GDPR Response on Auto Decision Making-Restriction on Processing Template - Rejected
Introduction
The GDPR stipulates that every data subject whose personal data is being collected by an organization has the right to request that the organization not affect any automatic decision-making capabilities on their data. This can include decisions made by AI, algorithms and any automated processes that don't require human intervention. This also includes profiling of any kind.
If a data subject wishes to exercise the right to restrict or completely stop this practice, it must be reviewed by a human being. If the request is rejected, the data controller must inform the data subject that they are within their rights to contest this decision and appeal to the local supervisory authority.
The rejection response is intended to notify a request submitted by a data subject of the organization, requesting to restrict the use of any automated decision-making or profiling processes regarding their personal data. The GDPR ensures that any automatic decision-making will be done transparent, lawful, and fair.
Scope and Purpose
The organization may reject the automatic decision-making processing restriction request if one of the following occurs -
1. The process is required for abiding by a contract.
2. It is authorized by the local law, which applies to the data controller.
3. The end-user explicitly contested these processes, and restricting them now may negatively affect the organization.
If none of the above are relevant to the request, then the data controller must comply promptly.
Once an auto-making restriction request has been submitted, the data controllers are required to -
1. A human being must review the request.
2. The DPO (or delegate thereof) needs to ascertain that the personal data mentioned exists on the organization's servers, and that a type of auto-making decisions is in practice
3. If auto-making decisions are in practice, Validate that the requester is indeed the data owner or is a proxy of the legitimate data subject.
4. If the requestor is the owner of the data or is a proxy of one, Check if the organization has any reason not to comply with the request
5. If the requestor is not the data owner or is not a proxy of one, Inform the requester that their request is invalid and will not be processed.
6. For internal or external audits: Keep a record of the request, its response, and any further communication with the requester.
The Obligations of the Data Controller
The rejection response should include the following fields -
1. The details of the DPO (or their delegate)
2. The details of the request and who submitted it.
3. The type of automatic decision-making that the personal data is subject to and are requested to be restricted.
4. The DPO's response to the request.
5. Inform the data subject of their right to appeal the rejection decision to the supervisory authority.
Other Obligations -
1. Establish that the requesters' data is automatically processed in any way.
2. Ascertain that the request is feasible, and if not, explain as to why.
3. Notify the data subject of the decision to reject their request.
Term Definitions
What is a Data Controller?
An organization or person who determines the use of the collected personal data from the data subjects. The data controller owns the collected personal data, decides how it will be processed and bears the sole responsibility for safekeeping it.
What is personal data?
Any type of unique data which relates to an individual data subject. This can include such information as Name, phone number, Email address, ID number, health records, political opinions, IP address, etc.
What is the processing of personal data?
Any act performed on the collected personal data of all the organizations' data subjects. This may include such actions as storing the data, analyzing it to extract insights or deleting it once it is no longer required.
What is a data subject (also known as an end-user)?
Any person who created a unique username on the organization's website, thus giving them the possibility of using that username to perform specific tasks and use features offered on the website.
Who is the DPO?
The Data Protection Officer is the main stakeholder of the organization for all aspects of GDPR compliance. They are responsible for making sure that the GDPR guidelines are adhered to.
What is a data breach?
Any intentional or unintentional security incident involves sharing personal data with any unauthorized element. Sharing personal data may include viewing, copying, stealing, or altering personal data.
Key Takeaways / Conclusions
1. The DPO (or their delegate) is responsible for checking the request and responding to it.
2. In case of a rejection, the response must explain in clear, everyday language why the rejection decision was made.
