This article is a brief overview of user rights, and is part of a series of articles about user rights that will give further information on how to ensure data controllers respect those rights better.
Since the modalities for exercising those rights are considerably more complex than what is presented here, they will be developed further in a series of articles.
User rights against the processing of their personal data (1)
User rights concerning their personal data (2)
Here are some details concerning the answer to give to a user request. How much time does the data controller have to answer? Is it free for the user? Can the controller refuse the request?
The first GDPR requirement is for the user to be informed about the collection and processing of his data. This is the right to be informed, which takes the form of the obligation of information and of transparency. Here are some articles on this subject. (1) (2)
Then, the GDPR states that users have the right to access their own data, to portability, to erasure, to object to the data processing, to restrict the processing and to rectify their data.
To explain briefly, the right of access is the right to access and receive a copy of their personal data, and other supplementary information.
The right to portability allows individuals to obtain and reuse their personal data for their own purposes across different services. Data controllers have to send the requested data in a structured, commonly used and machine-readable format.
The right to erasure is the right for individuals to have personal data erased.
The right to object to the data processing means, as its name states, that users are allowed to object to the processing of their personal data in certain circumstances. However, this right is absolute when it comes to their data being used for direct marketing.
The right to restrict the processing allows the user to ask for a restriction of the way an organisation uses their data under certain circumstances.
The right to rectification is the right for individuals to have inaccurate personal data rectified, or completed if it is incomplete.
Data controllers have to ensure the user can contact them in order to exercise those rights, and put measures in place in order to respect them. Concerning the answers controllers have to give to users, there are some important things to take into consideration: the time limit to answer the request, whether a fee can be charged to the user, whether it is possible to refuse, and the modalities of the answer to give to users.
How much time do you have to answer?
For each one of those rights, the data controller has one month to give an answer to the user.
The time limit can be extended to 2 months as long as the user is informed of this extension and it is justified. The justification can be the complexity of the request or the number of requests from the individual.
Can you refuse to respond to the request?
The data controller cannot refuse to comply with the request without justification. Only some circumstances are legitimate reasons to refuse.
Specifically, this is the case when the request is manifestly unfounded or excessive. However, in this case, the data controller has to determine and demonstrate to the user why it is manifestly unfounded or excessive. Obviously, a record of this decision has to be kept in case the user informs the data protection authority of such a refusal and there is an investigation.
Is it free for the user?
Exercising those rights is free for the user, and the data controller cannot charge a fee.
However, concerning the right of access or the right to portability, when the request is manifestly unfounded or excessive, the data controller can charge a reasonable fee taking into account the administrative costs of providing the information. It is important to note that, concerning the time limit to answer the request, the month starts after the data controller has received the fee.
The data controller has to ensure the user is able to exercise those rights. It is one of the obligations enshrined in the GDPR.