What rights do individuals have under GDPR?

Rights of data subjects

GDPR Articles 12-23 set out the rights of data subjects. The main rights are summarized below, but we recommend you refer to the regulations for a full list of rights.

Right to be informed

  • Individuals have the right to be informed about the collection and use of their personal data. This is a key transparency requirement under GDPR.

  • You must provide individuals with information including: your purposes for processing their personal data, your retention periods for that personal data, and who it will be shared with. We call this ‘privacy information’.

  • You must provide privacy information to individuals at the time you collect their personal data from them.

  • The information you provide to people must be concise, transparent, intelligible, easily accessible, and it must use clear and plain language.

The right of access

  • Individuals have the right to access and receive a copy of their personal data, and other supplementary information. This is commonly referred to as a subject access request or ‘SAR’.

  • In most circumstances, you cannot charge a fee to deal with a request.

  • You should respond without delay and within one month of receipt of the request.

  • You should provide the information in an accessible, concise and intelligible format.

  • The information should be disclosed securely.

  • You can only refuse to provide the information if an exemption or restriction applies, or if the request is manifestly unfounded or excessive.

Right to rectification

  • The GDPR includes a right for individuals to have inaccurate personal data rectified, or completed if it is incomplete.

  • An individual can make a request for rectification verbally or in writing.

  • You have one calendar month to respond to a request.

Right to erasure

  • The GDPR introduces a right for individuals to have personal data erased.

  • The right to erasure is also known as ‘the right to be forgotten’.

  • The right is not absolute and only applies in certain circumstances.

  • Individuals can make a request for erasure verbally or in writing.

Right to restrict processing

  • Individuals have the right to request the restriction or suppression of their personal data.

  • This is not an absolute right and only applies in certain circumstances.

  • When processing is restricted, you are permitted to store the personal data, but not use it.

Right to data portability

  • The right to data portability allows individuals to obtain and reuse their personal data for their own purposes across different services.

  • It allows them to move, copy or transfer personal data easily from one IT environment to another in a safe and secure way, without affecting its usability.

  • Doing this enables individuals to take advantage of applications and services that can use this data to find them a better deal or help them understand their spending habits.

  • The right only applies to information an individual has provided to a controller.

Right to object

  • The UK GDPR gives individuals the right to object to the processing of their personal data in certain circumstances.

  • Individuals have an absolute right to stop their data being used for direct marketing.

  • In other cases where the right to object applies, you may be able to continue processing if you can show that you have a compelling reason for doing so.

  • You must tell individuals about their right to object.

  • The GDPR has provisions on:

    • automated individual decision-making (making a decision solely by automated means without any human involvement); and

    • profiling (automated processing of personal data to evaluate certain things about an individual). Profiling can be part of an automated decision-making process.
