The European Union's General Data Protection Regulation ("GDPR") is arguably the most comprehensive - and complex - data privacy regulation in the world. As companies prepare for the GDPR to go into force on May 25, 2018, there continues to be a great deal of confusion regarding the requirements of the GDPR.
To help address that confusion, Bryan Cave Leighton Paisner is publishing a multi-part series that discusses the questions most frequently asked by clients concerning the GDPR, and concerning related data privacy laws in the European Union.
Question: Does a company’s reason for processing information impact whether it must honor a right of rectification?
Answer: No.
The GDPR recognizes six situations in which a company may process personal data. As the following chart illustrates some individual rights – such as the right to be forgotten – are dependent upon which permissible purpose a company relies upon. Other individual rights – such as the right to fix inaccuracies in personal information – are not.
--> Scroll to see full table data
Permissible Purpose
|
Right to be forgotten
|
Right to Access data
|
Right to data portability
|
Right to rectification
|
Right to object to processing
|
Consent
(i.e., Article 6(1)(a))
|
Y
|
Y
|
Y1
|
Y
|
Y2
|
Contract
(i.e., Article 6(1)(b))
|
Y
|
Y
|
Y3
|
Y
|
X
|
Compliance with legal obligation
(i.e., Article 6(1)(c))
|
X
|
Y
|
X
|
Y
|
X
|
Protecting vital interest of data subject (i.e., Article 6(1)(d))
|
Y
|
Y
|
X
|
Y
|
X
|
Public interest
(i.e., Article 6(1)(e))
|
Y4
|
Y
|
X
|
Y
|
Y
|
Legitimate interest of controller
(i.e., Article 6(1)(f))
|
Y5
|
Y
|
X
|
Y
|
Y
|
--> Scroll to see full table data
[View source.]