GDPR Rights & Enforcement
Rights of Data Subject
The data subject’s rights are similar to those under the Data Protection Act. They include the rights of
- access
- rectification
- objection to processing for direct marketing
- data portability (transfer of the data to another data controller)
- erasure (the “right to be forgotten”)
The right to be forgotten entitles the data subject to require that the data controller erase the data concerned and no longer use it. There are exceptions, such as processing in the public interest in the area of public health and retention required by a legal obligation, under which the data may continue to be held.
Where a person believes another person holds personal data about them, they may write to that person requesting a copy. The data controller must confirm whether it holds personal data about the individual and, if so, supply a copy of the data together with a description of the data, the purposes for which it is kept and certain other information about the processing. The request must be complied with within a specified period (under the GDPR, without undue delay and in any event within one month, extendable in limited cases).
The data subject has a right of access to the data, subject to certain exceptions designed to protect the legitimate interests of the data controller. The data subject is entitled to have the data rectified, erased or blocked where the data controller has not complied with its obligations (for example, where the data is inaccurate). The data controller must comply with such requests within a reasonable time.
The data subject may, by notice in writing, require the data controller to cease, or not to begin, processing personal data where the processing is likely to cause substantial damage or distress or would otherwise be unwarranted. There are certain public interest exceptions.
A decision that produces legal effects concerning a person, or that similarly significantly affects them, may not be based solely on automated processing of personal data where it evaluates personal matters such as creditworthiness, work performance, reliability or conduct. Certain exceptions exist, for example where the decision is necessary for a contract, is authorised by law, or is based on the data subject’s explicit consent.
Transparency and Public Bodies
The GDPR and the accompanying Directive (implemented by the Data Protection Act 2018) place greatly increased emphasis on the transparency of processing, on the responsibility of the controller and processor for compliance with data protection standards, and on the need for appropriate security measures to protect against data breaches such as unauthorised or unlawful processing and accidental loss, destruction or damage.
Both instruments oblige all public authorities and bodies, as well as some private sector bodies, to designate a Data Protection Officer with responsibility for overseeing data processing operations, and to report data breaches to the relevant data protection authority.
The GDPR also limits the grounds on which public authorities and bodies may lawfully process personal data. For example, depending on the circumstances, an individual’s consent may not provide a reliable basis for processing by a public authority, given the imbalance of power between them. The so-called “legitimate interests” ground is no longer available to public authorities when processing in the performance of their tasks.
Notifying Breaches
The GDPR replaces the earlier system of registration with, and notification to, the regulator. Instead, data controllers must keep a record of all personal data processing, including details of the purposes, the categories of data and data subjects, the recipients, any transfers out of the EU, retention periods and the security measures applied.
The GDPR imposes specific obligations on data controllers to notify breaches of security leading to the accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to, personal data transmitted, stored or otherwise processed. Notification must be made without undue delay and, where feasible, within 72 hours of the breach coming to the attention of the data controller.
The supervisory authority must be notified unless the controller is able to show that the breach is unlikely to result in a risk to the rights and freedoms of individuals. Data subjects must be notified without undue delay where the breach is likely to result in a high risk to their rights and freedoms. The notification should describe the nature of the breach, its likely consequences, and the measures taken or recommended to mitigate them.
Design and Compliance Officer
The GDPR requires the data controller to design systems in such a way as to protect personal data and the rights of data subjects, and to ensure by default that only the personal data necessary for each purpose is processed. This is referred to as data protection by design and by default.
Certain organisations must appoint a data protection officer who is responsible for compliance with the Regulation: public bodies, and organisations whose core activities involve large-scale regular and systematic monitoring of individuals or large-scale processing of special categories of data. The data protection officer may be an employee or an external service provider. They must be designated on the basis of their professional qualifications and expert knowledge of data protection law and practice, and must be able to fulfil the requisite tasks, which involve
- advising and informing the controller or processor and its employees of their obligations
- monitoring compliance, including the assignment of responsibilities, awareness-raising and training of staff, and related audits
- providing advice on data protection impact assessments
- cooperating with the supervisory authority and acting as its point of contact
Enhanced Enforcement
The GDPR confirms a specific right to compensation for damage suffered as a result of a breach of the Regulation’s obligations.
Both the GDPR and the Directive (implemented by the Data Protection Act 2018) provide for increased supervision and enforcement of data protection standards by the data protection authority.
The GDPR also provides for the imposition of substantial administrative fines in two tiers: up to €10 million or 2% of total worldwide annual turnover in the preceding financial year, and, for the more serious infringements, up to €20 million or 4% of that turnover, in each case whichever is higher. Both the GDPR and the Directive (implemented by the Data Protection Act 2018) provide that any data subject who has suffered material or non-material damage because of a breach of his or her data protection rights has the right to seek compensation in the courts.