It is now 2018, and you have only a few months left to fully prepare your organization for the AVG, which will be enforced from 25 May. In part 1 we explained how you can prepare your organization for the AVG, and in part 2 we told you more about the processor agreement.

In part 3 of this blog series we tell you more about the right of access and rectification, the right to be forgotten and the right to data portability.

Right of access and rectification

The right of access and rectification already exists under current legislation. The AVG expands these rights.

People have the right to access their personal data. This means that data subject X (the person whose data the organization processes) can ask organization Y whether it processes personal data about him and, if so, which data. Person X does not have to give organization Y a reason for this access request. Everyone is free to approach organizations and ask whether they are processing their personal data.

If a data subject asks for access, the organization must inform the data subject in a clear and comprehensible way:

  • whether the organization uses his personal data, and if so:
    • what data is involved;
    • what the purpose of the use is;
    • to whom the organization has (possibly) provided the data;
    • if this is known, what the origin of the data is.

The most obvious way to handle this is to send a digital copy of the data to the data subject who requests access.

Scope of the right of access

The right of access applies only to the data of the person concerned. The person concerned can therefore not request information about his neighbor's data.

Does an organization use personal work notes as a reminder? Such a reminder could be that you know that person X only works Monday through Wednesday. These personal work notes are not covered by the right of access. Does the organization record such a note in a file, or provide it to others? In that case, the person whom the data concerns does have the right to inspect these notes.

If the person concerned discovers errors or omissions in the data supplied to him, he has the right to have these data rectified or completed. This request must be executed 'without unreasonable delay'.

Right to be forgotten

Article 17 of the AVG contains the right to be forgotten. This right means that in a number of cases organizations must erase personal data if a data subject asks for it.

Scope of the right to be forgotten

The right to be forgotten applies only in the following situations:

  • No longer necessary

The organization no longer needs the personal data for the purposes for which they were collected or processed.

  • Withdrawal of consent

The person concerned has previously (explicitly) given consent for the use of his data, but now withdraws that consent.

  • Objection

The data subject objects to the processing of his personal data. According to Article 21 of the AVG, there is an absolute right of objection against direct marketing. A relative right of objection applies if the rights of the person concerned outweigh the interest of the organization in processing the personal data.

  • Unlawful processing

The organization processes the personal data unlawfully, for example because there is no legal basis for the processing.

Legal bases are:

  • Consent of the person concerned;
  • Execution of an agreement;
  • Legal obligation;
  • Vital interest of the person concerned;
  • Carrying out a public law task;
  • Legitimate interest of the organization.

  • Legally specified retention period

The organization is legally obliged to delete the data after a certain time. For payroll administration, for example, there is a statutory retention period of a maximum of 2 years after termination of the employee's employment.

  • Children

The person concerned is younger than 16 years and the personal data is collected via an app or website.

The right to data portability (transferability of personal data)

The AVG gives data subjects a new right: the right to data portability, or the right to the transferability of personal data.

This means that the data subject has the right to receive the personal data that an organization holds about him. This concerns the data that the person concerned has provided to the responsible party (the organization). It also includes data provided by the person concerned through the use of a product (such as search history, location data, purchases, etc.). The data subject can then save this data for personal (re)use. You may also be requested to pass the data on to a third party (the new responsible party). This is possible, for example, when someone wants to switch to another provider, or if the person concerned wants to use a service from another organization.

The organization that provides the data may not obstruct the data subject in this. It must ensure that the data can be easily obtained and passed on.

Which data fall under the right of data portability?

  • It is only about digital data. Paper files are not covered here.
  • It concerns personal data that is processed
    • either with the consent of the person concerned
    • or under an agreement with the person concerned

What is the difference between the right of access and the right to data portability?

Under the current legislation, data subjects have the right to request access to the personal data that an organization processes about them. Organizations may decide for themselves how they provide the data for inspection. For example, organizations can choose not to send the data to the data subject, but to invite the data subject to view his data on the spot.

Under the right to data portability, organizations must provide the data in a form that makes it easy for the data subject to re-use his data and pass it on to other organizations. Organizations are therefore required by law to provide the data to the data subject in a structured, widely used and machine-readable format.

Information obligation under the AVG

On the basis of the obligation to provide information, the data subject must be informed about his rights under European privacy legislation. You can share this information in the privacy statement. You can place it on the website of your organization, in a pop-up on the registration form for the newsletter, or with other documentation that a person receives.

Make sure that you provide this information at the moment you receive the personal data of a person. A privacy statement may not be sent afterwards, but must be immediately available to the data subject.

What must be included in a privacy statement?

The privacy statement must be drawn up in 'concise, transparent, comprehensible and easily accessible form and in clear and simple language'.

What's in it:

  • The name and contact details of the (representative and) responsible person;
  • The contact details of the Data Protection Officer (if applicable);
  • The purpose and legal basis of the processing of personal data;
  • The legitimate interests of the controller (or third party) if this is the legal basis for the processing of personal data;
  • Any recipients or categories of recipients of the personal data in case of retransmission;
  • If transfer of personal data takes place to a country outside the EU: what appropriate safeguards have been taken to ensure privacy in that country;
  • The storage period (and the criteria for determining the term);
  • The person concerned must be informed that he has the:
    • Right to inspect the personal data processed by the controller;
    • Right to be forgotten;
    • Right to rectification and supplementation of his personal data;
    • Right to restriction of processing (the right to have less data processed);
    • Right to data portability;
    • Right to human involvement in decisions (with regard to automated decision-making and profiling). Examples include the automatic refusal of applications via the internet without human intervention;
    • Right to object (the right to withdraw previously given permission);
    • Right to lodge a complaint with the Dutch Data Protection Authority if a person concerned thinks this is necessary;
  • Whether the controller uses automated decision-making (including profiling), together with useful information about the logic, the significance and the consequences for the data subject.