Guide To Managing Individual Rights


SOLUTIONS BRIEF

Privacy Compliance

Guide to Managing Individual Rights


Best Practices and Tips on Meeting GDPR, CCPA and
other Regulatory Requirements for Individual Rights
and Data Subject Access Rights Requests

*Please note that this Solutions Brief is intended as a general overview of the subject and cannot be regarded as legal advice.

Perhaps the most customer-facing and public compliance requirements of the GDPR and CCPA are those around
the Rights of the Data Subject, often referred to as Individual Rights. Meeting these requirements is important
because non-compliance may result in unhappy customers and fines. While companies aren’t sure how many
requests, or which types of requests, they will receive, they need to be ready.

US +1 888 878 7830 | UK +44 203 078 6495 | FR +33 420 102 065 | DE +49 221 569 4412 | www.trustarc.com | © 2018 TrustArc 1

GDPR Chapter III, titled “Rights of the Data Subject”, Articles 12 - 23 outlines the following requirements:

Article 12* Transparent information, communication and modalities for the exercise of the rights of the data subject

Article 13* Information to be provided where personal data are collected from the data subject

Article 14* Information to be provided where personal data have not been obtained from the data subject

Article 15 Right of access by the data subject

Article 16 Right to rectification

Article 17 Right to erasure (‘right to be forgotten’)

Article 18 Right to restriction of processing

Article 19 Notification obligation regarding rectification or erasure of personal data or restriction of processing

Article 20 Right to data portability

Article 21 Right to object

Article 22 Automated individual decision-making, including profiling

Article 23 Restrictions

*The TrustArc Framework includes these three articles under Transparency because the notice requirements cover more than Individual Rights

While Chapter III of the GDPR has multiple requirements, many companies will already have controls in place
which address some of these articles. However, the GDPR expands upon some of the existing individual rights,
creating what may seem like “new” requirements. Three Articles that will seem like new requirements for many
companies are:

• the right to erasure (‘right to be forgotten’), Article 17
• the right to restriction of processing, Article 18
• the right to data portability, Article 20

With regard to the CCPA, enhanced individual rights (such as access and deletion), additional transparency
requirements, and required security measures are all causing companies to re-evaluate their security and data
management programs from the bottom up.

These rights may require companies to develop new processes and implement technology-based solutions to
receive, escalate, and accommodate requests.

This Solutions Brief will focus on the requirements of GDPR Articles 17, 18, and 20 and similar CCPA requirements.
Each requirement will be summarized, including when it applies and any exceptions. The Solutions Brief also
includes an example along with tips for developing the required processes and potential solutions to deploy, and
how to comply using best practices. A comparison of some key GDPR and CCPA requirements is outlined in the
following table.


Privacy Requirement: Individual Rights: Data Portability and Data Access

CCPA Requirements: The CCPA provides consumers the rights of access and data portability. Consumers have the
right to obtain from a business their personal information, including the categories and specific pieces of
information collected; the categories of third parties with whom the information is shared; and the categories of
sources from which the information was. Consumers also have the right to obtain their personal information in a
format that allows the consumer to transmit it to another organization. Businesses need to respond within 45 days.

GDPR Requirements: The GDPR provides individuals the rights of access and data portability. Individuals have the
right to receive confirmation from a controller about whether personal data about them is being processed; and, if
so, additional information, including the categories of personal information concerned; the recipients or categories
of recipients with whom the information has been or will be shared; and the purposes of processing. Organizations
need to respond within one month of receipt of the request.

Best Practice: The GDPR and CCPA both have the individual rights of access and data portability. Ensure that these
types of requests are managed and your processes documented. Review your current process and mechanisms
that are in place to respond to access requests. Assess their efficacy. Address compliance gaps and use
technology solutions to automate manual processes to scale and simplify.

Privacy Requirement: Individual Rights: Deletion

CCPA Requirements: The CCPA provides consumers the right of deletion. Consumers may request that businesses
delete their personal information.

GDPR Requirements: The GDPR provides individuals the right of deletion, or “the right to erasure.” Organizations
need to process deletion requests within one month of receipt of the request.

Best Practice: The GDPR and the CCPA both have deletion obligations. Review the types of data your company
retains, and the legal bases for processing it. Ensure effective processes and mechanisms are in place to respond
to deletion requests. Address compliance gaps and use technology solutions to automate manual processes to
scale and simplify.


