GDPR Information Series #5: Data Subject Rights

July 1, 2020

“Data Subject Rights” is the fifth in a series of topics in which we will discuss the potential impact of the GDPR on your EU or global background screening processes. In this series, look for the First Advantage globe icon, which will highlight specific information regarding potential impact to First Advantage screening processes.

Recall that under the GDPR (as is the case today under existing law), Data Subjects are your prospective and/or current employees. Existing data protection laws and the GDPR give Data Subjects specific rights with respect to their personal information. Your organisation, as a Data Controller, and First Advantage as a Data Processor, may be required to take some kind of action when a Data Subject invokes these rights.

(1) Right of Access – Under current law, Controllers have been required to provide Data Subjects with access to their personal information upon request by a Data Subject and this will continue to be true under GDPR.

So what is changing?

  • The most notable change under GDPR is that in addition to access to the information itself, there are expanded mandatory categories of information that must be provided in the response by the Data Controller such as:
    • the period of retention,
    • the existence of their rights as a Data Subject, and
    • the existence of their right to complain to data protection authorities, among others.
  • The GDPR requires that Subject Access Requests (“SARs”) be responded to by Data Controllers within one month (Article 12). Under current law, there is no specified time period but many EU Member States have set various time periods for response under their specific national data protection laws (e.g. 40 days under the current UK Data Protection Act). The GDPR will apply to all Member States and therefore there will no longer be any national variation and one month will be the national rule.
  • If requests are complex or voluminous there may be the possibility for extension of time. Also, there are situations where you may have the ability to ‘stop’ and ‘start’ the clock on such response time period depending on certain factors such as needing more information from the candidate in order to fulfill the request.
  • Controllers will also no longer be able to charge a fee to comply with a SAR under the GDPR, unless the request is ‘manifestly unfounded or excessive.’

[First Advantage globe icon] First Advantage has standard operating procedures in place to ensure that all requests received from candidates for access to their personal information are referred to the appropriate customer as the Data Controller, and handled promptly in accordance with the specific instructions received from you.

(2) Right to Erasure (the ‘Right to be Forgotten’) – A Data Subject’s right to request the erasure of their personal information is not a new right created by GDPR. Under current law, Data Subjects have the right to request that their personal information be erased or “blocked” where the Controller fails to comply with the law (especially where the data are inaccurate or incomplete). The range of circumstances under which it can be requested under GDPR is much broader. The newly coined ‘Right to be Forgotten’ means in practice that Data Subjects are entitled to require a Controller to delete their personal information if:

  • the data are no longer needed for the original purpose (and no new lawful purpose exists);
  • where the lawful basis for the processing is the Data Subject’s consent, the Data Subject withdraws that consent, and no other lawful ground exists;
  • where the lawful basis is something other than consent, the Data Subject exercises the right to object, and the Data Controller has no overriding grounds for continuing the processing;
  • the data has been unlawfully processed; or
  • erasure is necessary for compliance with EU law or the national law of the relevant Member State.

[First Advantage globe icon] In the event a candidate invokes their “Right to be Forgotten”, you (as Data Controller), if such request is appropriate, can direct First Advantage to delete information pertaining to the processing of the candidate’s background screening report.

(3) Transparent Communication – This right has been discussed in detail in our prior articles and essentially means that the candidate is entitled to transparent communication regarding how you intend to process their personal information.

(4) Right to Rectification – Data Subjects are entitled to require that Controllers rectify any errors in their personal information without undue delay and upon request. The GDPR does not change this right significantly.

[First Advantage globe icon] Where a candidate’s request relates to background screening results obtained through First Advantage, we can support you by reinvestigating to ensure that inaccurate or incomplete data are rectified where appropriate.

(5) Right to Restrict Processing – In some circumstances, Data Subjects may be entitled to limit the purposes for which the Data Controller can process their data, rather than erase personal information.

(6) Right of Data Portability – Data Subjects have the right to transfer personal information that they have provided to one Data Controller to another Data Controller. Controllers are required to provide Data Subjects with their personal data in a structured, commonly used, machine-readable format where processing is carried out by automated means, upon request.

[First Advantage globe icon] Automated processing is generally not a method used to select prospective employees. Therefore, this right is likely not relevant to personal information collected during the background screening process.

(7) Right to Object to Processing – Where a Data Subject objects to the processing of their personal information, the Data Controller must stop processing that data unless they can demonstrate compelling legitimate grounds to continue (e.g. pursuant to a legal obligation).

(8) Right to not be evaluated on the Basis of Automated Processing – Data Subjects have the right not to be evaluated in any circumstance with legal or similarly significant effects solely on the basis of automated processing of their personal information. Again, this is unlikely to be relevant in the context of background screening.

Next in the GDPR Information Series…“Data Transfers”


About First Advantage

First Advantage provides comprehensive background screening, identity and information solutions that give employers access to actionable information that results in faster, more accurate people decisions. With an advanced global technology platform and superior customer service delivered by experts who understand local markets, First Advantage helps customers around the world build fully scalable, configurable screening programs that meet their unique needs. Headquartered in Atlanta, Georgia, First Advantage has offices throughout North America, the United Kingdom, Asia and the Middle East.

Information Content Notice

Although the foregoing has been authored by the First Advantage Global Legal Compliance Team, we are not authorised to provide your organisation with legal advice because First Advantage is not a law firm.

The foregoing information is rather provided in a spirit of partnership as helpful information on the possible impacts associated with GDPR.

Please share this document with legal counsel familiar with your organisation and who has expertise in GDPR compliance. Given the substantial financial penalties associated with GDPR compliance and their possible impact on your revenue, legal review is an essential part of your organisation’s preparation for GDPR compliance.

Current as of June 2020
© 2020 First Advantage Corporation