GDPR Articles 12-23 set out the rights of data subjects. The main rights are summarized below, but we recommend you refer to the regulation for a full list of rights.
- Individuals have the right to be informed about the collection and use of their personal data. This is a key transparency requirement under GDPR.
  - You must provide individuals with information including: your purposes for processing their personal data, your retention periods for that personal data, and who it will be shared with. We call this ‘privacy information’.
  - You must provide privacy information to individuals at the time you collect their personal data from them.
  - The information you provide to people must be concise, transparent, intelligible, easily accessible, and it must use clear and plain language.
- Individuals have the right to access and receive a copy of their personal data, and other supplementary information. This is commonly referred to as a subject access request or ‘SAR’.
  - In most circumstances, you cannot charge a fee to deal with a request.
  - You should respond without delay and within one month of receipt of the request.
  - You should provide the information in an accessible, concise and intelligible format.
  - The information should be disclosed securely.
  - You can only refuse to provide the information if an exemption or restriction applies, or if the request is manifestly unfounded or excessive.
- The GDPR includes a right for individuals to have inaccurate personal data rectified, or completed if it is incomplete.
  - An individual can make a request for rectification verbally or in writing.
  - You have one calendar month to respond to a request.
- The GDPR introduces a right for individuals to have personal data erased.
  - The right to erasure is also known as ‘the right to be forgotten’.
  - The right is not absolute and only applies in certain circumstances.
  - Individuals can make a request for erasure verbally or in writing.
- Individuals have the right to request the restriction or suppression of their personal data.
  - This is not an absolute right and only applies in certain circumstances.
  - When processing is restricted, you are permitted to store the personal data, but not use it.
- The right to data portability allows individuals to obtain and reuse their personal data for their own purposes across different services.
  - It allows them to move, copy or transfer personal data easily from one IT environment to another in a safe and secure way, without affecting its usability.
  - Doing this enables individuals to take advantage of applications and services that can use this data to find them a better deal or help them understand their spending habits.
  - The right only applies to information an individual has provided to a controller.
- The UK GDPR gives individuals the right to object to the processing of their personal data in certain circumstances.
  - Individuals have an absolute right to stop their data being used for direct marketing.
  - In other cases where the right to object applies, you may be able to continue processing if you can show that you have a compelling reason for doing so.
  - You must tell individuals about their right to object.
- The GDPR has provisions on:
  - automated individual decision-making (making a decision solely by automated means without any human involvement); and
  - profiling (automated processing of personal data to evaluate certain things about an individual). Profiling can be part of an automated decision-making process.