- The General Data Protection Regulation, a law that came into effect on May 25, 2018 in the EU that gives Europeans new rights over their personal data.
- Companies that fail to comply will be penalized the greater of 4% of global revenue or €20 million.
- We (Transcend) mostly help you deal with the “Individual Rights” obligations. Mainly, that's giving citizens the ability to access and erase their data from your company.
This is intended as a simple guide and is in no way exhaustive. This does not constitute legal advice, and we recommend you consult with a qualified attorney.
A Data Subject Request (DSR) is a request by the data subject to access, erase, port, or rectify their personal data. It also includes objections to the processing of personal data and requests to restrict the processing of personal data. People can exercise the following rights by making a DSR to your company:
The right of access — Art. 15
Download your personal data in a machine-readable format.
The right to erasure — Art. 17
AKA right to be forgotten. You can erase your personal data from companies. Sometimes there are exceptions because other laws override (e.g. you can't delete your bank records because of money laundering laws).
Individuals have the right to be informed about the collection and use of their personal data.
The right to rectification — Art. 16
Right to update inaccuracies. Credit report has false info? Changed your mailing address? You have the right to rectify that.
The right to data portability — Art. 20
“Hey Spotify! Send my listening history to Apple Music.” People can transfer their data between companies... wild, right?
The right to restrict processing — Art. 18
“You can store, but you can't use my personal data.” It's a corner case that's exercisable in certain circumstances.
The right to object — Art. 21
“I don't agree with your justification for processing my data; stop it.” Background: all data collection/processing is illegal unless it falls into one of these categories. One category is called Legitimate Interest [6.1(f)] and basically says companies can use their judgement whether personal data is being processed for legitimate purposes. Right to Object allows people to contest that.
Rights in relation to automated decision making and profiling — Art. 22
Automatically declined for a bank loan? Have a human review it.
- All companies have to give these rights to their European customers
- Because it's simpler and looks good, most organizations are giving these rights to everyone.
- Also, Californians are getting similar rights on Jan 1, 2020. Brazil passed their own GDPR too. India has their draft out.
Art. 12 - 14 relate to our “Data Practices” page on our Privacy Centers, and the final report we send the data subject.
Art. 15, 16, 17, 18, 20, 21 describe the 6 types of Data Subject Requests, which we support on our “Take Control” page on our Privacy Centers, and fulfill automatically across data systems.