Under Individual rights, GDPR introduces the right for individuals to have personal data erased. This is known as the Right to erasure (aka right to be forgotten). Individuals also have the right to access their personal data. This Right of access “allows individuals to be aware of and verify the lawfulness of the processing”.
If Agencies are using the Consent approach, note that individuals have the right to withdraw consent. The guidelines say they should “make it easy for people to withdraw consent at any time and publicise how to do so”.
If using the Legitimate Interest approach, individuals also have the Right to object to data processing based on legitimate interest or direct marketing. The Agency (Data Controller) must stop processing the data unless they can “demonstrate compelling legitimate grounds for the processing, which override the interests, rights and freedoms of the individual.” The Controller “must inform individuals of their right to object ‘at the point of first communication’ and in your privacy notice.”
Note: If you rely on legitimate interests, the Right to data portability does not apply.
Finally, the Right to rectification allows Individuals “to have inaccurate personal data rectified or completed if it is incomplete.”
The 8 Individual Rights
In summary, under ‘Individual Rights’ the ICO states that GDPR provides the following rights for individuals:
The right to be informed - Individuals have the right to be informed about the collection and use of their personal data.
The right of access - Individuals have the right to access their personal data and supplementary information.
- Agencies can use the workflow Subject Access Request to give individuals a login to the GDPR Portal where they can view their personal data.
The right to rectification - a right for individuals to have inaccurate personal data rectified or completed if it is incomplete.
- Agencies can already update fields in Adapt by using Edit mode, or by running workflows. However, users can now redact notes held in Journals by using the new modify journal notes function. Note: Users will need to have this feature switched on through their Adapt profile. Please contact your Erecruit representative to request this.
The right to erasure - a right for individuals to have personal data erased.
- Agencies can use the Right to be Forgotten workflow.
The right to restrict processing - individuals have the right to request the restriction or suppression of their personal data.
- Agencies can use the Restrict Processing workflow.
The right to data portability - allows individuals to obtain and reuse their personal data for their own purposes.
- When viewing their personal data through the GDPR Portal, the individual can print or use their documentation and take it elsewhere.
The right to object - Individuals have the right to object to processing based on legitimate interests and direct marketing. You must inform individuals of their right to object “at the point of first communication” and in your privacy notice.
- The Right to Object workflow can also be used to process a consent withdrawal request.
Rights related to automated decision making including profiling (making a decision solely by automated means without any human involvement, or automated processing of personal data to evaluate certain things about an individual) - You can only carry out this type of decision-making where the decision is necessary for the entry into or performance of a contract, or based on the individual’s explicit consent.
- Under the right to rectification, Adapt users can now modify journal notes. This can be used to ensure there is nothing on an Individual’s record that could be detrimental when running something like automatic Candidate matching. Note: Users will need to have this feature switched on through their Adapt profile. Please contact your Erecruit representative to request this.