
#5: Data Subject Rights

March 15, 2018

“Data Subject Rights” is the fifth in a series of topics in which we will discuss the potential impact of the GDPR on your EU or global background screening processes. In this series, look for the icon which will highlight specific information regarding potential impact to First Advantage screening processes.

Recall that under the GDPR (as is the case today under existing law), Data Subjects are your prospective and/or current employees, as the case may be. Existing data protection laws and the GDPR give Data Subjects specific rights with respect to their personal information. Your organization, as a Data Controller, and First Advantage as a Data Processor, may be required to take some kind of action when a Data Subject invokes these rights.

(1) Right of Access – Under current law, Controllers have been required to provide Data Subjects with access to their personal information upon request by a Data Subject and this will continue to be true under GDPR.

So what is changing?

  • The most notable change under GDPR is that in addition to access to the information itself, there are expanded mandatory categories of information that must be provided in the response by the Data Controller such as:
    • the period of retention,
    • the existence of their rights as a Data Subject, and
    • the existence of their right to complain to data protection authorities, among others.
  • The GDPR requires that Subject Access Requests (“SARs”) be responded to by Data Controllers within one month (Article 12). Under current law, there is no specified time period but many EU Member States have set various time periods for response under their specific national data protection laws (e.g. 40 days under the current UK Data Protection Act). The GDPR will apply to all Member States and therefore there will no longer be any national variation and one month will be the national rule.
  • If requests are complex or voluminous there may be the possibility for extension of time. Also, there are situations where you may have the ability to ‘stop’ and ‘start’ the clock on such response time period depending on certain factors such as needing more information from the candidate in order to fulfill the request.
  • Controllers will also no longer be able to charge a fee to comply with a SAR under the GDPR, unless the request is ‘manifestly unfounded or excessive.’

First Advantage has standard operating procedures in place to ensure that all requests received from candidates for access to their personal information are referred to the appropriate customer as the Data Controller, and handled promptly in accordance with the specific instructions received from you.

(2) Right to Erasure (the ‘Right to be Forgotten’) – A Data Subject’s right to request the erasure of their personal information is not a new right created by GDPR. Under current law, Data Subjects have the right to request that their personal information be erased or “blocked” where the Controller fails to comply with the law (especially where the data are inaccurate or incomplete). The range of circumstances under which it can be requested under GDPR is much broader. The newly coined ‘Right to be Forgotten’ means in practice that Data Subjects are entitled to require a Controller to delete their personal information if:

  • the data are no longer needed for the original purpose (and no new lawful purpose exists);
  • where the lawful basis for the processing is the Data Subject’s consent, the Data Subject withdraws that consent, and no other lawful ground exists;
  • the Data Subject exercises the right to object, and the Data Controller has no overriding grounds for continuing the processing;
  • the data has been unlawfully processed; or
  • erasure is necessary for compliance with EU law or the national law of the relevant Member State.

In the event a candidate invokes their “Right to be Forgotten”, you (as Data Controller), if such request is appropriate, can direct First Advantage to delete information pertaining to the processing of the candidate’s background screening report.

(3) Transparent Communication – This right has been discussed in detail in our prior articles and essentially means that the candidate is entitled to transparent communication regarding how you intend to process their personal information.

(4) Right to Rectification – Data Subjects are entitled to require that Controllers rectify any errors in their personal information without undue delay and upon request. The GDPR does not change this right significantly.

Where a candidate’s request relates to background screening results obtained through First Advantage, we can support you by reinvestigating to ensure that inaccurate or incomplete data are rectified where appropriate.

(5) Right to Restrict Processing – In some circumstances, Data Subjects may be entitled to limit the purposes for which the Data Controller can process their data, rather than erase personal information.

(6) Right of Data Portability – Data Subjects have the right to transfer personal information that they have provided to one Data Controller to another Data Controller. Controllers are required to provide Data Subjects with their personal data in a structured, commonly used, machine-readable format where processing is carried out by automated means, upon request.

Because automated processing is unlikely to be the method you use to select your prospective employees, this right is likely not relevant to personal information collected during the background screening process.

(7) Right to Object to Processing – Where a Data Subject objects to the processing of their personal information (especially in the context of direct marketing), the Data Controller must stop processing that data unless they can demonstrate compelling legitimate grounds to continue (e.g. pursuant to a legal obligation).

(8) Right to Not be Evaluated on the Basis of Automated Processing – Data Subjects have the right not to be evaluated in any circumstance with legal or similarly significant effects solely on the basis of automated processing of their personal information. This is unlikely to be relevant in the context of background screening.
