Data Subjects Rights

The individuals rights in the Directive is enhanced in the GDPR and the new right ofdata portabilityis added. The rights are furthermore backed up by provisions that make it easier to claim compensations and generally to enforce the rights of the individual. In the following the different rights and their changes is presented by the article representing them.

Art. 12(1),13,14: Transparency

The enhanced rights for individuals builds largely on greater transparency. Article 12(1) states that information must be provided by controllers to the data subject in a concise, transparent and easily accessible form, using a clear and plain language. Article 13 provides a list of information that must be provided at the time of data acquisition from the data

3.3. Key Changes

subject. While Article 14 provides different requirements that apply when information is not acquired from the data subject.[54]

Art. 15 Right to access

The existing regime of the Directive largely holds, but some additional information must be disclosed.[54]One dramatic shift and a big empowerment of the data subject is the right to obtain from the controller confirmation as to whether or not personal data is being processed.

The controller will on such request be required to provide a copy of the personal data in an electric format, free of charge.[55]This means that the barrier for individuals to get access to their personal information almost completely removed and may in the future demand excess resources for organisations to provide information on request.

Art. 17: Right to be forgotten

The right to be forgotten, also known as right to erasure, provides the data subject the right to have his or her personal data erased, disclosure of personal data ceased and processing by third parties halted. These conditions include breach of the purpose limitation principle and lawful processing as well as if consent is withdrawn.

The right is however not absolute as it arises only in a quite narrow set of circumstances where the there is no legal ground for the controller to process the information.[54]In a practical sense this may create situations where third parties may have legal grounds for processing although the party providing them with the information has not.

Also it is worth mentioning that the practical impact of such a decision to erase personal information may not be of public interest.[54]Hence the right requires controllers to com-pare the subjects’ right to the public interest in the availability of the data.

Chapter 3. The General Data Protection Regulation

Art. 20: Right to data portability

The current directive has no equivalent to this article and this article brings about an en-tirely new right. The data subject has the right to transmit from one controller to another their personal data. [54]The purpose of this is to empower the data subject. It will also foster competition between controllers in the EU by supporting the free flow of personal data. Controllers will face new challenges in order to ensure heightened user control The right to data portability will require businesses in a wide range of areas to ensure that they can hand over personal data in a usable and transferable format.

In this process, businesses face new challenges in order to provide better control to users.

Article 12requires controllers to provide modalities to facilitate the excercise of the data subjects rights. In this context requiring implementation of systems responsive to user requests concerning their data such as interfaces and customer support services.

Article 20is one of the more controversial topics when discussing the implementation of the Regulation. Particularly applicable to the problem of this thesis is the discussion to whether the right may discourage companies and service provider from creating propri-etary information.[56]

Art. 21: Right to object

The right to object to processing of personal data for direct marketing purposes remains as provided in the Directive. A new addition in the Regulation is the right to object to to processing which is legitimized on the grounds of the data controllers legitimate interest or in interest of the public.

If an objection were to be submitted the controller will have to suspend any further pro-cessing until the can demonstrate "compelling legitimate grounds" for propro-cessing.

Art. 22: The right not to be subject to automated decision taking, including profiling

Article 15 in the Directive came with ambiguity that rendered it inadequate with techno-logical development especially in the department of intelligent systems such as artificial

3.3. Key Changes

intelligence.[53]The GDPR expands upon this right and refers explicitly to profiling as an example of automated decision making. Automated decision making and profiling is only permitted where necessary for entering of performing a contract; authorized by EU or Members State Law, or; the data subject has given their explicit consent, such as an opt-in decision.[49]

Still of concern is the scope and ambiguity of this right. Especially when considering legit-imate profiling to detect cybercrime and fraud. Also the online advertising industry and website operators are expected to face new challenges with the GDPR requiring them to revisit their mechanics for customer consent. In particular justifying online profiling for behavioral based advertising.[54]