The EU General Data Protection Regulation (GDPR) provides 8 key rights for individuals. These key rights are as follows:
- The right to be informed – This right entitles individuals to be informed about the collection and use of their personal data.
Individuals have a right to know when data concerning them is being processed, who is processing it, why it is being processed, the retention period for the data, who it will be shared with, their rights with regard to the data and their right to make a complaint about the handling of the data. This information should be provided at the point the data is collected or, if the data has been received from someone else, within a reasonable period and no later than one month. If the data has been received from someone else, the individual must also be informed what data has been obtained and the source of the data.
Information must be provided in a way which is concise, transparent, intelligible, and easily accessible, and be conveyed in clear and plain language. Organisations holding data should regularly review the information that they are providing, and update it if necessary.
- The right of access – This right entitles individuals to access the data being held about them.
Information can be obtained by making a subject access request to the organisation holding the data, which can be done either verbally or in writing. The organisation holding the data must respond within one month of the request.
If asked by an individual whose data they hold, an organisation must provide confirmation of whether they are processing that individual's data, supplementary information including the mandatory information discussed above, and a copy of the data being processed.
- The right to rectification – This right allows individuals to have any personal data being held in relation to them rectified if it is inaccurate or completed if it is incomplete.
A request for rectification can be made either verbally or in writing. The organisation holding the data must respond within one month of the request.
Any third party with whom the data has been shared should be informed that the individual has exercised this right.
- The right to erasure – This right allows individuals to request to have data held in relation to them erased. However, this right is not absolute.
A request for the erasure of information can be made either verbally or in writing. The organisation holding the data must respond within one month of the request.
Information should be erased if the data is no longer necessary for the purpose for which it was originally collected or processed; if the organisation holding it is relying on consent as its lawful basis for holding the data and consent is withdrawn; if the organisation holding it is relying on legitimate interests as its basis for processing, the individual objects to the processing of their data, and there is no overriding legitimate interest to continue this processing; if the organisation holding it is processing the personal data for direct marketing purposes and the individual objects to that processing; if the organisation holding it has processed the personal data unlawfully; if the organisation holding it has to erase the information to comply with a legal obligation; or if the organisation holding it has processed the personal data to offer information society services to a child.
However, the right to erasure may not apply if processing is necessary to exercise the right of freedom of expression and information; to comply with a legal obligation; for the performance of a task carried out in the public interest or in the exercise of official authority; for archiving purposes in the public interest, scientific research, historical research or statistical purposes where erasure is likely to render impossible or seriously impair the achievement of that processing; or for the establishment, exercise or defence of legal claims.
Any third party with whom the data has been shared should be informed that the individual has exercised their right to erasure.
- The right to restrict processing – This right allows an individual to request the restriction or suppression of their personal data. This right is also not absolute and only applies in certain circumstances.
A request for restriction can be made either verbally or in writing. The organisation holding the data must respond within one month of the request.
The right applies where the individual contests the accuracy of their personal data and the organisation is verifying the accuracy of the data; the data has been unlawfully processed and the individual opposes erasure and requests restriction instead; the organisation no longer needs the personal data but the individual needs the organisation to keep it in order to establish, exercise or defend a legal claim; or the individual has objected to the organisation processing their data under Article 21(1), and the organisation is considering whether its legitimate grounds override those of the individual.
- The right to data portability – This right allows an individual to obtain and reuse their personal data that they provided to an organisation for their own purposes across different services.
Data covered by this right can include information that was given to an organisation such as an individual’s mailing address, username or age, as well as data resulting from observation of their activities by an organisation such as their search history, traffic and location data and “raw data” processed by smart meters and wearable devices.
The right does not extend to data created by the organisation based on the data they were provided by an individual, such as a user profile.
- The right to object – This right allows individuals to object to an organisation processing their data.
An objection can be made verbally or in writing. The organisation holding the data must respond within one month of the objection.
An individual has an absolute right to object to their personal data being processed if this is being done for direct marketing purposes. They can also object if the processing is for a task carried out in the public interest, the exercise of official authority vested in the organisation, or an organisation’s legitimate interests (or those of a third party), although the right is not absolute in these cases.
- Rights in relation to automated decision making and profiling – This right entitles individuals not to be subject to a decision based solely on automated processing if that decision will have legal or similarly significant effects on them.
This type of processing can only be carried out if it is necessary for the entry into or performance of a contract; authorised by Union or Member state law applicable to the controller; or based on the individual’s explicit consent.
Organisations using this processing must ensure that individuals are given information about it, that there are simple ways for individuals to request human intervention or challenge a decision, and that checks on the systems doing the processing are carried out regularly.