GDPR #5: Data Subject Rights

March 15, 2018


“Data Subject Rights” is the fifth in a series of topics in which we will discuss the potential impact of the GDPR on
your EU or global background screening processes. In this series, look for the icon, which will highlight specific
information regarding potential impact to First Advantage screening processes.

Recall that under the GDPR (as is the case today under existing law), Data Subjects are your prospective and/or
current employees, as the case may be. Existing data protection laws and the GDPR give Data Subjects specific
rights with respect to their personal information. Your organization, as a Data Controller, and First Advantage as a
Data Processor, may be required to take some kind of action when a Data Subject invokes these rights.

(1) Right of Access – Under current law, Controllers have been required to provide Data Subjects with access to
their personal information upon request by a Data Subject and this will continue to be true under GDPR.

So what is changing?

  • The most notable change under GDPR is that in addition to access to the information itself, there are expanded
    mandatory categories of information that must be provided in the response by the Data Controller such as:

    • the period of retention,
    • the existence of their rights as a Data Subject, and
    • the existence of their right to complain to data protection authorities, among others.
  • The GDPR requires that Subject Access Requests (“SARs”) be responded to by Data Controllers within one
    month (Article 12). Under current law, there is no specified time period but many EU Member States have
    set various time periods for response under their specific national data protection laws (e.g. 40 days under
    the current UK Data Protection Act). The GDPR will apply to all Member States and therefore there will no
    longer be any national variation and one month will be the national rule.
  • If requests are complex or voluminous there may be the possibility for extension of time. Also, there are
    situations where you may have the ability to ‘stop’ and ‘start’ the clock on such response time period depending
    on certain factors such as needing more information from the candidate in order to fulfill the request.
  • Controllers will also no longer be able to charge a fee to comply with a SAR under the GDPR, unless the
    request is ‘manifestly unfounded or excessive.’

 First Advantage has standard operating procedures in place to ensure that all requests received from
candidates for access to their personal information are referred to the appropriate customer as the Data
Controller, and handled promptly in accordance with the specific instructions received from you.

(2) Right to Erasure (the ‘Right to be Forgotten’) – A Data Subject’s right to request the erasure of their personal
information is not a new right created by GDPR. Under current law, Data Subjects have the right to request
that their personal information be erased or “blocked” where the Controller fails to comply with the law
(especially where the data are inaccurate or incomplete). The range of circumstances under which it can
be requested under GDPR is much broader. The newly coined ‘Right to be Forgotten’ means in practice that
Data Subjects are entitled to require a Controller to delete their personal information if:

  • the data are no longer needed for the original purpose (and no new lawful purpose exists);
  • where the lawful basis for the processing is the Data Subject’s consent, the Data Subject withdraws that
    consent, and no other lawful ground exists;
  • the Data Subject exercises the right to object, and the Data Controller has no overriding grounds for
    continuing the processing;
  • the data have been unlawfully processed; or
  • erasure is necessary for compliance with EU law or the national law of the relevant Member State.

 In the event a candidate invokes their “Right to be Forgotten”, you (as Data Controller), if such request is
appropriate, can direct First Advantage to delete information pertaining to the processing of the candidate’s
background screening report.

(3) Transparent Communication – This right has been discussed in detail in our prior articles and essentially
means that the candidate is entitled to transparent communication regarding how you intend to process
their personal information.

(4) Right to Rectification – Data Subjects are entitled to require that Controllers rectify any errors in their personal
information without undue delay and upon request. The GDPR does not change this right significantly.

 Where a candidate’s request relates to background screening results obtained through First Advantage,
we can support you by reinvestigating to ensure that inaccurate or incomplete data are rectified where

(5) Right to Restrict Processing – In some circumstances, Data Subjects may be entitled to limit the purposes
for which the Data Controller can process their data, rather than erase personal information.

(6) Right of Data Portability – Data Subjects have the right to transfer personal information that they have
provided to one Data Controller to another Data Controller. Controllers are required to provide Data Subjects
with their personal data in a structured, commonly used, machine-readable format where processing is
carried out by automated means, upon request.

 Because automated processing is unlikely to be the method you use to select your prospective employees,
this right is likely not relevant to personal information collected during the background screening process.

(7) Right to Object to Processing – Where a Data Subject objects to the processing of their personal
information (especially in the context of direct marketing), the Data Controller must stop processing that
data unless they can demonstrate compelling legitimate grounds to continue (e.g. pursuant to a
legal obligation).

(8) Right to Not be Evaluated on the Basis of Automated Processing – Data Subjects have the right not to be
evaluated in any circumstance with legal or similarly significant effects solely on the basis of automated
processing of their personal information. This is unlikely to be relevant in the context of background screening.
