+45 45 34 44 00
Need a penetration test?
Contact us for a no-obligation conversation about your security needs.
Contact us13. Personal Rights
Persons whose data you process have rights to their data: right to access, rectification, objection, deletion, data portability, and restriction of processing. You must enable them to effectively exercise their rights and implement technical solutions in your systems that ensure these rights are handled correctly.
If you plan in advance how users can contact you and how you handle their requests, you can manage the exercise of these rights more effectively.
Minimum Measures to Implement
All organizations that process personal data have a duty to indicate where and how individuals can exercise their rights in relation to this data. For example, you can provide an email address or a web form link in your privacy policy.
To facilitate the exercise of persons’ rights, these can also be implemented – fully or partially – directly in the application or software you develop. This is not a legal requirement, but it can meet users’ expectations and reduce the time and complexity of processing such requests.
If a person gets direct access to exercise their rights, you must ensure secure authentication. In general, you should also log all operations that affect personal data.
Examples of Rights and Possible Implementations
Right of access: Persons have the right to receive a copy of all information you have about them. This allows them to verify whether their data is being processed and to receive a readable copy in an understandable format. Possible implementation: Offer a feature that displays all data related to a person. If there is a lot of data, it can be divided into multiple views. For very large amounts of data, the user can be offered to download an archive of their data.
Right to deletion: Persons have the right to request that all their data be deleted. Possible implementations:
- Offer a feature that deletes all data related to a person.
- Ensure automatic notification to data processors so data is also deleted with them.
- Ensure data is deleted from backups, or implement an alternative solution that prevents recovery of deleted data.
Right to object: In certain cases, persons have the right to object to their data being used for a specific purpose. Possible implementation: Offer a feature where the user can object to the processing. If a person exercises this right, you must delete already collected data and no longer collect new data about them.
Right to data portability: Persons have the right to retrieve their data in a machine-readable format, either for their own use or for transfer to another organization. Possible implementation: Offer a feature that makes it possible to download the person’s data in a standard format (CSV, XML, JSON, etc.).
Right to rectification: Persons have the right to request changes to their data if it is incorrect, to limit the use or spread of erroneous information. Possible implementation: Allow users to correct their information directly via their account.
Right to restriction of processing: Persons can request that processing of their data be blocked for a period, e.g., while a dispute about the use of their data is being investigated. Possible implementation: Allow administrators to put a person’s data in “quarantine” so it can neither be read nor modified.
Conclusion
The website Data & Design developed by CNIL’s Digital Innovation Laboratory explains these concepts and contains examples of interfaces for exercising rights.
Be creative!