What data subject rights do I have regarding my personal data ?
With all this talk about what is and what is not personal data, we have yet to introduce one of the key motivations behind GDPR, CCPA, PPDP and other acronym-heavy privacy regulations : more rights and more control for people over their data !
What rights do I have ?
Let’s take the concrete example of the GDPR (once again). If you are covered by this regulation, then you can request the enforcement of the following rights:
- The right to be forgotten (i.e. to have their personal data deleted);
- The right of access to their personal data ;
- The right to object or restrict the processing of their data ;
- The right to portability (i.e. obtain an extraction of their personal data in a reusable format);
- The right to rectify any out-of-date or incorrect personal data.
When do these rights apply to me?
These rights apply to you if you are covered by the GDPR. This means that you are living in the EU, or that the company you are dealing with needs to comply with the GDPR..
However, local data protection regulations usually provide similar sets of rights to the data subjects they are meant to cover, so you may need to do some digging if you are not in the EU to know more about what rights do apply to your case.
How do I enforce them?
To enforce your rights with a specific company, you’ll need to make a data subject request to them. The process is not yet centralized, and depends on the company’s resources (and goodwill).
Then using the contact address or form provided to make your request. You may need to provide additional information to the company regarding your request.
You can also rely on tools like https://www.datarequests.org/ to get guidance on how to draft and make data subject requests.
What happens when the request is not fulfilled?
First of all, it is important to remember that not all GDPR rights apply all the time, as it would lead to potential abuse of said rights.
For example, requesting a company to delete invoices that you have not yet paid (using your right to erasure) will be refused as it goes against the contract in place between the both of you.
However, if you request the deletion of a social media account that you are not using anymore, it can and should be deleted without too much of a hassle.
If you consider that a legitimate request has been unduly refused, you can challenge the decision by contacting your local data protection authority. When a request is refused by a company, it is mandatory for them to include the contact details of the relevant data protection authority.
How long should I wait for a request to be fulfilled?
The company has a limited time-frame to get back to you regarding your rights : 30 days starting on the acknowledgment of your request. This delay can be extended in specific cases to 90 days, but it should not be the norm.
Can I be charged for this ?
Nope! Most of the requests should be free of charge, as the company may require payment only for extreme data requests (“hey, print all my data on glitter paper please.”)
Is it worth it ?
Of course it is ! The subject matter may seem a bit abstract at first, but having a better understanding of what is done with you personal data may help you avoid traps, scams and other sources of problems of our times.
At the very least, it may help you get rid of annoying newsletters 😜.