GDPR - the EU’s Data Protection Regulation - gives individuals rights and imposes obligations on organizations. Read on for an overview.
General Data Protection Regulation: Obligations and rights

The General Data Protection Regulation (GDPR), which came into effect on May 25, 2018, is a law designed to protect individuals' personal data and to give them a range of rights to control the information that organizations hold about them. At the same time, the GDPR places several requirements on organizations to ensure that personal data is not misused or disclosed without consent while it is being processed.

Below, we have compiled both obligations and rights related to the GDPR, so you can get a complete overview and, hopefully, confirm that you’re fully compliant with the current requirements.

Data subjects’ rights under the GDPR

When an organization processes personal data, the data subject has several rights that the organization must respect:

  • Right to be informed: The data subject has the right to be informed about the collection of personal data in a concise and easy-to-understand format. This applies both to information collected directly from the data subject and to information collected from other sources.
  • Right of access: The data subject has the right to see what personal data is being processed about them within the organization. The data controller is then obligated to review and, in most cases, fulfill this request for access.
  • Right to rectification: The data subject has the right to have incorrect information rectified, and the data controller must, to the extent necessary, ensure that inaccuracies are corrected. In cases where there is a disagreement (between the data subject and the data controller) about whether the personal data is incorrect, the data controller must document the data subject's objection.
  • Right to erasure (or right to be forgotten): The data subject has the right - with certain exceptions - to have their personal data erased. If the conditions for erasure are met, the organization must ensure that the information is erased in a manner that prevents it from being recovered.
  • Right to restriction of processing: The data subject has the right - in certain cases - to have the processing of their personal data restricted. This may occur, for example, if the data subject believes that the personal data is inaccurate or is being processed unlawfully.
  • Right to data portability: The data subject has the right to receive the personal data held about them in a commonly used and readable format. Additionally, under certain conditions and where technically feasible, the data subject may request that the personal data be transferred from one controller to another.
  • Right to object: The data subject has the right to object to the otherwise lawful processing of their personal data. In such cases, the controller must determine whether the objection is justified and, if so, reconsider whether the processing is necessary.
  • Right not to be subject to automated decision-making: The data subject has the right not to be subject to decisions based solely on automated processing, including profiling.

Organizations’ obligations under the GDPR

One of the fundamental elements of the GDPR is that the data controller must have a lawful basis for processing personal data. This is known as the legal basis for processing. A data controller must not only determine which data will be collected and how the processing will take place; it must also define the legal basis on which that processing rests.

When the data controller must determine a legal basis, two factors influence the choice:

  1. Which type of personal data is involved? The regulation addresses two categories of personal data: regular and sensitive data (pursuant to Articles 6 and 9 of the GDPR).
  2. In what context does the processing take place? The data controller must consider the purpose of the data collection. Is it to comply with a legal obligation or to fulfill a contract? For example, an organization may need to use its employees' names and bank details to pay salaries.

The data controller must make an intentional choice regarding which legal basis or bases the data processing will rely on. This can often seem confusing and challenging, as several legal bases may be possible. Many organizations may be inclined to choose “consent,” as this appears to be a straightforward way to establish a legal basis. However, this is not always the most appropriate option. The data subject must always have the ability to withdraw consent, which means that the data processing must be stopped. If the processing of this personal data is central to the organization's daily operations, this could have critical consequences.

Many organizations overlook this when they select a legal basis for processing. Once a basis has been decided, the organization cannot simply switch to another if the first proves insufficient - for example, if consent is withdrawn. It is therefore essential to choose the appropriate legal basis from the start.

As an organization, the goal is to make compliance as easy as possible. It is important to take a risk-based approach that balances the rights of the data subjects with what is best for the organization - both legally and in terms of resources. As a data controller, this means selecting the legal basis that is strongest and most appropriate for the data processing.

When consent is the appropriate legal basis

Although consent is not always the best basis for processing, in some cases it may be the most appropriate option. To comply with the GDPR, certain conditions must be met for consent to be considered valid:

  • Freely given: Consent must be given voluntarily by employees and other data subjects.
  • Legitimate: There must be a lawful purpose for processing the personal data.
  • Specific: It must be specifically stated why you’re processing the data, how it will be used, who it will be shared with, and how the data subject can access the data or, if needed, file a complaint.
  • Informed: Consent must be requested in simple, clear language that cannot be misunderstood. It must also be separate from other topics - for example, not included as part of terms and conditions or other documents.
  • Unambiguous: Consent cannot be given tacitly. For lawful processing, the data subject must actively approve the data processing, for example, by checking a box.

Become GDPR Compliant

It can be difficult to make sense of the obligations and rights outlined in the General Data Protection Regulation, and many organizations cannot say with certainty whether they are GDPR-compliant or not. The fact is, if you cannot document your data protection efforts, they don’t exist - at least not according to the Danish Data Protection Agency.

If you want to ensure that your organization can always generate reports and document data and processes, you may want to consider investing in GDPR software. This can help streamline the collection of information, make processing activities transparent, and provide an overview of compliance efforts.

RISMA's GDPR software has been developed in collaboration with Plesner, the industry's leading experts in personal data protection. The system is designed to be user-friendly and accessible, even for those without specialized training in GDPR. If you're curious, feel free to request a demo at any time.
