The previous blog took one through the basic terminology used in the context of data privacy and the reasons why we need data privacy in the first place. This blog goes further into the GDPR: what rights a data subject has over their ‘personal data’ and special categories of personal data, and what liabilities and consequences arise when those rights are violated.
Principles of collection of data
- Restriction on special categories of personal data: One of the first principles laid down by the GDPR for ensuring data privacy is a bar on the collection and processing of special categories of personal data. This means an organization is not allowed to collect an individual’s biometric information, genetic information, authorized government ID etc., subject to certain exceptions.
- Lawful collection: Data should be collected lawfully and stored only for as long as it is necessary.
- Consent and explicit consent: The data subject has to provide informed consent after being notified of the purposes, the means and the amount of data collected. Where ‘sensitive personal data’ needs to be collected, explicit consent is required from the user. ‘Explicit consent’ is a specific form of consent that has all the features of informed consent, explicitly informs the user of the various aspects attached to it, and requires an express assent (such as an OTP or a digital signature). Consent, once given, can also be withdrawn at any time.
- Processing of special categories of personal data: Special categories of personal data may be processed only in certain scenarios, such as where the data subject is incapable of giving consent but the processing is required for their benefit and safety, or where it is required for a judicial process.
- Implementing reasonable security practices: The data controller has to implement the necessary and reasonable data security measures to safeguard and protect personal data.
Rights of a data subject
- Right to notice: Before the personal data of a data subject is collected, or when the data subject accesses the platform for the first time, the subject needs to be informed of everything that is going to be done with their data, such as sharing it with advertisers, improving services etc. It is the right of a data subject to know all the aspects and all the information that the controller is required to disseminate as a notice. Details can be found here.
- Right to be forgotten: The data subject has a right to make the controller delete all the data collected and processed relating to them if they wish to withdraw their consent to the collection of data. There are also certain other scenarios in which this right can be exercised; they can be found here.
- Right to data portability: The data subject has a right to receive all the data the controller has collected and received about them in a properly structured and commonly used format. This right also covers the scenario where the controller has to transmit that data to another controller.
- Right to rectification: The data subject also has the right to have any inaccurate information collected by, or provided to, the data controller rectified.
- Right to a judicial remedy: Every data subject has the right to a judicial remedy, i.e. to file a complaint or initiate judicial proceedings where their rights enshrined in the GDPR have been violated or there has been a contravention of the regulation in any other way.
Consequences and liabilities of the controller
- Compensation and liability: Where a data subject has suffered material or non-material damage due to an infringement of the regulation, the controller or processor shall compensate them for the said damages.
- Penalties and administrative fines: While the circumstances in which penalties apply are decided on a case-by-case basis and are governed by the principles mentioned here, a controller may be subject to administrative fines of up to 10 million euros or 2% of their global annual turnover (whichever is greater).