Data protection laws are essential for safeguarding individuals’ privacy rights in the digital age. The General Data Protection Regulation (“GDPR”) is one such regulation that became effective in May 2018. It outlines data subject rights, among other provisions, which companies and organizations must follow to protect data subjects’ privacy.
Under the GDPR, data subjects have several rights that they can exercise concerning their personal data. These include the rights to access, rectification, erasure, restriction of processing, and data portability, and the right to object to processing. These rights aim to give individuals more control over their personal data and how it is collected, processed, and used. The rights of data subjects are explained in Articles 12-22 of the GDPR.
- Right to access (Article 15): The right to access allows data subjects to request access to their personal data. Under Article 15 of the GDPR, data subjects have the right to know what personal data is being processed, how it is being processed, and why it is being processed. They can request a copy of their personal data in an electronic format.
- Right to rectification (Article 16): The right to rectification allows data subjects to have their personal data corrected or updated. If a data subject’s personal data is inaccurate or incomplete, they can request that the data be rectified.
- Right to erasure (Article 17): The right to erasure, also known as the right to be forgotten, allows data subjects to request the deletion of their personal data. If the data is no longer necessary for the purpose for which it was collected, or if the data subject withdraws their consent for its processing, the data must be deleted.
- Right to restrict processing (Article 18): The right to restrict processing allows data subjects to limit the processing of their personal data. If a data subject contests the accuracy of their personal data, or if the processing of the data is unlawful, they can request that the data be restricted.
- Right to be informed (Article 19): The right to be informed requires data controllers to provide data subjects with clear and concise information about how their personal data is being processed. Data controllers must inform data subjects of their rights under the GDPR.
- Right to data portability (Article 20): The right to data portability allows data subjects to obtain and reuse their personal data for their own purposes. They can request that their personal data be transferred from one data controller to another.
- Right to object (Article 21): The right to object allows data subjects to object to the processing of their personal data. They can object to processing for direct marketing purposes, scientific or historical research purposes, or for the performance of a task in the public interest.
💡 Intenseye can provide or delete all its customers’ data on demand. The data is kept in relational databases, where it is identifiable per customer by design.
When dealing with security cameras and video surveillance systems, both the data subject and the data controller should pay attention to the points below when a data subject wants to exercise their rights:
- Video surveillance is one area where data subject rights under the GDPR are particularly relevant. When a data controller installs video surveillance systems, they are collecting and processing personal data of the individuals who are being recorded. Therefore, data controllers must adhere to the GDPR regulations when it comes to video surveillance.
- If a data subject wants to exercise their data subject rights in relation to video surveillance, they must provide specific information to the data controller. This includes the date and time they were in the area being recorded.
- When responding to data subject requests for access to their personal data, data controllers must provide the information within one month and at no charge. However, if the request is excessive, data controllers may refuse the request or apply charges to the data subject.
- Data controllers must also ensure that any video footage provided to data subjects does not contain any other individuals’ personal data, such as their faces or license plates. If there are other individuals in the video footage, data controllers must use irreversible deep learning algorithms to anonymize their faces.
- If data controllers cannot identify the data subject from the video footage, they are not obligated to share the data.
The GDPR outlines specific data subject rights that are relevant to video surveillance. When dealing with video surveillance, data controllers must ensure that they comply with GDPR regulations to protect the privacy and personal data of individuals. Data subject rights such as the right to access, right to erasure, and right to restrict processing are particularly relevant in video surveillance scenarios. Data controllers must be aware of these rights and ensure they respond to any data subject requests.
As we wrap up our comprehensive blog series on the GDPR and Video Surveillance, Intenseye CEO Sercan Esen will conclude the series in the final post and highlight our company’s unwavering commitment to data privacy.