Who is a Data Subject
- An identified or identifiable natural person who is the subject of personal data.
- Any living person whose personal data is being collected, held or processed by an organization, e.g. employees and customers.
Data Subject rights are designed to give individuals more control over their personal data.
Below is a summary of the main data subjects’ rights:
a) Right to be informed – This is done at the point of data collection; individuals need to be informed of:
- How data will be used
- How long it will be kept
- Whether it will be shared with any third parties
- Any changes to original purpose
This information must be communicated concisely and in plain language.
b) Right to access personal data.
- Data subjects have the right to access their personal data. This allows them to be aware and verify the lawfulness of processing.
- Organizations are to respond within seven (7) days of receipt of the request
- Requests shall be free of charge
c) Right to correction of false or misleading data
Data subjects may request correction of any data being held by a data controller or processor that is:
- Inaccurate
- Untrue
- Outdated
- Incomplete
- Misleading
The request must be supported by relevant documents. An organization shall rectify within fourteen (14) days, and requests shall be free of charge.
Where a request is declined, the data processor or controller shall notify the data subject of the refusal and provide reasons for the decline.
d) Right to deletion of false or misleading data.
A data subject may submit a request for deletion of data that is:
- No longer authorized to be retained
- Irrelevant
- Excessive
- Obtained unlawfully
Where a controller has shared the data with third parties for processing purposes, the processor shall erase or destroy it as requested. Where data is required for evidence, the controller/processor can decline and instead restrict its processing and inform the data subject within a reasonable time.
e) Right to object to processing
A data subject may submit a request to the processor or controller not to process:
- All or part of their data
- Generally, or for a specified purpose
- Objection is absolute where processing is for direct marketing
The controller/processor shall communicate in writing to the person and provide reasons for objection.
f) Right to data portability
Data subjects have the right to obtain and reuse their personal data for their own purposes across different services. This allows them to move, copy, or transfer personal data easily from one IT environment to another in a safe and secure way.
The processor/controller should act within thirty (30) days of receipt of the request.
The right to data portability only applies:
- To personal data that an individual has personally provided
- Where processing is based on consent or performance of a contract
- Where processing is carried out by automated means.
g) Automated processing or decision making.
Individuals have the right not to be subject to a decision based solely on automated processing, including profiling, which produces legal effects concerning them or similarly significantly affects them.
h) Right to erasure.
This is also known as the right to be forgotten. A request for erasure may be made if:
- The data is no longer necessary for the purpose for which it was originally collected.
- Individual withdraws their consent
- Individual objects to the processing of their data
- The processing has been unlawful
- The processing of data is for direct marketing and the individual objects
- Required to comply with a legal obligation
The controller/processor shall respond within fourteen (14) days.
- Written by Doreen Khamala, Marketing and Communications Executive.