Link Search Menu Expand Document
Responsible data management toolbox

5.2 Data subject rights


Keep in mind

The populations from which the data are collected have rights over them. To be able to exercise them, they must be informed.

Organisations should implement means to enable populations to avail of their rights.

Data protection implies a transparent responsibility towards the populations with which humanitarian actors work, but it is also an opportunity to improve their practices and accountability. These populations have rights to the personal data that is collected and used, because it belongs to them and is directly related to their privacy.

It also means that organisations that collect data must implement ways to facilitate the exercise of people’s rights.

PLEASE NOTE: all of the rights of individuals regarding their personal data apply, whatever the legal basis chosen, that is to say, even if consent has been excluded, they have prerogatives on the processing of their personal data.

5.2.1 The right to be informed

Accountability to affected populations includes the obligation to inform the latter of the purpose (and the various subsequent uses) of the data collected. This is moreover the case, whether consent is chosen as a legal basis or not, and even more so since consent is not the basis used: they are the primary owners of this data.

The information provided to the populations on the collection and processing of their personal data must be done in a concise, intelligible manner, for instance in everyday language, jargon-free, with explicit terms.

“There is no single way to properly inform people”. This information should be:

  • adapted to situations and data collection media”: information may be provided in writing, orally or in the form of a “visualization tool” or images, for example (“29” group transparency guidelines),
  • accessible and understandable” (source: CNIL).

Data subjects should, as far as possible, be provided with information on the following:

  • The precise data being collected and their processing,
  • The reason (purpose) for processing the data (why the data is collected and what it will be used for),
  • The rights they have (to access, oppose, rectify or erase data and to submit complaints for example),
  • If this is the case, the resulting automated decision-making (the data subjects have the right to oppose it),
  • If this is the case, the existence of an associated complaint mechanism.

Best practices: Implement one or several mechanisms “at the project or programme level to ensure that the data subjects can exercise their rights”, in order to involve communities and allow organisations to handle “feedback and complaints” (Source: HI).

5.2.2 Other rights

GDPR regulations give other rights to people from whom organisations collect personal data.

Here is a capsule summarising the rights of data subjects (of which they should be informed). (Sources: Tdh Data Protection Starter Guide, France Générosités, CNIL).