Our guide to raising a query about the usage of your personal data.
Your personal data
As defined by the GDPR in Article 4.1, your personal data includes:
“…any information relating to an identified or identifiable natural person (‘data subject’); an identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person…”
What that really means
That may seem like an onerous definition to wrap your head around, but in many respects, it’s easier to understand when we define it like this: any information that can be linked back to you, and somehow identify you, is personal data. That includes (but is not limited to): your biometric data, address information, work particulars, and even the IP address your computer is using right now to access this very website.
Let’s remember why the GDPR framework and accountability systems have been set up: to improve your privacy, protect your personal information, and ensure that you remain fully informed about your rights to your personal data, and the usage of it, no matter what.
The companies you love
Data protection laws and regulations across the globe are a primary concern for many data processing companies, and yes, that includes every business you’re in touch with too. Data processing and personal data utilisation are not, however, as grey an area as one might think.
Your right to know
Any company, service provider, or business that is required to be compliant with GDPR regulation can only be truly compliant if they’re able to handle – and fully respond to – your query around the use of your personal data. You may have simple or significant reasons for raising a query around the use of your personal data.
The GDPR way
Article 15 of the GDPR grants and protects your rights to your personal data. As a data subject (that’s you, under the GDPR), your rights are intrinsically linked to the regulations related to identifying your personal data, and the grounds identified for the processing of it. As a regulatory framework for managing the processing of personal data, the GDPR embeds these rights for you and apportions the responsibilities related to personal data processing to the companies and businesses you love, give your information to, and work with. Your rights as a data subject under GDPR regulations include:
- The right to be informed that your personal data is being gathered and used.
- The right to know what personal data is being collected and how it is collected.
- The right to withdraw your personal data from the systems and processes a company or business uses.
- The right to have your personal data deleted (and obtain proof that this has indeed been done).
- The right to prevent the processing of your personal data, if you are not satisfied with the reasoning for the collection and processing of your personal data.
- The right to have your personal data corrected, if it has been captured incorrectly.
- The right to object to the collection and processing of your personal data.
- The right to prevent automated systems from creating a profile around your personal data.
Flexing your personal data rights
As a framework that exists to preserve and ensure personal privacy, the GDPR similarly regulates and coordinates the way you can access information relating to the collection and usage of your personal data. Under GDPR regulations, a Data Protection Officer (DPO) must be appointed by an organisation, to manage and coordinate any queries relating to the way personal data is collected and used. Your first step to submitting a query is to find out who the company’s DPO is. Where an organisation is not compelled by the law to appoint a DPO, they should still provide a point of contact for data protection issues.
The company DPO
Once you’ve submitted a query to a company’s Data Protection Officer, they have up to 30 days to reply to you, outlining their reasons for collecting and using your personal data, or explaining why they won’t share this information with you. Oh, and before you worry about receiving an invoice for invoking this process, the GDPR has you covered: you can’t be charged for submitting this query, within reason. Should you ask for the same information repeatedly, or excessively, the organisation you’re questioning may be allowed to charge you a fee.
Answering the big questions
For more information on data protection laws, and assistance with understanding the GDPR in an easy way, visit our Insights or learn more about Serity. At ProPrivacy, we help the companies you love to stay on the right side of regulation.