GDPR Information Series #5: Data Subject Rights

“Data Subject Rights” is the fifth in a series of topics in which we will discuss the potential impact of the GDPR on your EU or global background screening processes. In this series, look for the icon which will highlight specific information regarding potential impact to First Advantage screening processes.

Recall that under the GDPR (as is the case today under existing law), Data Subjects are your prospective and/or current employees. The GDPR gives Data Subjects specific rights with respect to their personal information. Your organisation, as a Data Controller, and First Advantage as a Data Processor, may be required to take some kind of action when a Data Subject invokes these rights.

1. Right of Access

Data Controllers are required to provide Data Subjects with access to, and a copy of, their personal information upon request by a Data Subject.

  • In addition to access to the information itself, there are other mandatory categories of information that must be provided in the response by the Data Controller, such as:
    • the purposes of the processing;
    • the categories of personal data concerned;
    • the period of retention;
    • the recipients or the categories of the data recipients;
    • the existence of automated decision-making, including profiling;
    • the existence of their rights as a Data Subject; and
    • the existence of their right to complain to data protection authorities, among others.
  • The GDPR requires that Subject Access Requests (“SARs”) be responded to by Data Controllers without undue delay and in any event within one month of receipt of the request (Article 12). The GDPR applies to all EU Member States, and one month is thus a universal rule.
  • If requests are complex or voluminous, there may be the possibility of an extension of time by two further months, as long as the Data Subject is properly notified. Also, there are situations where you may have the ability to ‘stop’ and ‘start’ the clock on the response time period depending on certain factors, such as needing more information from the candidate in order to fulfill the request, mainly to verify his or her identity.
  • Data Controllers are not able to charge a fee to comply with a SAR under the GDPR, unless the request is ‘manifestly unfounded or excessive’.
  • A Data Subject may make a SAR in writing or verbally, and even via social media. A third party can also exercise a SAR right on behalf of the Data Subject if it is authorized to do so.

First Advantage has standard operating procedures in place to ensure that all requests received from Data Subjects for access to their personal information are referred to the appropriate customer as the Data Controller, and handled promptly in accordance with the specific instructions received from you.

Verification is required for You to identify the Data Subject in relation to a SAR. You can complete identity verification in one of several ways:

  1. Through communication with the Data Subject using the email address connected with the account.
  2. Through an authentication mechanism such as the use of the same credentials needed to log in to Your system. That would be a sound alternative if there is any doubt concerning the identity of the natural person making the request through their email address.
  3. If the request is not made via the email address used to sign up with You, which is already connected to the data, and You cannot confirm the Data Subject’s identity in other ways, then You could request that the Data Subject send a government-issued ID.

Data Subjects can exercise their rights in any possible way, provided the request is not lodged in a manifestly unfounded or excessive manner, and you are in a position to verify their identity. This means that even when a request is sent to Your employee’s email and not to Your privacy mailbox, You must have processes in place that make sure the Data Subject’s request is forwarded to the responsible party.

2. Right to Erasure (the ‘Right to be Forgotten’)

A Data Subject’s right to request the erasure of their personal information is not a new right created by GDPR. Under the previous law, Data Subjects had the right to request that their personal information be erased or “blocked” where the Data Controller failed to comply with the law (especially where the data are inaccurate or incomplete). The range of circumstances under which it can be requested under GDPR is much broader. The newly coined ‘Right to be Forgotten’ means in practice that Data Subjects are entitled to require a Data Controller to delete their personal information if:

  • the data is no longer needed for the original purpose (and no new lawful purpose exists);
  • where the lawful basis for the processing is the Data Subject’s consent, the Data Subject withdraws that consent, and no other lawful ground exists;
  • where the lawful basis is something other than consent, the Data Subject exercises the right to object, and the Data Controller has no overriding grounds for continuing the processing;
  • the data has been unlawfully processed;
  • erasure is necessary for compliance with EU law or the national law of the relevant Member State; or
  • the personal data have been collected in relation to the offer of information society services where the consent has been given by a child.

The right is however not absolute and will not apply if the Data Controller needs to process the personal information as a matter of legal obligation or for the exercise or defense of the Data Controller’s legal claims.

