User rights concerning their personal data (2)
Users have a right of review on their data, and this includes a series of rights such the right of access, to data portability or to ask for the rectification of their data.
Image illustrating the article User rights concerning their personal data (2)

The right to access, to portability and to rectify their data have in common that the user does not question the processing of his data. It simply represent his right of review on his data.
In practice, what does it entail for the data controller ?

Right of access

The right of access allows the user to access and receive a copy of their personal data, and other supplementary information.

Whenever an user exercises their right to access, the data controller must first verify the user’s identity. It means he is allowed to ask for his Id.
Then, he must perform a reasonable search for the requested information. Concerning the information, it must be provided in an accessible, concise and intelligible manner. If the individual makes a request electronically, it makes sense that the provided information is sent in a commonly used electronic format; except if the individual requests otherwise.

It is also important for the information to be disclosed securely.

In the case the request involves information about a third party, the data controller must decide whether to share or keep the information. He must be able to justify his decision to disclose or withhold information about a third party, so keeping a record of this decision and the thought process behind it is necessary.
The data controller may refuse to provide the information, only if an exemption or restriction applies, or if the request is manifestly unfounded or excessive. In the case he refuses to provide the information, he must inform the individual of the reason why, their right to make a complaint to the data protection authority and their ability to seek to enforce this right through the courts.

Right to data portability

The right to data portability allows users to obtain a copy in a structured, commonly-used and machine readable format in order to move, copy or transfer personal data easily from one IT environment to another in a safe and secure way, without affecting its usability.
The right only applies to information an individual has provided to a controller, when the lawful basis for processing this information is consent or the performance of a contract; and the data controller is carrying out the processing by automated means.

What does “data provided by the user” mean ?

Provided by the user refers to information such as the mailing address, the username, age but not only. It also refers to personal data resulting from observation of the user’s activities. For example, whenever he uses a device or a service.
This includes information such as a website history or search activities, traffic and location data or raw data processed by connected devices such as wearable devices.
However, any additional data created by the data controller based on the data an individual has provided is excluded. For example, a user profile created thanks to the provided data is excluded from the scope of data portability.

It is possible that the user exercises his right to data portability alongside his right to access. In this case, the data controller must ensure that he responds to both requests separately, as the data portability requests requires the copy of the data in a machine readable format, whereas the right of access one requires a copy in an understandable format for the average user.

The user is entitled to receiving a copy of their personal data and/or, have their personal data transmitted from one controller to another. It means that the data controller must transfer the data if asked, if it is technically feasible. Most of all, the data controller must not put in place any legal, technical or financial obstacles which could slow down or prevent the transmission of personal data to the individual or to another organisation.

Only legitimate reasons could justify refusing the transmission of the data. However, it is the data controller’s responsibility to justify why these reasons are legitimate and why they are not a ‘hindrance’ to the transmission.

Concerning the transmission, it is up to the data controller to take appropriate measures to ensure that it is transmitted securely and to the right destination.

What does commonly used, structured and machine readable mean ?

This simply means that the format the data controller chooses must be widely-used and well-established, the structured data allows for easier transfer and increased usability and readable by a machine means the data is in a format that can be automatically read and processed by a computer.’
CSV, XML and JSON are the most appropriate format to send the data.

The data controller may refuse to comply with the request if an exemption apply, or if the request is manifestly unfounded or excessive. In the case he refuses to provide the information, he must inform the individual of the reason why, their right to make a complaint to the data protection authority and their ability to seek to enforce this right through the courts.
The data controller cannot charge a fee to comply with a request for data portability, except if the request is manifestly unfounded or excessive. The fee has to be reasonable, and related to the administrative costs of complying with the request.

###Right to rectification

Individuals are allowed to have inaccurate personal data rectified, or completed if it is incomplete.

When the data controller receives a request for rectification, he must take reasonable measures to verify that the data is accurate and to rectify the data if necessary. The arguments and evidences provided by the data subject must be taken into account.
In the case the data controller considers the data is accurate, it is important to let them know of his decision, and explain this decision while reminding the user he is allowed to make a complaint to the data protection authority or to enforce his right through a judicial remedy.

In the same way as for other rights, the data controller may refuse to comply with the request, only if an exemption or restriction applies, or if the request is manifestly unfounded or excessive. In the case he refuses to comply, he must inform the individual of the reason why, their right to make a complaint to the data protection authority and their ability to seek to enforce this right through the courts.

If the information has been disclosed to others, the data controller must inform each recipient of the rectification or completion of the personal data; unless this proves impossible or involves disproportionate effort. If asked to, you must also inform the individual about these recipients.

Those details are important for the data controller, in order to know how to respect user rights in a more effective way. This list of rights completes that of the article about user rights against the processing of their personal data .

Stéphanie Exposito-Rosso

Tue Oct 26 2021