GDPR (part 5 of 5): Your privacy and rights
In addition to the changes that the GDPR brings about within the university, it also influences your own privacy in daily life. This part discusses the influence of the GDPR on your own privacy, which rights you will receive as a data subject with regard to the processing of your personal data, and how strong your position is when exercising these rights.
Possibilities and responsibilities
The purpose of the GDPR is to offer individuals more possibilities to exercise influence and control over the processing of their personal data by third parties. This gives third parties more responsibilities and obligations that they must fulfil to legitimize the processing of personal data. In addition, they must consciously consider the intended purpose of the processing operations and must substantiate them adequately. The result will be that third parties will have to communicate far more transparently to the data subjects about which personal data they want to use and for which purposes.
Data subjects have a number of rights. The GDPR stipulates that withdrawing consent for the processing of someone's personal data must be as easy as giving it. Giving permission is always set up to be as easy and as unburdensome as possible for data subjects, to increase the chances of obtaining permission. Since the GDPR requires that consent must be given actively by data subjects instead of passively, this will be more relevant than ever. According to the literal text of the GDPR, simply actively indicating (i.e. sending an e-mail) that you want to withdraw your previously given consent ought to be sufficient.
Right to access
In addition to withdrawing consent, data subjects are also entitled to the rights of access, data portability and to be ‘forgotten’ (erasure). The right to access entails that a data subject can claim the right to view all of his or her personal data that is being processed, or has been processed in the past, by a third party, for which purposes and under which principles. A student can therefore request the university to view all of his or her personal data that are known and processed by the university. The university must then generate a document in which these aspects have been worked out in a transparent fashion.
Right to data portability
The right to data portability is the transferability of personal data between organizations at the request of the data subject. If we continue with the same example, a student can request his or her former educational institution to transfer his or her personal data to Leiden University, including, for example, basic personal details and payment data, but also previously obtained study results. With this right, the responsibility is placed with the organizations and the student is no longer forced to ask for a certified overview of obtained study results at his or her former educational institution and then to hand it over to the new educational institution.
Right to be forgotten
The last right is the right to be ‘forgotten’, also known as the right to erasure. The person concerned can request an organization to erase all his or her personal data and the organization is subsequently obliged to account for the erasure. The keen reader will immediately recognize a paradox here. The processor is required to show which data has been removed and in which systems or archives. This is by definition contradictory because the latter cannot precede the former and vice versa. In order to prevent confusion and contradictions, this right is referred to in the GDPR as the right to be ‘forgotten’. The processor therefore 'forgets', as it were, the personal data of the data subject and will therefore no longer process it in the future.
Honouring the rights
The honouring of these rights must take place within a reasonable time frame and it must not cost a disproportionate amount of time or effort for the processor to carry out. If students of Leiden University wish to appeal to one or more of these rights, they are required to identify themselves in person to the Data Protection Officer in Leiden. Although identifying the data subject in person is necessary to confirm his or her identity, it can also be experienced as a barrier.
The GDPR crowns many winners: you, he, she and me. The GDPR provides a variety of possibilities and rights to exert influence, which are also clearly described in the regulation, leaving little room for interpretation, discussion or refutation. Therefore, feel free to rely on these possibilities and rights, both in relation to your personal privacy and to your privacy on the work floor. Let your superiors know if you recognize defects in the workplace or have ideas to improve the security of the office spaces in the university buildings. Ultimately, everyone benefits if everyone works more consciously and carefully with personal data on the work floor.