Data Subjects' Rights

By Hugo Ribeiro, Certified Accountant · Member of the Order of Certified Accountants · HVR Business Consulting

Introduction

The General Data Protection Regulation (GDPR) has significantly changed how companies and organizations in Portugal and the European Union must handle personal data. One of the pillars of the GDPR is the rights of data subjects, aimed at ensuring transparency and control for individuals over their personal information.

Right of Access

The right of access allows data subjects to obtain confirmation of whether their personal data is being processed and, if so, access that data and obtain additional information. This right is enshrined in Article 15 of the GDPR. For instance, a customer can request a company to provide information about the personal data it holds about them, the purpose of processing, and with whom the data has been shared.

Right to Rectification

Under Article 16 of the GDPR, data subjects have the right to correct inaccurate or incomplete personal data. Imagine a scenario where a customer notices their email address was incorrectly registered. They can request the company to correct this information to ensure data accuracy.

Right to Erasure (Right to be Forgotten)

Article 17 of the GDPR establishes the right to erasure, also known as the "right to be forgotten." This right allows individuals to request the deletion of their personal data under certain circumstances, such as when the data is no longer necessary for the purposes for which it was collected. For example, if a customer stops using a company's services and requests their data to be deleted, the company must comply unless there are legal reasons to retain the data.

Right to Restrict Processing

According to Article 18 of the GDPR, data subjects can request the restriction of the processing of their personal data in certain situations, such as when they contest the accuracy of the data. While the accuracy of the data is being verified, the data subject may request that processing be restricted.

Right to Data Portability

Article 20 of the GDPR introduces the right to data portability, which allows individuals to receive the personal data they provided to a controller in a structured, commonly used, and machine-readable format, and transmit those data to another controller. For example, a customer of a telecommunications provider can request the transfer of their data to another provider.

Common Mistakes to Avoid

A common mistake is failing to respond promptly to data subjects' requests. The GDPR stipulates that responses must be given without undue delay and, in any case, within one month (Article 12, paragraph 3).

Conclusion

Companies should implement clear and efficient policies to handle data subjects' rights, ensuring compliance with the GDPR. Continuous team training and regular review of data protection practices are essential. For more information or assistance, contact HVR Business Consulting.

Sources and Legal References

  • General Data Protection Regulation (GDPR) - Articles 12, 15, 16, 17, 18, 20

Key Takeaways

  • Ensure transparency in personal data processing in Portugal.
  • Respond to GDPR rights requests within a maximum of one month.
  • Guarantee data access, rectification, and portability rights.
  • Implement clear data protection policies and ongoing training.

FAQ

What are data subjects' rights under GDPR?

Data subjects' rights are prerogatives granted by the GDPR to individuals to control their personal information, such as access, rectification, erasure, and data portability.

How should my company respond to an access request in Portugal?

Your company must confirm to the data subject whether their data is processed and provide access to it, explaining the purpose and who accessed it. The response must be given without undue delay and within one month.

What is the importance of the right to be forgotten for Portuguese companies?

The right to be forgotten requires the company to erase personal data when it is no longer needed, unless there are legal reasons to retain it. Compliance is crucial to avoid GDPR fines.

When does the right to data portability apply in Portugal?

The right to portability applies when the data subject requests data transmission to another controller, in a structured, machine-readable format. It is essential for services with transferable data.