The specific requirements under the GDPR are many and varied. Other requirements include, in brief:
- Article 15. Right of Access by the Data Subject. A data subject has the right to ask a data controller whether his or her personal data is being processed and, if so, can request access to both the personal data and information on processing, recipients, data transfers, and subsequent rights (such as the right to complain to a supervisory authority, or the right to request rectification, erasure, or a restriction on future processing). Data subjects have the right to know if and when their data is transferred to a third country or an international organisation, along with the safeguards in place to ensure ongoing protection of the data after transfer. A data controller must provide a copy of any personal data undergoing processing at no charge the first time it is requested, but has the right to charge "a reasonable fee based on administrative costs" for subsequent requests.
- Article 16. Right to Rectification. If a data controller holds inaccurate personal data about a data subject, the data subject has the right to supply the correct information to get their personal data updated. The data controller is required to rectify the inaccurate information "without undue delay."
- Article 17. Right to Erasure (Right to be Forgotten). Subject to certain conditions, a data subject has the right to request the erasure of his or her personal data held by a data controller. Conditions include the withdrawal of consent, previous unlawful processing, and other legal compliance erasure mandates. Data controllers, on the other hand, have the ability under the GDPR to decline an erasure request if it falls within one of the several exclusions in Article 17(3), such as compliance with a legal obligation, public interest for public health, and legal claims. Nonetheless, this requires that organizations have a very clear legal understanding of why they are processing data, the appropriate legal bases, and, when required, a technological ability to erase all affected data promptly.
- Article 18. Right to Restriction of Processing. As with the right to erasure, and subject to certain provisions, a data subject also has the right to have his or her personal data excluded from future processing activities, either temporarily or permanently. Conditions include contested data accuracy, unlawful processing, and the desire of the data subject to be excluded from processing activities while not having their personal data erased, for various legal and historical reasons.
- Article 19. Notification Obligation for Controllers. A data controller has the obligation to notify each recipient of any personal data newly impacted by the exercise of a data subject's rights in relation to rectification, erasure, or restriction. If the data subject requests details on recipients, the data controller is required to supply them.
- Article 21. Right to Object. A data subject has the right to object to the processing of his or her personal data at any time where the legal basis is "the performance of a task carried out in the public interest," "the exercise of official authority vested in the controller," or the "legitimate interests" of the controller or a third party (Article 6(e) and (f)). The data subject can also object to processing for the purposes of direct marketing and profiling for direct marketing activities.
- Article 22. Automated Individual Decision-Making, Including Profiling. Data subjects can object to automated processing and profiling based on their personal data, and at minimum have the right to "obtain human intervention on the part of the controller, to express his or her point of view and to contest the decision." This right is designed to stop data controllers from making legal and other significant decisions regarding a data subject purely on an automated basis.
- Article 28. Processor Requirements. If a data controller engages another organization for processing activities, the processor must have implemented "appropriate technical and organizational measures" to meet the requirements of the regulation and, in addition to other specific requirements, must assist the controller in responding to requests related to the rights of data subjects.
- Article 30. Records of Processing Activities. Data controllers must keep records of the processing activities for which they are responsible, with a list of specific information to be retained for each record.
- Article 32. Security of Processing. Data controllers are required to implement technical and organizational measures to ensure an appropriate level of security is in place for processing activities, such as pseudonymization, encryption, regular testing of organizational and technical measures, and more.
- Articles 44-50. Transfers of Personal Data to Third Countries or International Organizations. The GDPR outlines specific requirements governing when and where personal data can be transferred to third countries or international organizations. While Safe Harbor was determined to be invalid in late 2015, it was replaced by the EU-US Privacy Shield framework as of mid-2016. The goal of the framework is to permit US companies to transfer data on EU residents while still maintaining the protections afforded under the GDPR.
Most Organizations Are Not Prepared for the GDPR