GDPR - Part 3: What rights and how to respect them?
GDPR: What are your users’ rights?
The right to information
We cannot repeat it enough: first of all, to respect the spirit of the GDPR, transparency is the key! The right to information for your users is a fundamental principle of the General Data Protection Regulation.
Your users have the right to know:
- What personal data is collected about them, and how;
- Whether the collection of this data is mandatory or optional;
- For what purpose the data is collected and used (the purpose(s));
- Who manages the collection, storage & use of this data (the controller);
- How long their data can be stored and used;
- If their data is transferred / processed or stored abroad (outside the EU).
In short: you need to be clear and transparent about the Why & How of each data collection.
A good practice to apply to make sure everyone understands? Inform your users in a clear and concise way. Explain to them as simply as possible the purpose and modalities of each data collection!
And of course, don't forget to remind them of the various rights they can assert over their data at any time!
Right of access, portability, rectification, opposition, deletion, complaint … We will decipher them together to help you see more clearly 😉
Access & management rights to their data
The data of your users concerns them directly. It is therefore logical and essential to allow them to consult and retrieve it if they wish! This is the very principle of access and portability rights.
Right of access and portability: what is the difference?
✓ Right of access: each user has the right to ask you for access to the personal data collected about him/her. You must then provide him/her with a copy of this data within a short period of time, while respecting his/her right to information (specify in your e-mail the origin of the data, the purposes of the processing, the period of retention, etc.).
✓ Right to portability: with this right, your users can retrieve and manage all or part of their data, either for personal use or for transfer to third-party providers. To respect this right, you must transfer your users’ data in a structured, commonly used and readable digital format (e.g. Excel spreadsheet).
Beyond the right of access and portability, your users have all the rights to manage the data you collect about them.
After all, the main objective of the GDPR is to let them keep control of their data!
This means reminding them of, and respecting, their:
✓ Right of rectification: to correct inaccurate data (example: age, incorrectly entered last name…) or to complete incomplete data (incomplete postal address…), in connection with the purpose for which each piece of data is processed.
✓ Right to limit processing: to temporarily freeze the use of certain data. The data is then kept but can no longer be used for the time needed to handle a request for rectification or opposition, for example.
✓ Right to object: to object at any time to the use of personal data collected.
There are two cases to be aware of for the right to object:
- Commercial prospecting: for data collected for commercial prospecting, this right applies automatically and unconditionally: no particular justification is required. You must immediately stop using the data mentioned by the requesting user.
- Outside commercial prospecting: you keep a possible right to refuse this request, which will however have to be justified to your user. You can invoke legitimate or compelling reasons, the consent of your user as a legal basis for the use of his data, or a contract binding you to the user in this specific context. The user may then withdraw his consent or breach your contract to re-examine his right to object.
The right to erase personal data
And after opposition… it’s the right to deletion!
You should know that your users have every right to ask you to delete the personal data you have collected about them!
Your user should specify in as much detail as possible which personal data should be deleted.
For the CNIL: “The exercise of this right does not entail the simple and definitive deletion of all data concerning [him/her].”
Like the right to object, this request does not need any particular justification to be valid if the data has been collected for commercial prospecting purposes.
Outside commercial prospecting, a person can exercise his/her right and request the deletion of his/her data when:
- He/she considers that the data is no longer necessary to pursue your purposes (the reason for collecting the data has been fulfilled or is no longer valid, or the “time limit for use” of the data has expired),
- He/she withdraws his/her consent for the use of his/her data,
- The data is processed unlawfully or must be deleted to comply with a new legal obligation.
If there is no legitimate or really critical reason to question this request, you just have to respect your user’s wish!
GDPR rights outside the European Union (EU): what you need to know
These rights apply to all organizations based in the EU.
But what about data processing outside of Europe?
As a reminder: The GDPR applies to all organizations processing personal data in the European Union (EU), but also to organizations offering goods/services to people residing in the European Union!
The GDPR therefore applies in 2 cases:
- If your organization is based in a country belonging to the European Union.
- If your organization directly targets users in the European Union.
Technically, Google, Facebook and the other GAFA companies are therefore obliged to respect the GDPR, just like you!
Whether you are a company based outside the EU targeting European users or conversely, a European organization targeting users outside Europe, these rights must be taken into account in your activities.
And outside the jurisdiction of the European Union?
Users outside the EU see their data protected differently.
For example, in the United States, in some cases, you cannot store European personal data.
For the CNIL, “The United States has national data privacy legislation and a data protection authority recognized by the Global Privacy Assembly.”
In the case of data transfer outside the EU:
You can transfer your users’ data outside the European Union provided you ensure a sufficient and appropriate level of data protection, via regulated tools (contractual clauses, code of conduct, certification or administrative arrangement).
In short: European personal data transferred to the U.S. or outside the European Union must be carefully managed with appropriate transfer tools and procedures.
But don’t panic! You can also continue to use the data you have collected while respecting the GDPR and the privacy of your users.
How to exploit data while respecting the privacy of your users?
Pseudonymization and anonymization of personal data
You are probably wondering if there is an alternative to deleting or stopping data collection? The answer is yes, and that is pseudonymization and anonymization!
The difference? One protects the data more than the other!
Protection level 1: Pseudonymization – Pseudonymizing your users’ data consists of replacing directly identifying data (name, first name, etc.) with indirect identifiers (serial number, nickname, etc.). With the right reading code, it is however possible to find the identity of the person studied. This is the first level of protection!
Protection level 2: Anonymization – Anonymizing the data consists in “making impossible, in practice, any identification of the person by any means and in an irreversible way”. This is the highest level of protection and security! Properly done, it can allow you to continue processing collected personal data, without threatening the privacy of the persons concerned!
By preventing the data from being traced back to the target user, this process makes it possible to keep statistical data without jeopardizing the privacy of your users, and even beyond their retention period!
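The two levels described above, side by side, as an added example that is not part of the original article. The records, the key and the function names are constructed for illustration; the anonymization shown is one simple approach (aggregation with small-group suppression), chosen here as an assumption.

```python
import hashlib
import hmac
from collections import Counter

# Constructed sample records (not real people).
USERS = [
    {"name": "Alice Martin", "email": "alice@example.com", "age": 34, "city": "Lyon"},
    {"name": "Bob Durand", "email": "bob@example.com", "age": 37, "city": "Lyon"},
    {"name": "Chloe Petit", "email": "chloe@example.com", "age": 52, "city": "Paris"},
]
DIRECT_IDENTIFIERS = ("name", "email")
# Assumption: in a real system this key lives apart from the pseudonymized data.
SECRET_KEY = b"constructed-demo-key"


def pseudonymize(records, key):
    """Level 1: swap direct identifiers for a keyed token.

    Returns the pseudonymized records and a lookup table. Whoever holds
    the lookup table (the "reading code") can still find the person.
    """
    out, lookup = [], {}
    for rec in records:
        digest = hmac.new(key, rec["email"].lower().encode(), hashlib.sha256)
        token = digest.hexdigest()[:16]
        lookup[token] = {field: rec[field] for field in DIRECT_IDENTIFIERS}
        kept = {k: v for k, v in rec.items() if k not in DIRECT_IDENTIFIERS}
        out.append({"user_id": token, **kept})
    return out, lookup


def reidentify(token, lookup):
    """Reverse a pseudonym; returns None when the token is unknown."""
    return lookup.get(token)


def age_band(age):
    """Generalize an exact age into a ten-year band, e.g. 34 -> '30-39'."""
    low = age // 10 * 10
    return f"{low}-{low + 9}"


def anonymize(records, min_group=2):
    """Level 2: keep only counts per (city, age band), with no per-person rows.

    Groups smaller than min_group are dropped so that a single person
    cannot be singled out from the statistics.
    """
    groups = Counter((r["city"], age_band(r["age"])) for r in records)
    return {group: n for group, n in groups.items() if n >= min_group}
```

The pseudonymized rows remain personal data because `reidentify` works for anyone who has the lookup table; the output of `anonymize` contains only group counts and has no path back to an individual row.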
Convenient, right? And you know what’s even more convenient?
Being supported by a web agency that advises you on the best practices to follow, so that you respect the GDPR… as well as the comfort and needs of your key users!
Reminder – the 4 pillars of the GDPR:
1 – Purpose & Data Minimization – Collect only the data that is really necessary: what are your objectives? What data is really relevant, essential to fulfill them?
2 – Transparency – Informing users about the collection and use of their data: what data is collected? For what purpose? Who manages the collection and processing of this data?
3 – Rights – Knowing & respecting people’s rights on their data
4 – Confidentiality & Security – Implement controlled access to collected data and security measures adapted to the sensitivity of the data processed