles 17 to 24
without undue delay / one month (two further months if necessary)
Identity of DS: reasonable doubts?
Additional info (-) = Art. 12(2) (refusal)
Articles 15/16: Right to information
When
• Art. 15: at the time when PD are obtained
• Art. 16: reasonable period /1 month, but...
What
• Arts. 15/16 = “shopping list”
• DPO, 3rd country...
and...
• further processing: prior info
• Recital 28: standardised icons
...unless the data subject already has the information or...
Article 17 - Right of access
What
• processing? Y/N
• access to certain types of information
• Art. 17 = “shopping list”; 3rd country
• copy
Format
• commonly used electronic form
and...
• no copy if adversely affects rights and freedoms of others
Article 18 - Right to rectification
What
• inaccurate: rectification
• incomplete: completion (supplementary statement)
When
• without undue delay
...and
• notification recipients (Art. 21) unless impossible / disprop. effort
data quality
Article 19 - Right to erasure (‘right to be forgotten’)
What
• right to erasure without undue delay
• obligation of controller
public
• technology / cost / reasonable steps: inform controller links/copies/replica
except
• (-) if necessary for freedom of expression, legal obligation, public health, archiving, legal claims
?
CJEU case law: C-131/12
Right to object v. right to erasure
object
• scope: specific processing operation
• grounds: particular situation data subject
erase
• scope: personal data data subject
• grounds: purpose (-) consent (-) lawful (-)...
Article 23 – Right to object
What
• object, incl. to profiling (Art. 5(1)(a))
• unless demonstrated exceptions
• particular situation data subject
When
• at any time
and...
• research/statistics: public interest?
Article 20 – Restriction of processing
When
• accuracy contested by data subject
• processing unlawful
• exercise/defence legal claims
• verification legitimate grounds controller
How
• technical means (Recital 33)
• notification recipients (Art. 21) unless impossible / disproportionate effort
What
• storage OK;
• other processing: only exceptionally
Article 22 - data portability
When
• based on consent/contract
• by automated means
What
• R to receive data + transmit
• R to transmission between controllers if technically feasible
[Diagram labels: C1, C2]
How
• in a structured, commonly used and machine-readable format
Article 24 – Right not to be subject to automated individual decision-making
No automated processing incl. profiling
except...
• necessary for contract
• EU law + safeguards
• explicit consent
(Recital 14)
but still:
• safeguards/human intervention
• no special categories, unless...
Article 25(1) - Restrictions to data subject rights
criminal offences / penalties / public sec.
other general public interests EU/MS
judicial independence / proceedings
breaches of ethics for regulated prof.
protect DS or rights & freedoms of others
enforcement civil law claims
+ monitor + inspect + regulate
nat’l security / public security / defence MSs
Article 25 - Restrictions to data subject rights
criminal offences / penalties / public sec.
other general public interests EU/MS
judicial independence / proceedings
+ monitor + inspect + regulate
nat’l security / public security / defence MSs
+ Article 25(2)
breaches of ethics for regulated prof.
protect DS or rights & freedoms of others
enforcement civil law claims
research / statistics
• EU law may Arts. 17+18+20+23 (-), if 13 (+) and necessary
archiving public int.
• EU law may Arts. 17+18+20-23 (-): if 13 (+) and necessary
Article 25 - Restrictions to data subject rights
criminal offences / penalties / public sec.
other general public interests EU/MS
judicial independence / proceedings
breaches of ethics for regulated prof.
protect DS or rights & freedoms of others
enforcement civil law claims
+ monitor + inspect + regulate
nat’l security / public security / defence MSs
+ Article 25(2)
Thank you for your attention!
For more information:
www.edps.europa.eu
@EU_EDPS
EDPS
European Data Protection Supervisor
2009: Treaty of Lisbon
• Everyone has the right to the protection of personal data concerning them
Data protection principles
Art. 16 TFEU
• EP + Council shall lay down the rules on processing of personal data by EU administration + Member States for activities under Union law, and the rules relating to the free movement of such data.
• Compliance with these rules shall be subject to the control of independent authorities.
General Data Protection Reform
• Everyone has the right to the protection of personal data
Data protection principles
Art. 16 TFEU + GDPR
• Fairness / lawfulness
• Consent / legal basis
• Information, access, rectification, “right to be forgotten”
• Third country transfers
• Privacy by Default / Design
• Data portability
• subject to the control of independent authorities
• Sanctions
• Coherence mechanism