The rights users have on their data are not absolute. As such, it is important for data controller to know how they must react to a request to exercise one.
Right to object to the processing of personal data
The user is allowed to object at any time to a data controller’s use of some of their data.
The user can object to their data being used by a data controller for a specific purpose. The condition is that they must put forward "reasons relating to their particular situation".
However, when it comes to the case of commercial prospecting, users may object without reason. For example, when they receive advertisements through emails, are subject to a profiling or their information appearing in a phone book.
Whenever an user makes a request to exercise this right, the data controller is allowed to refuse the request. However, he must prove that there are compelling legitimate reasons for continuing to process the data, or justify that the data is necessary for the establishment, exercise or defence of legal claims.
Legitimate reasons to continue to process the data could be that :
- There is a contract with the organization, the data controller is obliged to keep the data
- There is a legal obligation to process the data
- The processing is necessary to protect the vital interests of the data subject or another individual
- The user has consented to the collection and processing of the data, thus, they must withdraw their consent and not object to it.
When the request concerns commercial prospecting, the data controller must delete the user’s email address from its prospecting database as soon as possible.
Right to erasure of personal data
The user has the right to ask an organization to delete your personal data.
However, this right only applies when their data is used for prospecting purposes, the data are not or no longer necessary for the purposes for which they were originally collected or processed, they withdrew their consent to the use of their data, their data is subject to unlawful processing (e.g. publication of pirated data), their data was collected when they were a minor in the context of the information society (blog, forum, social network, website...), their data must be deleted to comply with a legal obligation, they have objected to the processing of their data and the file manager has no legitimate or compelling reason not to comply with this request.
Whenever an user makes a request to erasure, If, and only if, the data controller has reasonable doubts about the user identity, it may ask them to attach any document that proves their identity, for example to avoid identity theft. However, it cannot ask the user for supporting documents that would be abusive, irrelevant and disproportionate to their request.
The right to erasure faces a series of obstacles.
It means that the data controller may refuse the request in certain circumstances. Obviously, it will have to justify the refusal to the user.
The erasure of the data may obstruct :
- The exercise of the right to freedom of expression and information
- The respect of a legal obligation (e.g. retention period of an invoice = 10 years)
- The use of the user data in the case it concerns a public interest in the field of health
- The use for archival purposes in the public interest, for scientific or historical research or for statistical purposes
- The use for the establishment, exercise or defense of legal claims.
Right to restrict the processing of personal data
The user has the right to ask a data controller to temporarily freeze the use of some of their data. What does it mean ?
It means that if the user decides to dispute the accuracy of the data used by the data controller or object to the processing of their data, the law allows the data controller to verify or review the request for a period of time. During this period, the user may ask the data controller to freeze the use of their data. As a result, the data controller will no longer be able to the data, but will have to keep it.
For example, if the request concerns a picture on an article. While the data controller tries to look for a legitimate reason to retain the picture, they must take it off their website.
The right to restrict the processing of the data is a right that complements the exercise of other rights. During the delay the data controller has to respond to the rectification or objection request, whether it is extended or not, the data controller must freeze the data concerned and no longer use it.
It is important to note that the data controller must inform the user when the limitation on the use of their data is effective. In addition, the data controller is allowed to use the data despite a restriction request in the following cases :
- The user has given their consent
- It is necessary for the establishment, exercise or defense of legal claims
- It is necessary for the protection of the rights of another natural or legal person, for important reasons of public interest of the Union or of a Member State.
Those rights have in common that the user wishes to act against the processing of their personal data by the data controller. They are not absolute rights and data controllers must be aware of their terms and conditions of exercise. Another series of rights concern the circonstances in which the user wishes to rectify the data used by the data controller, transfer it to another data controller or simply have access to it. Those are rights users have concerning their data.