GDPR, Part 2

In part 1 of this article, we warned about the looming deadline of 25 May 2018, the date by which the GDPR becomes enforceable. Part 1 of the article dealt with the scope of the GDPR. It also discussed how the GDPR introduces one single set of rules that applies in the whole of the EU, what the lawful bases of processing private data are, and about parties’ responsibility and accountability.

In part 2 of this article, we will first have a closer look at the most important ‘Digital Rights’ the GDPR introduces: the Right of Access (art. 15), the Right of Correction / Rectification (art. 16), the Right to Erasure (art. 17), and the Right of Data Portability (art. 20). We will then have a closer look at the changes that have been made in CICERO LawPack because of the GDPR.

Right of access by the data subject (Article 15): As the name says, the Right of Access is a data subject right. It gives EU inhabitants the right to get access to their personal data and to information about how these personal data are being processed. Upon request by the data subject, a Data Controller must provide an overview of the categories of data that are being processed (Article 15 (1) (b)), as well as a copy of the actual data (Article 15 (3)). The Data Controller must also inform the data subject of the details of the processing, such as: what the purposes of the processing are (Article 15 (1) (a)), with whom the data is shared (Article 15 (1) (c)), and how it acquired the data (Article 15 (1) (g)).

Right to rectification (Article 16) and the Right to Erasure (Article 17): As was the case under the old Data Protection Directive, data subjects also have the right to obtain from the Data Controller the correction of inaccurate data, and the completion of incomplete data, without undue delay (Article 16). In a famous case, the EU Court of Justice ruled in 2014 that EU inhabitants also had a right to be forgotten. In the GDPR, this right to be forgotten was replaced by a more limited right to erasure. Article 17 provides that the data subject has the right to request erasure of personal data related to them on any one of a number of grounds, including non-compliance with Article 6.1 (lawfulness), which includes a case (f) where the legitimate interests of the controller are overridden by the interests or fundamental rights and freedoms of the data subject that require protection of personal data.

Right of Data Portability (Article 20): The British Information Commissioner’s Office (ICO) summarizes the right to data portability as follows: [it] “allows individuals to obtain and reuse their personal data for their own purposes across different services. It allows them to move, copy or transfer personal data easily from one IT environment to another in a safe and secure way, without hindrance to usability. It enables consumers to take advantage of applications and services which can use this data to find them a better deal, or help them understand their spending habits.” The right applies both to data that has been ‘provided’ by the data subject and to data that has been ‘observed,’ such as information about their behaviour. The Data Controller must comply with the data subject’s request, and must provide the data in a structured, commonly used, open-standard electronic format.

The GDPR contains far more provisions, e.g., on data breaches (art. 33-34), on the Data Protection Officer (art. 37-39), and on sanctions and pseudonymisation, but those are beyond the scope of this article.

The GDPR and CICERO LawPack

To be compliant with the GDPR, parts of the core of CICERO LawPack had to be modified, e.g., in terms of encryption of the data. CICERO LawPack will also offer its users some additional functionalities.

The WebView portal will be enhanced so that all registered parties in CICERO LawPack can log in and access the data that are stored or processed by the program. It will subsequently be possible to submit a request for rectification or erasure of these data, provided this is possible: there may be legal implications for pending cases.

CICERO LawPack users will also have additional options to delete user-specific data, and will have the option to set up a policy that determines which categories of data, for which types of persons, can be recorded in CICERO LawPack. This is done to ensure that only the data necessary for keeping a case file are recorded. It will be possible to generate a report that provides an overview of how the data are being used as a result of those policies.

As far as our cloud provider is concerned, a draft processing agreement has been prepared and is currently being tested. For hosting providers, further adjustments may still be necessary to comply with the regulation, because in its current form there are areas where the GDPR is inadequate or leads to unworkable situations.