In the event a candidate invokes their “Right to be Forgotten”, you (as Data Controller), if such request is appropriate, must direct First Advantage to delete information pertaining to the processing of the candidate’s background screening report within one month of receipt of the request, and inform the candidate about the erasure.

3. Right to be informed

This right has been discussed in detail in our prior articles and essentially means that the candidate is entitled to transparent communication regarding how you intend to process their personal information, i.e. the candidate is entitled to receive a privacy notice with the information prescribed by the GDPR at the time of collection of the data or within a reasonable period (not later than one month) if the data is not collected directly from the Data Subject.

First Advantage provides transparency regarding its processing of personal data for customers’ candidates and its own candidates as well, in the form of a Privacy Policy which can be viewed at https://fadv.com/privacy-center/non-us-residents/privacy-policies-by-region/, which includes country-specific policies such as our Privacy Policy for the European Economic Area and United Kingdom. This policy discusses our role as a Data Processor in greater detail.

When First Advantage operates as Data Processor on your behalf, you (as Data Controller) will then instruct First Advantage on what action to take as necessary. If the Data Subject directly contacts First Advantage, First Advantage will ensure that you, as Data Controller, are involved in and aware of the request and/or concerns, so that you can provide instruction to First Advantage.

4. Right to Rectification

Under the previous law, Data Subjects were already entitled to require that Data Controllers rectify any errors in their personal information without undue delay and upon request. This right ties in with the accuracy principle in our earlier blogpost. The GDPR has not changed this right significantly.

Where a candidate’s request relates to background screening results obtained through First Advantage, we can support you by reinvestigating to ensure that inaccurate or incomplete data is rectified where appropriate. You should restrict processing of the concerned personal data while its accuracy is being verified.

5. Right to Restrict Processing

In the following circumstances, Data Subjects are entitled to request that the Data Controller restricts the processing of their personal data, rather than erasing it:

  • the personal data is deemed inaccurate by the Data Subject, and is awaiting rectification;
  • the processing is unlawful, but the Data Subject opposes erasure;
  • the personal data is no longer needed by the Data Controller, but the Data Subject opposes erasure; or
  • a decision is pending about a request to object.

The Data Subject must be informed before restrictions are lifted unless this proves impossible or involves disproportionate effort. Personal data restricted from processing can only be processed with the Data Subject’s consent, to exercise legal claims, for the protection of the rights of another natural or legal person, or for reasons of important public interest.

Where a candidate’s request relates to background screening results obtained through First Advantage, you should inform First Advantage about the request. Ensure you have appropriate technical and organisational measures in place to restrict data processing, e.g. temporarily moving the data to another processing system or making the data unavailable to users.

6. Right of Data Portability

In situations where the processing is carried out by automated means, and the lawful basis for processing is consent or the performance of a contract, Data Subjects have the right to transfer personal information that they have provided to one Data Controller to another Data Controller. Data Controllers are required to provide the Data Subject, upon request, with their personal data in a structured, commonly used, machine-readable format. The Data Subject can also request that the data be transferred directly from one Data Controller to another, if technically possible. The method of transferring the information requested must be secure.

Automated processing is generally not a method used to select prospective employees. Therefore, this right is likely not relevant to personal information collected during the background screening process.

7. Right to Object to Processing

Where a Data Subject objects to the processing of their personal information, the Data Controller must stop processing that data unless they can demonstrate compelling legitimate grounds to continue (e.g. pursuant to a legal obligation, or by demonstrating that processing is for the exercise or defence of legal claims). This right can only be exercised where the lawful basis for processing is the performance of a task in the public interest or the legitimate interests of the Data Controller.

8. Right to not be evaluated on the Basis of Automated Processing Alone

Data Subjects have the right not to be subject to a decision with legal or similarly significant effects that is based solely on automated processing of their personal information. Again, this is unlikely to be relevant in the context of background screening if automated processing is not the sole basis for determining future employees.

Take note that these rights are not absolute, and some apply to all processing activities (such as the right of access) while others only apply in certain circumstances (such as the rights to erasure and portability).

Next in the GDPR Information Series: “Data Transfers”