Appendix 1 – A GDPR mini overview. Learn the law, use the law

Clive Humby, back in 2006, stated that “data is the new oil”. Years later Hewlett Packard Enterprise president Antonio Neri stated that “data is the new currency”1. Both metaphors are quite apt. Data in their rawest form, just like oil, are of little use; once refined, however, they can yield invaluable information about the person they belong to2. When companies came to understand the value of the information that can be extracted from our data, they started to find ways to collect it, the most common one being through the web pages we visit. We assume the access is free; in reality the exchange is quite unbalanced, since we actually pay for our access with a huge amount of our data.

A few years ago (it has applied since 25 May 2018), the General Data Protection Regulation (GDPR, Regulation (EU) 2016/679) came into effect, in order to give us, as owners of our data, a decent amount of control over them and to limit as far as possible the unjustified collection of our data, or even prohibit it altogether in the absence of a legal basis.

The first step is to always read the Terms & Conditions and the Privacy Policy before agreeing to give away your data. In most cases you will then be able to understand how every site or company uses your data, which third parties also process them and for how long they are kept. At the same time, every site should also provide you with two or three crucial pieces of information: who the Data Controller is (the party that decides why and how your data are processed), who the Data Processor is (the party that processes your data on the controller’s behalf), where the GDPR requires one (Art. 37), who the Data Protection Officer is (the person who makes sure that your data are processed in accordance with the GDPR) and, in any case, an email address at which you can exercise your rights at any point in time.

