Individual Rights under GDPR

Individual Rights under GDPR

Punit Bhatia

15 years: Data privacy & GDPR

GDPR refers to individuals as data subjects, these are also referred to as Data Subject Access Rights or Data Subject Rights. In this video, Punit explains the different rights that are available to an individual such as our customers or employees, whose personal data is being processed and the common requirements associated with them.

GDPR refers to individuals as data subjects, these are also referred to as Data Subject Access Rights or Data Subject Rights. In this video, Punit explains the different rights that are available to an individual such as our customers or employees, whose personal data is being processed and the common requirements associated with them.

Speak to an expert

Speak to an expert today to access this and all of the content on our platform.

Individual Rights under GDPR

13 mins 10 secs

Key learning objectives:

  • Outline the different rights under the GDPR that are available to individuals

  • Outline some common aspects across the rights

Overview:

Data protection laws provide individuals with rights that they can exercise. The organisations need to put in place processes to respond to an individual’s exercise of rights. They must ensure to keep a record of rights requests that they have responded to.

Speak to an expert

Speak to an expert today to access this and all of the content on our platform.

Summary

What are the different rights under the GDPR that are available to individuals?

1. