PART 7: RIGHTS OF DATA SUBJECTS
(Samwel Gerald Mbawala)
This part discusses, albeit in brief, the rights of data subjects. Data subjects’ rights are at the center of any data protection legislation. They are like gravitational force which produce the much needed balance. Without adequate provisions on data subjects’ rights, the ultimate objects of the data protection legislation can hardly be achieved. As introduced in part five, the following are the predominant rights of the data subjects:-
- the right to be informed
- the right to access
- the right to rectification
- the right to erasure (to be forgotten)
- the right of restriction
- the right to data portability
- the right of objection
- rights in relation to automated decision making and profiling
- the right to withdraw consent
- the right to complain.
7.2.1 The right to be informed
The data subject has a right to be informed the purpose for which his data are collected or processed. Furthermore, he is entitled to know the security measures and other protection which the data controller or processor has in place to ensure confidentiality and integrity of the data. Equally, the data subject is entitled to know in advance whether his data will be shared with the third parties, the extent of such sharing and any necessary repercussions. Technically, the right to information allows data subjects to know what personal data is collected about them, why, who is collecting data, how long it will be kept, how they can file a complaint, and with whom will they share the data. The following information are required to be provided to the data subjects before data collection or processing; the data controller’s information and contact details; purpose of data processing; legal basis for personal data processing; third party details; data retention period, rights granted to the data subject under the data protection law, the right to file a complaint and whether the individual is obligated to provide the personal data.
7.2.2 The right of access
Right of access is fundamental as any other rights of a data subject. The data controller or processor is obliged to grant an access to the data subject. The access is usually relates but not limited to confirmation of data processing, access to your personal data and other supplementary information related to the collected data and processed data. Any effective data protection legislation must put in place a mechanism to ensure that the data subject can make application or request for the access of data.
7.2.3 The right to rectification
It may happen that the data processor may have in storage the data of the subjects which are not correct. Either it was not collected properly or through inadvertent act of the data processor. To rectify this anomaly, the data subject must be granted a right to request rectification of his personal data. This seeks to ensure that the personal data stored is accurate. The right extends also to data which are incomplete. This right carries with an obligation on the data processor to ensure an up to date personal data.
7.2.4 The right to erasure/be forgotten
Personal data are one’s property as you may see more about this on the other art of this series. Due to that one has an absolute right to determine what data should be available and which data should not be available unless the retention or provisions of such data is mandated by the law. Therefore under certain circumstances, the data subject have the right to request for erasure of his personal data. These circumstances include but not limited to:-
- When personal data is no longer necessary in relation to the purpose for which it was collected/processed.
- When a data subject has withdrawn consent.
- When the data object the processing of data and there is no overriding legitimate interest to continue processing
- When personal data was unlawfully processed or should be erased to comply with a legal obligation.
- When the data subject is no more. This right extends to the personal legal representative.
Although there are situations where organizations can decline the request. For instance, for reasons in the public interest or compliance with legal obligations. If a data subject exercises their right to erasure, the organization has to notify any third parties with whom the data was shared and request the erasure of data.
7.2.5 The right to restrict processing
Data subjects can request that an organization limits the way it uses their personal data. To put it plain and simple, data subjects can demand the data controller or processor to refrain from processing their personal data. This right can be exercised under the following circumstances:-
- When the data is inaccurate (during the verification process).
- When the processing is unlawful but the data subject does not want the data to be erased and requests restriction (which is different from the right to be erased).
- When the data controller no longer needs data, but the data subject wants the data to be preserved so the legal claim can be exercised.
Once the data is restricted, the data controller or processor is not allowed to process it unless they have the data subject’s consent, they need it for legal claims or to protect the rights of other individuals.
7.2.6 The right to data portability
The right to data portability allows the data subject to move, copy or transfer personal data easily from one IT environment to another in a safe and secure way, without hindrance to usability. This enables the data subject to obtain and reuse his personal data across different services. Every data controller or processor must provide mechanism to ensure data portability. However, this right may be limited for practical convenience when the data is not processed by automated means. Data subjects can also request for their data to be transferred directly to another organization.
7.2.7 The right to object
The data subject has the right to object processing of personal data in certain circumstances. The right to object is different from the right of restriction, while the former demands the data controller or processor to absolutely stop processing the data, the latter only restrict such processing due to various reasons.
7.2.8 Rights relating to automated decision making and profiling
Some personal data are processed by the automated means. Importantly to note, such processes may influence certain decision which may affect data subject’s rights. This is called automated decision making process. The automated decision-making takes place when an electronic system uses personal data to make decisions without human intervention. Owing to its effect, the data subjects have the right not to be subject to automated decision-making, if and only if, it is producing a legal effect that significantly affects them. However, this rule will not apply if the processing is necessary for the performance of a contract, if it is authorized by the law, or if the processing is based on explicit consent of the data subjects.
7.2.9 Right to Complain
Every data protection legislation must provide for a mechanism through which the aggrieved data subjects may lodge complains. It is safe and sound to argue that, this right is an artery of the data protection legislation. It helps in keeping the data controller and processor in check and ensure compliance with the provisions of the law. The complaint can be lodged to the data protection authorities, courts as well as data controller in event there is an independent dispute resolution mechanism.
7.3 Transmission of Rights
Data subjects’ rights are transmissible. This means that, if the data subject expires, his legal personal representative or heirs, may exercise the rights of the deceased data subjects as if he is still alive. All those rights which a living data subject can exercise, can be exercised by the legatee of the data subjects.
As stated in the introductory part above, data subjects’ rights are the artery and veins of the data protection legislation. They are the spirit carrier, without which, the organs of a legislation won’t move an inch. Therefore, it is critical for every data protection legislation to include provisions on data subjects’ rights. Of course, it is jurisprudentially acceptable that every right must have a corresponding obligation. The data subjects are not exception to that noble proposition. However, the only acceptable obligation of the data subjects is that of providing accurate and up to date data, when the same is required by the data collector, controller or processor.
This current article encompasses the seventh part of the data protection and privacy articles series. The next part which is titled sector specific data protection and privacy compliance in tanzania will be released on 13rd July 2022.
This article is not intended to provide legal advice but to provide general information on the matter covered in the Article. The article does not constitute and is not to be relied upon as legal advice. Victory Attorneys & Consultants shall not be responsible for any loss in the event this Article is relied upon without seeking our professional advice first.