GDPR Individual Rights Requirements


Article 17 - Right to Erasure (‘right to be forgotten’)

Article 17 states “The data subject shall have the right to obtain from the controller without undue delay the
rectification of inaccurate personal data concerning him or her…”

The GDPR includes what has become known as the “right to be forgotten” and is reflected as such in the title of
Article 17. The idea of completely erasing records seems simple in concept, but it is difficult in actual practice.
Aside from the societal concerns about this right, both for and against, the idea of deleting data seems
counterintuitive in the commercial realm.
On the individual side, the opportunity to erase your data from a particular company is relatively attractive,
especially with social media and marketing. On the corporate side, data is a commodity and in regions where
permitted, the data has been relied upon in either the business model directly or in supporting processes.

The request for erasure should be completed without undue delay.

Commonly, controllers and processors share data. The coordination of erasure may get convoluted, especially
when one considers sub-processors and historical data backups. Unless the request is deemed impossible or
requires disproportionate effort, the controller must notify all processors with whom the data has been shared. A
common concern, and one that is likely to arise more and more, is how to validate that all data has been erased
when it has been backed up for years, perhaps even on systems for which the company no longer has the
technology to read the data. Controllers and processors should keep this situation in mind when creating backup
strategies.

When it comes to situations where the data has been independently replicated because the controller has made
the data public, the controller is required to make reasonable efforts to notify other controllers of the request.

When Article 17 is Applicable

The right to erasure applies in these situations (Article 17(1)) where:

(a) the personal data are no longer necessary in relation to the purposes for which they were collected
or otherwise processed;
(b) the data subject withdraws consent on which the processing is based according to point (a) of
Article 6(1), or point (a) of Article 9(2), and where there is no other legal ground for the processing;
(c) the data subject objects to the processing pursuant to Article 21(1) and there are no overriding
legitimate grounds for the processing, or the data subject objects to the processing pursuant to
Article 21(2);
(d) the personal data have been unlawfully processed;
(e) the personal data have to be erased for compliance with a legal obligation in Union or Member State
law to which the controller is subject;
(f) the personal data have been collected in relation to the offer of information society services referred
to in Article 8(1)


Article 17 Examples

Practical Example

Possibly the most common example of when someone would want data erased is in social media.
Frequently, people post information they later wish could be removed - and removing it themselves
is not true erasure. But there are also other reasons - applicants for jobs who were not accepted, GPS
tracking, letters of complaint sent to companies - but in general, the concepts in the news and the
courts mainly relate to online searches and individuals wanting negative information to be removed.
One can see where this would be incredibly impactful in traumatic situations, such as cases of non-consensual
pornography, cyberbullying, and online shaming. But the right applies in any of the situations listed above, not
just where there is a possibility of harm to the individual.

Article 17 Exceptions

This right to erasure, despite the popular misconception, is not absolute (Article 17(3)). The controller may refuse
to honor the request if continued processing is necessary:

(a) for exercising the right of freedom of expression and information;
(b) for compliance with a legal obligation which requires processing by Union or Member State law to
which the controller is subject or for the performance of a task carried out in the public interest or in
the exercise of official authority vested in the controller;
(c) for reasons of public interest in the area of public health in accordance with points (h) and (i) of
Article 9(2) as well as Article 9(3);
(d) for archiving purposes in the public interest, scientific or historical research purposes or statistical
purposes in accordance with Article 89(1) in so far as the right referred to in paragraph 1 is likely to
render impossible or seriously impair the achievement of the objectives of that processing; or
(e) for the establishment, exercise or defense of legal claims.

* Note: there may be other exemptions under member state law.

Thus, when a request for erasure is received, the company should review all instances of the data to which
the requests apply and determine the reasons why the company has retained the data. In particular, one
should note that a controller may be unaware of a reason to retain the data held by a processor, so there
needs to be a thorough conversation with processors before the determination to grant the request is
communicated back to the individual.

In particular, Recital 65 cautions us to be particularly vigilant when it comes to situations where a child
consented to processing (or did not consent but the data was collected), because a child would not
understand the risks involved. The individual can request the erasure at any time afterwards. The request
should be made within a certain number of years after reaching adulthood.


Article 18 - Right to Restriction of Processing

Article 18 states: “The data subject shall have the right to obtain from the controller restriction of processing….”

This right provides that individuals may request that their data not be processed. Asserting this right can help
those who would like their data erased, but the data cannot be erased. This right prevents the personal data from
being used for most processing, other than simply storing the data (exceptions provided below). When the
individual is seeking other rights and either the controller needs time to determine if the request can be granted
or the individual challenges the controller's denial of the request, this right becomes useful. Once the processing
has ceased, the controller must notify the individual before processing resumes, for whatever reason.