The Most Important Rights of the Data Subject

  1. Right to receive information from the controller in a concise, transparent, intelligible and easily accessible form, using clear and plain language, regarding the processing of the data, in writing or by other means. The information may also be provided orally if the data subject so requests, provided that the data subject’s identity is proven by other means (Art. 12)
  2. When the data are obtained directly from the data subject: Right to receive information regarding the identity and contact details of the controller and, where applicable, the controller’s representative, the contact details of the data protection officer, the purposes of the processing for which the personal data are intended as well as the legal basis for the processing [only six legal bases exist, listed in Art. 6(1)] (Art. 13)
  3. When the personal data have not been obtained from the data subject: the controller shall provide the data subject with information regarding the identity and contact details of the controller and, where applicable, the controller’s representative, the contact details of the data protection officer, the purposes and the legal basis of the processing, the categories of personal data concerned, the recipients or categories of recipients of the personal data, if any, and, where applicable, that the controller intends to transfer personal data to a recipient in a third country or international organisation and the existence or absence of an adequacy decision by the Commission (Art. 14)
    Important sidenote: In both of the above cases (2) + (3), the data controller shall also provide information regarding the period for which the personal data will be stored or, if that is not possible, the criteria used to determine that period; the existence of the right to request from the controller access to and rectification or erasure of personal data or restriction of processing concerning the data subject and to object to processing, as well as the right to data portability; the existence of the right to withdraw consent at any time, without affecting the lawfulness of processing based on consent before its withdrawal; the right to lodge a complaint with a supervisory authority; the source from which the personal data originate and, if applicable, whether they came from publicly accessible sources; and the existence of automated decision-making, including profiling. When the data are collected directly from the data subject (Art. 13), this information must be given at the time the data are obtained. When they are not (Art. 14), it must be given within a reasonable period after obtaining the data, but at the latest within one month, or at the first communication with the data subject or the first disclosure to another recipient, if earlier.
  4. Right of Access by the Data Subject: The data subject has the right to obtain from the controller confirmation as to whether or not their data are being processed. If they are, the data subject has the right to access the data themselves and the following information: (1) the purposes of the processing, (2) the categories of personal data concerned, (3) the recipients or categories of recipients to whom the personal data have been or will be disclosed, (4) the envisaged period of storage of the personal data or, if not possible, the criteria used to determine that period, (5) the existence of the right to request from the controller rectification or erasure of personal data or restriction of processing of personal data concerning the data subject or to object to such processing, (6) the right to lodge a complaint with a supervisory authority, (7) where the personal data are not collected from the data subject, any available information as to their source, (8) the existence of automated decision-making, including profiling, and meaningful information about the logic involved, (9) if transferred to third countries or international organisations, the appropriate safeguards relating to the transfer. The controller must also provide a copy of the personal data undergoing processing; the first copy is free of charge. (Art. 15)
  5. Right to Rectification: The data subject shall have the right to obtain from the controller without undue delay the rectification of inaccurate personal data concerning him or her. Taking into account the purposes of the processing, the data subject also has the right to have incomplete personal data completed, including by means of providing a supplementary statement. (Art. 16)
  6. Right to Erasure / Right to be Forgotten: Probably the most important right we have. The data subject shall have the right to obtain from the controller the erasure of personal data concerning him or her without undue delay, and the controller shall have the obligation to erase the personal data without undue delay where one of the following grounds applies: (a) the personal data are no longer necessary in relation to the purposes for which they were collected or otherwise processed, (b) the data subject withdraws the consent on which the processing is based and there is no other legal ground for the processing, (c) the data subject objects to the processing and there are no overriding legitimate grounds for the processing, (d) the personal data have been unlawfully processed, (e) the personal data have to be erased for compliance with a legal obligation in Union or Member State law to which the controller is subject, (f) the personal data have been collected in relation to the offer of information society services to a child (Art. 8(1)). The right is not absolute: under Art. 17(3) the controller may refuse erasure where the processing is necessary, among other things, for exercising the right of freedom of expression and information, for compliance with a legal obligation, for reasons of public interest in the area of public health, for archiving, research or statistical purposes, or for the establishment, exercise or defence of legal claims. (Art. 17)
    Important Sidenote: Where the controller has made the personal data public and is obliged under the above grounds to erase them, the controller, taking account of available technology and the cost of implementation, shall take reasonable steps, including technical measures, to inform other controllers which are processing the personal data that the data subject has requested the erasure by those controllers of any links to, or copies or replications of, those personal data. (Art. 17(2))
  7. Right to Restriction of Processing: The data subject shall have the right to obtain from the controller restriction of processing where one of the following applies: (a) the accuracy of the personal data is contested by the data subject, for a period enabling the controller to verify the accuracy of the personal data; (b) the processing is unlawful and the data subject opposes the erasure of the personal data and requests the restriction of their use instead; (c) the controller no longer needs the personal data for the purposes of the processing, but they are required by the data subject for the establishment, exercise or defence of legal claims; (d) the data subject has objected to processing, pending the verification whether the legitimate grounds of the controller override those of the data subject. A data subject who has obtained restriction of processing, shall be informed by the controller before the restriction of processing is lifted. (Art. 18)
    Important Sidenote: The controller shall communicate any rectification or erasure of personal data or restriction of processing carried out, to each recipient to whom the personal data have been disclosed, unless this proves impossible or involves disproportionate effort. The controller shall inform the data subject about those recipients if the data subject requests it. (Art. 19)
  8. Right to Data Portability: The data subject shall have the right to receive the personal data concerning him or her, which he or she has provided to a controller, in a structured, commonly used and machine-readable format and shall have the right to transmit those data to another controller without hindrance from the controller to which the personal data have been provided, where: (a) the processing is based on consent or on a contract, and (b) the processing is carried out by automated means. Where technically feasible, the data subject may also have the data transmitted directly from one controller to another. (Art. 20)
  9. Right to Object: The data subject shall have the right to object, on grounds relating to his or her particular situation, at any time to processing of personal data concerning him or her which is based on Art. 6(1)(e) (processing necessary for the performance of a task carried out in the public interest or in the exercise of official authority vested in the controller) or on Art. 6(1)(f) (processing necessary for the purposes of the legitimate interests pursued by the controller or a third party), including profiling based on those provisions. The controller shall then no longer process the personal data unless it demonstrates compelling legitimate grounds for the processing which override the interests, rights and freedoms of the data subject, or grounds for the establishment, exercise or defence of legal claims. Where personal data are processed for direct marketing purposes, the data subject shall have the right to object at any time to processing of personal data concerning him or her for such marketing, which includes profiling to the extent that it is related to such direct marketing; after such an objection the data may no longer be processed for those purposes. (Art. 21)
  10. Automated individual decision-making, including profiling: The data subject shall have the right not to be subject to a decision based solely on automated processing, including profiling, which produces legal effects concerning him or her or similarly significantly affects him or her. This does not apply if the decision is necessary for entering into, or the performance of, a contract between the data subject and a data controller, if it is authorised by Union or Member State law to which the controller is subject and which also lays down suitable measures to safeguard the data subject’s rights, freedoms and legitimate interests, or if it is based on the data subject’s explicit consent. In the contract and explicit-consent cases the controller must still allow the data subject to obtain human intervention, to express his or her point of view and to contest the decision. (Art. 22)

These are our rights as outlined in the GDPR. It is important to know them, and it is important to exercise them. You have the right to rectify your data, to ask to have your data erased, to restrict the processing that takes place and, most importantly, to receive any necessary information in plain language regarding the processing of your data. Make sure to give away only the data that are necessary for the stated purpose and not any more, and make sure to ask for them to be erased once that purpose is fulfilled. Take your data into your own hands.


1 Limitone, Julie, ‘Data is the new currency, Hewlett Packard Enterprise president says’, Fox Business (24 January 2019), available at https://www.foxbusiness.com/business-leaders/data-is-the-new-currency-hewlett-packard-enterprise-president-says, accessed 12 May 2021

2 Chandrasekaran, Natarajan, ‘Is Data the New Currency?’, World Economic Forum (14 August 2015), available at https://www.weforum.org/agenda/2015/08/is-data-the-new-currency/, accessed 12 May 2021