The European Union’s General Data Protection Regulation, or GDPR, strengthens and clarifies user rights, going further than the current data protection directive to give internet users in the EU protection when using apps and software. Controllers of personal data will have even stricter rules to comply with and will face penalties for noncompliance with the GDPR.
Here are four items your EU customer has a right to when using your app.
The Right to Restrict Processing
This right allows a user to have their data blocked from further processing. The data may still be stored in this case, as long as it is no longer being processed.
Here are some situations where this right can be invoked by a consumer: when the individual has contested the accuracy of the data; when the individual requests restriction due to unlawful processing; or when the data is no longer needed but the user does not want it removed because it must be kept intact due to ongoing legal situations.
The Right to Be Informed
The right to be informed requires transparency in how personal data is used. You must provide users with a privacy policy written in clear language that’s easy to understand.
These are some of the details that must be provided to users: controller’s identity and contact details; purpose and legal basis for processing of data; retention period of data; detailed information about the recipients of the data; information about filing a complaint; information on whether automatic profiling is taking place; and a summary of the significance of such profiling.
The Right to Be Forgotten
The right to be forgotten, also referred to as the right of erasure, allows users to request the removal of personal data and to prevent further processing of such data. It only applies in certain circumstances, however.
The main reasons users would be able to request removal of personal data include situations in which the data was unlawfully processed in the first place; when legal considerations come into play; when the data is no longer applicable to the reason it was initially collected; or when the individual withdraws consent.
Protections for children’s personal information are even more stringent. If personal data has been disclosed to third parties and the consumer has requested removal of data, app providers must make a reasonable effort to inform those parties.
The Right to Data Portability
The right to data portability lets users access their data and use it for their own purposes. Here’s an example of when a consumer may want to do this: A consumer may decide to use the personal data that has been collected by one service by giving it to another app that analyzes spending habits. The idea is that the consumer also has the right to benefit directly from his or her personal data.
The right to data portability applies to consumer data that has been provided to a controller, when the data processing occurs automatically, and when consent has been given by the individual.
These are some of the main points of the new GDPR standards, which greatly improve consumer protections already in place in the EU through the current data protection rules.