Share

Rights and obligations under EU's data protection rules

The EU's stringent data protection rules have bolstered the rights of European citizens and imposed new responsibilities on companies since coming into force a year ago.

Here is an explainer on the rights and obligations entailed under the General Data Protection Regulation (GDPR), which launched on May 25, 2018.

Power to the people

These are the main rights guaranteed to European internet users under the GDPR.

1. The right to be informed. Internet users who hand over personal data have the right to know how it will be used, how long it will be kept and whether it might be used outside the European Union.

2. The right to access, correct and erase data. Users are able to transfer their data to another service provider or receive it themselves in a usable format.

3. The right to be forgotten. Users can ask that they no longer appear in searches, although this right is also balanced against the public's right to know.

4. The right to challenge algorithms. If algorithms play an important role in decisions, such as admission to universities, those affected have the right to challenge the decision and request human intervention.

5. The right to contest violations of rights. Each country's information rights agency accepts complaints. If the complaint concerns a company in another EU state, it is to be transferred to the regulator in that country. Final decisions taken by all the national agencies together are binding across the EU.

Rules for companies

For companies, the regulations are not one-size-fits-all. Their obligations depend on what kind of data they collect, what they do with it and their size. It doesn't matter if they are European firms or not - if they collect data from Europeans then the GDPR applies to them.

For most small and medium-sized businesses the regulations simply protect the information they have on their clients and suppliers using the "rules of common sense", in the words of France's data protection agency CNIL.

One of the GDPR's main objectives is to reduce the amount of data being collected and processed from the start.

This means that firms should evaluate what data they really need, and then how to protect it. The information should then be updated regularly.

Clients and subcontractors should also be informed about what data is being collected and what for, as well as how they can exercise their rights.

Companies also need to set out policies on who has access to data and how, designate who is responsible for data protection and put into place all necessary measures to safeguard the data, particularly sensitive information.

Firms also have the right to appeal to their national data regulator.

We live in a world where facts and fiction get blurred
Who we choose to trust can have a profound impact on our lives. Join thousands of devoted South Africans who look to News24 to bring them news they can trust every day. As we celebrate 25 years, become a News24 subscriber as we strive to keep you informed, inspired and empowered.
Join News24 today
heading
description
username
Show Comments ()
Rand - Dollar
18.93
+0.0%
Rand - Pound
23.90
+0.0%
Rand - Euro
20.41
+0.1%
Rand - Aus dollar
12.32
+0.1%
Rand - Yen
0.13
+0.0%
Platinum
908.05
+1.2%
Palladium
1,014.94
0.0%
Gold
2,232.75
-0.0%
Silver
24.95
-0.1%
Brent Crude
87.00
+1.8%
Top 40
68,346
0.0%
All Share
74,536
0.0%
Resource 10
57,251
0.0%
Industrial 25
103,936
0.0%
Financial 15
16,502
0.0%
All JSE data delayed by at least 15 minutes Iress logo
Company Snapshot
Editorial feedback and complaints

Contact the public editor with feedback for our journalists, complaints, queries or suggestions about articles on News24.

LEARN MORE
Government tenders

Find public sector tender opportunities in South Africa here.

Government tenders
This portal provides access to information on all tenders made by all public sector organisations in all spheres of government.
Browse tenders