New EU General Data Protection Regulation: Advice Note 4 (Data Subject Rights and New Processor/Controller Obligations)

Katherine Evans, Senior Partner, Mirkwood Evans Vincent

In this, our fourth blog about the GDPR, I am going to look at the rights of data subjects in relation to the processing, amendment and erasure of their data, and at some of the new obligations on processors and controllers. To continue the theme from the previous blogs, I am also going to compare the GDPR provisions with the corresponding provisions in the existing EU Directive 95/46/EC (the “Original EU Data Protection Directive”).

The Right to be Forgotten

Article 12 of the Original EU Data Protection Directive gave data subjects a right to access their data but the key remedy was identified as a right to have inaccurate data amended. The right to have data erased was mentioned but the grounds for erasure were not well described.

Article 17 of GDPR, on the other hand, gives a clear right for a data subject to be “forgotten” (ie to have their data permanently deleted).

Even where the data controller justifies the processing on grounds that it is necessary either (a) to protect the vital interests of the data subject, (b) for the public interest or pursuant to official authority, or (c) for the legitimate interests of the data controller, Article 19 of the GDPR now shifts the burden of proof to the data controller to demonstrate that these requirements outweigh the right of the data subject to be free from the processing.

Profiling and Automated Decision Making

Article 15 of the Original EU Data Protection Directive provided that important decisions about a person could not be made on the basis of automated processing alone. This concept is repeated in Article 20 of GDPR, but the language is now more detailed, alongside the GDPR’s broader focus on informed consent and on ensuring that appropriate non-automated safeguards are in place to ensure fair processing on an ongoing basis.

Privacy by Design

Article 23 of GDPR formally introduces the concept of “privacy by design”, which should already be familiar to app developers. The concept involves the consideration of factors such as what data is really required to provide particular services or functions, and who really needs to see that data and why. Where data processing is likely to be automated or intensive or intrusive, there are also now requirements at Article 33 of GDPR to carry out a formal data protection assessment.

Data Portability

The concept of data portability does not appear in the Original EU Data Protection Directive. However, in a world where a subject’s personal data is held in multiple databases, the argument runs that this data should be transferable from one service provider to another in a bid to increase consumer choice. In support of this line of reasoning, Article 18 of the GDPR introduces the concept of a data subject right to portability of their data at their request.

Records of Data Held and Processed

Article 28 of GDPR introduces an obligation on both controllers and processors to keep records of, for example, what data they hold, how it is collected, where it is collected from, how long it is retained, and who has access to it and why.

Breach Notification

Breach notification rules have been variously applied at a national level. Article 31 of GDPR now introduces a mandatory requirement on controllers and processors to notify data breaches to the supervisory authority in each affected country within 72 hours of the breach occurring, unless the controller/processor can demonstrate that the breach was unlikely to result in any risk to the data subjects. Additional notifications directly to affected individuals are required “without undue delay” under Article 32 of GDPR where there would be a high risk to the data subjects if those individuals were not separately notified.

Data Protection Officer: To Appoint or Not to Appoint

The appointment of a data protection officer as a mandatory or optional requirement has historically varied on a country by country basis. Article 35 of GDPR now provides that the appointment of a data protection officer is compulsory where the processing is carried out by a public authority, or where it involves either (a) large scale monitoring of data on a regular or systematic basis, or (b) large scale processing of one or more of the “special categories” of personal data referenced in Article 9 of GDPR (ie personal data revealing race or ethnic origin, political opinions, religion or beliefs or trade union membership; the processing of genetic data or data concerning health or sex life, criminal convictions or related security measures).

If your business needs more information about GDPR or if you need to update your policies or procedures in anticipation of GDPR, please contact or visit our website at