Data Subject Rights (DSR)

Find out about the different rights introduced by the GDPR.

The GDPR reaffirms the rights of individuals, introduces the right to data portability and strengthens the obligations incumbent on the controller. Data subjects have the right to retain control of their data. The person in charge of the processing must explain to them how to exercise these rights. When exercising their rights, applicants must obtain a response within one month (two months in the case of complex requests).

Two major obligations for the controller:

  • Inform those concerned about the use of their private data (purpose, duration of archiving, etc.) and how to exercise their rights

  • Inform the persons concerned of the execution of operations in accordance with the exercise of the rights of rectification, erasure or limitation

3 common operational rules for the rights of individuals:

  • Response time of one month from the request (2 months in case of complex request)

  • No fees for the exercise of rights, except in the case of manifestly unfounded or excessive claims

  • Traceability of requests and responses

The right of access to information

To be fair and lawful, the collection of personal data must be accompanied by clear and precise information to the people concerned on:

  • the identity of the person in charge of the request;

  • the subject of the request;

  • the compulsory or optional nature of the replies and the consequences of failure to reply;

  • the recipients of the data;

  • their rights (right of access, rectification and opposition);

  • data transfers possible to third countries.

The information precedes the collection of data. The medium for this information varies according to the characteristics of the Personal Data Processing Register (for example, an information panel for video surveillance, a notice on a form, or reading this information aloud when data is collected by telephone).

The right of access can be exercised:

  • In writing: postal mail, accompanied by a copy of an identity document. Ideally, by registered mail with acknowledgment of receipt

  • On site: with presentation of an identity document. It is possible to be accompanied by the person of your choice. The consultation should last long enough to take note of the data in a practical and complete manner. It is possible to request a copy of the data.

The processing record manager has a maximum response time of one month from the date of receipt of the request. If the request on site cannot be satisfied immediately, a dated and signed acknowledgment of receipt must be given to the requester. If the request is incomplete (absence of identity document for example), the person in charge of the file has the right to request additional information: the period is then suspended and begins again once these elements have been supplied.

How to send the data?

The elements communicated must be easily understandable. The codes, acronyms and abbreviations used must be explained (possibly through a glossary). For example, "Segmentation: A +" means that you are considered a VIP customer.

Limits of the right of access

The processing record manager can:

  • refuse the access request: in this case, he must justify his decision and inform the requester of the means and time limits for appeal;

  • decline to respond to requests that are manifestly unreasonable in number, or repetitive or systematic in nature (for example, requesting a full copy of a recording every week).

When the controller does not have any data on the person exercising the right of access (for example, the data has been deleted or the organization does not have any data on the person), he must reply to the requester within one month. The right of access must be exercised with respect for the rights of third parties: an employee of a company cannot obtain data relating to another employee.

Consent is an active, explicit and preferably written action by the user which must be free, specific and informed. In an online form, this can happen, for example, by a check box that is not checked by default. Consent is "prior" to the collection of data.

The prior consent of the data subject is required, in particular:

  • In the event of collection of sensitive data

  • Reuse of data for other purposes

  • Use of cookies for certain purposes

  • Use of data for electronic commercial prospecting

The right to object

People must be able to oppose the re-use of their contact details by the person responsible for the file for the purposes of solicitations, in particular commercial ones, when placing an order or signing a contract. A check box, not checked by default, should allow them to express their choice directly on the form or the order form to be completed. The mere mention of the existence of this right in the general conditions is not sufficient. Any person has the right to oppose, for legitimate reasons, the processing of their data, unless it meets a legal obligation (e.g. tax records).

The right of access and rectification

Anyone can access all the information concerning him; know the origin of that information; access the information on which the person in charge of the file relied to make a decision concerning him (for example, the elements which would have been used not to grant you a promotion, or the score assigned by a bank that led to the rejection of your credit application); obtain a copy (fees not exceeding the cost of reproduction may be requested); and require that his data be, as the case may be, rectified, supplemented, updated or deleted.

The right of portability

  • Data subjects may request to receive, in a structured, commonly used and machine-readable format, data concerning them which they have provided to a data controller.

  • Where technically possible, they may also request that this data be transmitted directly from one controller to another.
