One of the key objectives of the new European General Data Protection Regulation (GDPR) is to ensure the privacy and protection of the personal data of data subjects. To help data subjects in being assured of the protection and privacy of their personal data, GDPR empowers data subjects with certain rights. Through these rights, data subjects can make a specific request and be assured that personal data is not being misused for purposes other than the legitimate purpose for which it was originally provided. Let us understand the different rights requests that a data subject can make as a customer, as an employee, and as personnel of a supplier.
This right provides the data subject with the ability to ask a company for information about what personal data (about him or her) is being processed and the rationale for such processing. For example, a customer may ask for the list of processors with whom his or her personal data is shared.
This right provides the data subject with the ability to get access to his or her personal data that is being processed. This request provides the right for data subjects to see or view their own personal data, as well as to request copies of the personal data.
This right provides the data subject with the ability to ask for modifications to his or her personal data in case the data subject believes that this personal data is not up to date or accurate.
This right provides the data subject with the ability to withdraw a previously given consent for processing of their personal data for a purpose. The request would then require the company to stop the processing of the personal data that was based on the consent provided earlier.
This right provides the data subject with the ability to object to the processing of their personal data. Normally, this would be the same as the right to withdraw consent, if consent was appropriately requested and no processing other than legitimate purposes is being conducted. However, a specific scenario would be when a customer asks that his or her personal data should not be processed for certain purposes while a legal dispute is ongoing in court.
This right provides the data subject with the ability to object to a decision based on automated processing. Using this right, a customer may ask for his or her request (for instance, a loan request) to be reviewed manually, because he or she believes that automated processing of his or her loan may not consider the unique situation of the customer.
Also known as right to erasure, this right provides the data subject with the ability to ask for the deletion of their data. This will generally apply to situations where a customer relationship has ended. It is important to note that this is not an absolute right, and depends on your retention schedule and retention period in line with other applicable laws.
This right provides the data subject with the ability to ask for transfer of his or her personal data. As part of such request, the data subject may ask for his or her personal data to be provided back (to him or her) or transferred to another controller. When doing so, the personal data must be provided or transferred in a machine-readable electronic format.
A rights request can be made by an individual or an individual’s legal representative. Such individual could be a customer, an employee, or personnel of a supplier working for the company. Also, such request should usually be made in writing. To the Data Protection Officer at dpo@royalgib.police.gi
Data subject rights form the core of GDPR. It must be noted that as a law enforcement body the Royal Gibraltar Police may be exempt from some of the above obligations. This can be checked with our Data Protection Officer on the email address above