Updated rights for individuals - more Accountability for businesses.

The General Data Protection Regulation entails a major overhaul of European data privacy rules, entering into effect on May 25, 2018. This website intends to guide individuals, but mainly businesses, through the maze of new rules, transparency obligations and reporting requirements, with a view to ensuring and maintaining compliance with this new legal framework.

In a nutshell, the GDPR on the one hand provides (updated and more) rights to individuals whose personal data is being processed and, on the other hand, imposes far reaching accountability obligations upon businesses and organisations that are processing such data.

Rather than providing a theoretical overview of such obligations, we have opted to provide tools that will help such businesses and organisations comply with this new regime.

Right of access: Data subjects have the right to obtain the following:

  • Confirmation of whether, and where, the controller is processing their personal data;
  • Information about the purposes of the processing;
  • Information about the categories of data being processed;
  • Information about the categories of recipients with whom the data may be shared;
  • Information about the period for which the data will be stored (or the criteria used to determine that period);
  • Information about the existence of the rights to erasure, to rectification, to restriction of processing and to object to processing;
  • Information about the existence of the right to complain to the DPA;
  • Where the data were not collected from the data subject, information as to the source of the data; and
  • Information about the existence of, and an explanation of the logic involved in, any automated processing that has a significant effect on data subjects.

Data subjects may also request a copy of the personal data being processed.

Right of erasure: The data subject has the right to obtain from the controller the erasure of personal data concerning him or her without undue delay and the controller shall have the obligation to erase personal data without undue delay where one of the following grounds applies:

  • The personal data are no longer necessary in relation to the purposes for which they were collected or otherwise processed;
  • The processing was based on the data subject’s consent and there is no other legal ground for the processing;
  • The data subject objects to the processing and there are no overriding legitimate grounds for the processing;
  • The personal data have been unlawfully processed;
  • The personal data have to be erased for compliance with a legal obligation in Union or Member State law to which the controller is subject;
  • The personal data have been collected in relation to the offer of information society services referred to in Article 8(1).

Where the controller has made the personal data public and is obliged to erase the personal data, the controller, taking account of available technology and the cost of implementation, shall take reasonable steps, including technical measures, to inform controllers which are processing the personal data that the data subject has requested the erasure by such controllers of any links to, or copy or replication of, those personal data.

New Rights Introduced by the GDPR:

Right to restrict processing: The data subject has the right to obtain from the controller the restriction of processing if:

  • the accuracy of the personal data is contested by the data subject. In such case the controller shall be given time to verify the accuracy of the personal data;
  • the processing is unlawful and the data subject opposes the erasure of the personal data and requests the restriction of their use instead;
  • the controller no longer needs the personal data for the purposes of the processing, but they are required by the data subject for the establishment, exercise or defense of legal claims;
  • the data subject has objected to processing pending the verification whether the legitimate grounds of the controller override those of the data subject.

Where processing has been restricted, such personal data shall, with the exception of storage, only be processed with the data subject’s consent or for the establishment, exercise or defense of legal claims or for the protection of the rights of another person or for reasons of important public interest of a Member State.

A data subject who has obtained restriction of processing shall be informed by the controller before the restriction of processing is lifted.


Right of data portability: The data subject has the right to receive the personal data concerning him or her, which he or she has provided to a controller, in a structured, commonly used and machine-readable format, and has the right to transmit those data to another controller without hindrance from the controller to which the personal data have been provided.

In exercising his or her right to data portability, the data subject shall have the right to have the personal data transmitted directly from one controller to another, where technically feasible.

The exercise of the right shall be without prejudice to the Right to Erasure. That right shall not apply to processing necessary for the performance of a task carried out in the public interest or in the exercise of official authority vested in the controller. Moreover, exercise of this right shall not adversely affect the rights and freedoms of others.

Our Solutions

On the basis of the actual data processing activities undertaken, we can assist you in redrafting or developing a personalised privacy policy, tailored to your activities and needs.

Moreover, we can provide a high-level or detailed assessment of the different actions to be undertaken in order to ensure that your data processing activities are in line with the GDPR, well documented, and embedded into binding (data processing) agreements with third parties.

Finally, you can record your data processing activities in our online data processing register, which will keep you informed of updates to terms and conditions and the privacy policies of the tools you are using (cloud storage, applications, etc.).

Steven Motmans