Oct 7, 2020 | ISO

Rights under the GDPR

Howard Freeman


What are the data subject rights under the GDPR?

The EU GDPR (General Data Protection Regulation) gives individuals eight rights relating to their personal data. You must tell individuals how they can exercise these rights and respond to requests promptly. Failure to do so is a violation of the GDPR and could lead to disciplinary action. But first, what is a data subject?

What is a data subject?

A ‘data subject’ is any living individual whose personal data is collected, held or processed by an organisation. Data that can be used to identify an individual is deemed personal data; examples include a name, a home address or even a credit card number. You must therefore respect the rights of data subjects.

What are the data subject rights under the GDPR?

The right to be informed

Organisations must tell individuals what data is being collected. They must clearly state how it’s being used, how long it will be kept, and whether it will be shared with any third parties. This information must be communicated concisely and in plain language.

The right of access

Individuals can submit subject access requests, which oblige organisations to provide a copy of any personal data they hold concerning the individual. Organisations have one month to produce this information. However, you should be aware there are exceptions for requests that are manifestly unfounded, repetitive, or excessive.

The right to rectification

If an individual discovers that the information an organisation holds on them is inaccurate or incomplete, they can request that it be updated. As with the right of access, organisations have one month to do this, and the same exceptions apply.

The right to erasure

Individuals can request that organisations erase their data in certain circumstances: when the data is no longer necessary, when it was unlawfully processed, or when it no longer meets the lawful grounds for which it was collected. This includes instances where the individual withdraws consent.

The right to erasure is better known as ‘the right to be forgotten’.

The right to restrict processing

Individuals can request that an organisation limits the way it uses their personal data. This is an alternative to requesting the erasure of data. An individual might choose this when contesting the accuracy of their personal data. Perhaps the individual no longer needs the information, but the organisation requires it to establish, exercise or defend a legal claim.

The right to data portability

Individuals are permitted to obtain and reuse their personal data for their own purposes across different services. This right only applies to personal data that an individual has provided to data controllers, for example under a contract or on the basis of consent.

The right to object

Data subjects can object to the processing of personal data that is collected on the grounds of legitimate interest, or for the performance of a task in the interest or exercise of official authority. Organisations must stop processing the information unless they can demonstrate compelling legitimate grounds for the processing that override the interests, rights and freedoms of the individual, or unless the processing is for the establishment, exercise or defence of legal claims.

Rights related to automated decision making including profiling

The GDPR includes provisions for decisions made with no human involvement, such as profiling. Profiling uses personal data to make calculated assumptions about individuals. There are strict rules about this kind of processing, so a person who doesn’t believe the rules are being followed can request a challenge and/or a review of the processing.

It is therefore vital that you understand your reason for holding data and the legal basis for processing it. That legal basis should be recorded in your data asset register in the first instance, together with the date you acquired the data. You should also record how long you intend to keep it.

If you need help building your data asset register or writing a data retention policy then contact us here.

