Posted on 9th March 2018

What Are Your Rights as an Individual under GDPR?

Data subjects are accorded many rights by the General Data Protection Regulation. Seven of the most important are explained in more detail in this blog post. These rights follow logically from the principle that the individual whose data you are processing continues to own their data throughout your stewardship of it.

1. The Right to Be Informed

The GDPR gives you the right to be informed about how the data collected from you is going to be used. When requesting data from an individual, organisations must ensure that their privacy notice is concise, transparent, intelligible and easily accessible.

2. The Right of Access

The GDPR will make it easier for you to verify the lawfulness of the processing of your data and give you the right to see what data and supplementary information an organisation holds. All organisations, regardless of size, are obliged to provide a copy of this information to you free of charge and must deliver it within one month of receiving your request.

3. The Right to Rectification

Where you believe the personal data held by an organisation is inaccurate or incomplete, you have the right to have this rectified. Where this information has been subsequently passed on to third parties, it is the duty of the organisation to inform all parties of the rectification. All requests for rectification must be responded to within one month, though in the case of complex rectifications, this deadline may be extended to two months. If an organisation is not able to comply with your request within that time period, they are obliged to inform you of your right to complain to the supervisory authority and to a judicial remedy.

4. The Right to Erasure

If there is no compelling reason to continue holding or processing your data, the right to erasure, or ‘right to be forgotten’ as it is also known, gives you the right to request that personal data held about you is deleted. However, this is not an automatic right and can only be requested in specific circumstances:

  • When the data is no longer required for the purpose it was originally collected.
  • When you, the individual, withdraw consent for your data to be processed.
  • When there is no overriding reason to continue processing your personal data.
  • If the personal data was collected or processed unlawfully.
  • In order to comply with legal obligations.

Under the GDPR, unwarranted and substantial distress or damage alone is not a significant enough reason to request that your personal data be erased. However, it will almost certainly make your case for erasure stronger.

5. The Right to Restrict Processing

You have the right to request that the processing of your personal data be paused or halted altogether. In these instances, an organisation may continue to hold your data, but cannot recommence processing it until the issue is resolved. This course of action may be taken if you feel that the personal data being processed is inaccurate or if you wish to stop processing, but not go as far as full erasure. As in the case of rectification, it is the responsibility of the organisation to contact all other parties to whom your personal data may have been distributed. 

6. The Right to Data Portability

Some organisations in the UK already offer data portability but, under the GDPR, data portability will become a right. It will enable you to access the personal data held about you and reuse it without hindrance. This process will allow consumers to take advantage of services that can use this data to help them find a better deal.

7. The Right to Object

Unless an organisation can provide legitimate grounds for continuing, you have the right to object to processing required for:

  • The performance of a task in the public interest by an official authority.
  • Direct marketing (including profiling).
  • Historical or scientific research.

Organisations must inform an individual at the first point of communication, as well as in their privacy notice, of their right to object. 

In addition to these fundamental rights, there are also rights concerning automated decision making and profiling and rights of notification when data is being handled by third parties in a country outside of the EU. We’ll be covering these issues in future blog posts.

To read more about the rights being provided to you by the GDPR, both from the points of view of an individual and an organisation, we would advise you to visit the Information Commissioner’s Office (ICO) website, where all of the points listed above are outlined in more detail.

The priviness blog is a forum for the discussion and dissemination of ideas relating to privacy. The posts are written by a number of different authors and do not necessarily represent the views of priviness.