Rights to rectification, erasure and restriction under the GDPR and DPA
As regular readers of these articles know, we aim to provide a practical overview of the most relevant changes resulting from the General Data Protection Regulation (GDPR) and the new Swiss Data Protection Act (DPA), a draft revision of which is still subject to debate, and which is expected to partly enter into force later this year.
In our previous article, we provided an overview of the data subject’s rights under the GDPR and DPA, and discussed the rights to information, transparency and access. This week’s article focusses on the data subject’s rights to rectification, erasure and restriction.
Right to rectification under the GDPR and DPA
As explained in our last article, the GDPR and DPA require controllers to inform data subjects on an extensive list of topics and to grant data subjects access to their personal data upon request.
If a data subject discovers an error in his or her data, the GDPR entitles them to rectification of the incorrect data. In case of incomplete information, the data subject may ask for a supplementary statement.
Like the GDPR, the DPA gives data subjects the right to request correction of inaccurate data. Data subjects may exercise this right, regardless of whether any privacy breach has occurred. The controller may only refuse to correct the data if the amendment is prohibited by law or the data are being processed for archiving purposes in the public interest. Rectification means that incomplete data are completed and inaccurate data are deleted or replaced.
Right to erasure under the GDPR and DPA
The right to erasure, also known as the ‘right to be forgotten’, allows data subjects to have their data erased under the following specific circumstances:
- the data are no longer necessary in relation to the purposes for which they were collected or processed;
- data subjects withdraw the consent on which the processing was based;
- data subjects object to the processing and there are no overriding, legitimate grounds for the processing;
- the data have been processed unlawfully;
- the data must be erased in compliance with Union or Member State law which applies to the controller; or
- the data pertain to a child younger than 16 years of age and were collected via an information society service.
Although the right to erasure is not limited to data processing that results in substantial damage or distress for the data subject, such a result would strengthen the case for erasure.
There are also grounds for refusing erasure, which include data processing for the purposes of:
- exercising the right to freedom of expression and information;
- complying with a legal obligation to perform a task in the public interest or to exercise official authority;
- acting in the interest of public health;
- archiving in the public interest, for the purposes of scientific or historical research, or for statistical purposes;
- defence of legal claims.
If the controller has made the data accessible to others, it is required to contact each data recipient and inform them of the erasure request (unless this proves impossible or results in an undue burden). The data subject may also request that the controller inform them of all recipients of their data.
Unlike the GDPR, the DPA contains no list of specific situations in which the right to erasure must be granted. Data subjects may request erasure at any time, but this right is not absolute. The controller may refuse to erase data in cases in which processing is provided by law or there is an overriding public or private interest in processing the data. Consequently, the interests of the controller and the data subject must be weighed against each other whenever an erasure request is made.
Right to restriction of processing under the GDPR and DPA
Data subjects also have the right to suppress the processing of their data under the following circumstances:
- the accuracy of the data is contested by a data subject and the controller requires time to verify the accuracy of the data;
- the processing is unlawful but a data subject requests restriction rather than erasure;
- the controller no longer needs the data, but the data subject requires the data to establish, exercise or defend a legal claim;
- a data subject objects to the processing of their data despite it being necessary for the performance of a task in the public interest or for the purposes of a legitimate interest, and the controller requires time to weigh its own interest against that of the data subject (we will further elaborate on this topic in our next newsletter).
Once processing has been restricted, the controller can, in principle, only store the data. Any further processing is only possible with the data subject’s consent or in a few specific situations expressly listed in article 18(2) of the GDPR (for example, to protect a third party’s rights). The controller must inform the data subject if it decides to lift a restriction on processing.
Even though the DPA does not explicitly provide for a right to restriction, data subjects may still request to restrict the processing of their data. However, the right to restriction is not absolute and, as with a request for erasure (see above), a balancing of interests must take place in each specific case.
Communication and notification obligations for rectification, erasure and restriction
Under the GDPR, the controller is obliged to respond within one month to a request for rectification, erasure or restriction. This period can be extended by two months in the case of complex requests. If a controller does not act upon a data subject’s request for rectification, erasure or restriction, the controller must inform the data subject of its reasons for non-performance. In that case, the controller must also inform the data subject of their right to lodge a complaint with the supervisory authority, and their right to a judicial remedy.
In case of any rectification, erasure or restriction, the GDPR requires that controllers notify all recipients of the data in question (unless this proves impossible, or would result in an undue burden).
The DPA contains no rules regarding timing, nor any requirement for controllers to inform recipients in case of rectifications, erasures or restrictions. However, in case of legal proceedings, data subjects may request such measures, or for the corresponding judgement to be published or communicated to third parties.
Compliance with the highest standards
The safest approach for controllers is to comply with the highest standards of both the GDPR and the DPA.
- set up internal procedures and protocols for handling requests from data subjects regarding rectification and erasure of data, or restriction of processing, in compliance with both the GDPR and the DPA. Such protocols should also include procedures for verifying the data subject’s identity.
As the GDPR will be applicable next May 25, it is time to actively prepare for it.
To help you in this compliance exercise, we will delve deeper into each of the essential GDPR topics in a series of articles that we will publish over the next weeks.
Joanne Zaaijer, Attorney at law, Associate
Joanne Zaaijer, attorney at law, is an associate in our Rotterdam office. She focusses on data protection and privacy law, telecommunications, life sciences, advertising and e-commerce. T: +31 (0)10 224 6164 M: +31 6 53 57 74 21 E: Joanne.Zaaijer@loyensloeff.com