When Article 18 is Applicable

Data subjects may request and obtain cessation of processing (Article 18(1)) when:

(a) the accuracy of the personal data is contested by the data subject, for a period enabling the
controller to verify the accuracy of the personal data;
(b) the processing is unlawful and the data subject opposes the erasure of the personal data and
requests the restriction of their use instead;
(c) the controller no longer needs the personal data for the purposes of the processing, but they are
required by the data subject for the establishment, exercise or defence of legal claims;
(d) the data subject has objected to processing pursuant to Article 21(1) pending the verification
whether the legitimate grounds of the controller override those of the data subject.

Article 21 provides the legal bases of processing data, specifically legitimate interest and performance of a task
in the public interest or authority vested in the controller. Thus, if a controller establishes any of these reasons
for its processing of data, the individual has the right to object. A controller should be prepared to defend and
substantiate these bases, especially legitimate interest. Relying on legitimate interest requires a balancing of
interest against the “interests or fundamental rights and freedoms of the data subject which require protection of
personal data, in particular where the data subject is a child” (Article 6(f)).


Article 18 Example

Practical Example

Given the high standards for relying on individuals’ consent, including the responsibilities and
consequences of individuals withdrawing consent, many controllers are now relying on legitimate
interest as their basis for processing personal data. This is a solid reason, but must have a
documented balancing test. An individual has a right to object to that processing.

A common example relates to email marketing. A third party (Party A) who may collect email
addresses for their own product offering, service, or activity may also sell those email addresses
to Party B without gaining consent from the individuals to do so. If that controller (Party A) has
determined that it is in their legitimate interests to sell those email addresses and have balanced
that against the risks to the individuals, consent is not needed. That legitimate interest only covers
the seller (Party A), not the purchaser (Party B) who may use it for email marketing. Certainly, the
entity who markets (Party B) must follow certain rules (Article 21), but the entity selling the list is
not engaged in email marketing. An individual may object to selling his data, even if the seller does
not know what the purchaser may do with it. Recital 47 states that the “processing of personal data
for direct marketing purposes may be regarded as carried out for a legitimate interest.” There are
further details in Article 21 on the right to object, especially addressing email marketing - but the
right to restrict processing applies even further up the chain.

Article 18 Exceptions:

The exceptions under this right are limited to the establishment, exercise, or defence of legal claims, to protect the
rights of another natural or legal person, or for important public interests. Storage does not count as an exception,
because 1) storage is the only processing that can be done if all others stop and 2) if storage was not allowed, it
would be data erasure.


Article 20 - Right to Data Portability

This right supports the free flow of information, user control and empowerment, and fosters competition and the
development of new services.1

In its simplest terms, this article requires controllers to provide an individual with their data in a way that the
individual can use it or send it to another controller without issues. All too often, a controller will provide
an individual access to their data, but send it to them in a manner that is not readable, such as in code or a
proprietary format. Also, companies tend to export data to competitors in a way that is not transferable. This
Article establishes controls on this process. Controllers now have to provide the data in a structured, commonly
used, and machine readable format and not hinder the transition to a new controller.

When Article 20 is Applicable

This right applies when the processing is based on consent, is done under contract in which the individual is a
party (or is part of the steps taken to enter into a contract), or the processing is automated. Specifically, the WP29
“considers that the right to data portability covers data provided knowingly and actively by the individual as well
as the personal data generated by his or her activity. This new right cannot be undermined and limited to the
personal information directly communicated by the individual, for example, on an online form.”

Article 20 Example

Practical Example

While there are many examples of this situation, common ones include purchase history of digital
books, movies, research, and music. These are common hosting solutions which provide storage
of data, generally in a format that cannot be easily transitioned (or restricted from transitioning) to
another hosting provider. The GDPR says not any more.

Article 20 Exceptions

Exceptions under this right are limited to processes in the public interest, exercise of official authority vested in the
controller, and if it impacts the rights and freedoms of others.

1. See Article 29 Data Protection Working Party. (2017). WP 242 rev.01: Guidelines on the right to data portability. Retrieved from https://ec.europa.eu/
newsroom/document.cfm?doc_id=44099


How to Comply
Steps to comply

Ensure understanding of what data you process and where it resides.

Establish a process to intake requests (one that is easy on the individual) and ensure this process is well
communicated throughout the organization. A request may come in through many routes, and the person
receiving that request needs to understand that a request is being made. Individuals typically won’t
understand or use the exact verbiage in the law.

Validate the individual’s identity.

Once the request is received, have a process to review it, evaluate the data referenced, the reasons for
processing the data, and evaluate any exceptions.

Have a response process.

Have an appeals process that goes beyond the individual whose request was denied.

Retain documentation throughout the process.

Best Practice Tips

• Incorporate these rights into your privacy program and ensure there is an established process from
beginning to end.
• Take your data inventory and data processing records a step further to envision requests made for that data.
• Work with your vendors to ensure that these rights can be honored on their side and get documentation to
validate that ability.
• Be helpful. This is not an adversarial process. These are rights provided to individuals to protect their
freedoms and right to privacy.


Case Study
This fictitious case study was written to highlight the best practice tips in a real-life situation.

Tom is an individual in Europe who desires to straighten his teeth. He visits an orthodontist who takes impressions
of his teeth and facial photos. They decide to use clear aligners to straighten his teeth. A year later, he finished
his treatment and loved his new smile. He recalls those not-so-attractive photos that were sent with his dental
prescription for aligners and wants them to be erased. The aligner company is actually a medical device
manufacturing company who receives prescriptions. They have previously evaluated their data and relied upon a
medical information basis to retain data. Tom reaches out to them using a general contact form on their website.
When he did not hear back in two weeks, he emailed them again using other email addresses on their website,
one for investor relations and one for tech support. After another four days, he received a response from the
investor relations email which informed him his request would be routed to the right individual. After a week of no
further information, he wrote back. Eventually, a month after his first contact, he received an email stating that his
request was received, but that his information was submitted as part of a dental prescription and needed to be
retained. Tom talks to his orthodontist who questions whether the facial photos really need to be retained.

Again, it takes Tom a few weeks to get a response about how he can file an appeal. Tom looks up the GDPR and
sends the company an email explaining that he is now requesting processing of his information to stop until
the issue is reviewed to erase his information. He receives a response asking for his phone number so that a
member of the team can speak with him about his request. Tom provided it and had a conversation with the Data
Protection Officer. In the end (about 4 months later), Tom eventually received confirmation that his photos had
been permanently deleted.

What went wrong here? The company did not:

• Evaluate each piece of personal data for absolute necessity. The prescription and teeth impressions were
required as part of the dental prescription and subject to medical record retention requirements. The
photos were optional.
• Have a process to receive or evaluate requests.
• Have a plan for communication or respond in a timely fashion.

What went right? The company did:

• Have a DPO.
• Grant the request for no processing while they researched the issue (they weren’t doing anything active
with the records given the treatment had finished).
• Grant the request for erasure and confirmed the completion of the request.

If the Medical Device Manufacturer had an Individual Rights program in place, the process could have been
smoother. Efficiently managing numerous requests per month can be further enhanced through a technology
based solution designed to automate the process.


TrustArc Individual Rights Manager Solution


TrustArc Individual Rights Manager is part of the TrustArc Privacy Platform, which also provides solutions to
help companies achieve and manage ongoing GDPR and CCPA compliance including: Data Mapping, DPIA
Management, Cookie Consent, Tracker Scanning and AdChoices Preferences.

Individual Rights Manager can help your company with GDPR and CCPA compliance with regard to data subject
access rights. This comprehensive 3-in-1 solution combines proven technology with specialized assessments
developed by our privacy experts, and access to consulting services to help develop processes.

• Proven Technology - Easy to implement, customizable solution enabling users to submit individual rights
requests and companies to efficiently manage review and follow-up.

• Specialized Content - Comprehensive set of regulatory assessment questionnaires to help companies
understand which individual rights apply to their processing, along with recommended remediations and a
case management workflow.

• Expert Consulting - Access to expert consultants to help develop a streamlined and sustainable process for
responding to individuals’ access requests.


Conclusion
Both the GDPR and CCPA require companies to think differently about their customers and how personal data is
used. Transparency and communication about where a customer's data goes or what it's used for is necessary
to doing business in the digital age. The new regulations signal a shift in expectations between customers
and companies, and so companies will have to work harder to gain and keep customer trust. Companies who
provide customers more control and choice over their data can build customer relationships by using that as a
competitive edge.

About TrustArc
TrustArc, the leader in privacy compliance and data protection for over two decades, offers an unmatched
combination of innovative technology, expert consulting and TRUSTe certification solutions, that together
address all phases of privacy program management. The TrustArc Platform, fortified over eight years of operating
experience, across a wide range of industries and client use cases, along with our extensive services, leverage
deep privacy expertise and proven methodologies, which have been continuously enhanced through thousands
of customer engagements. Headquartered in San Francisco, and backed by a global team across the Americas,
Europe, and Asia, TrustArc helps customers worldwide demonstrate compliance, minimize risk and build trust.

For more information, visit the TrustArc website, blog and LinkedIn.
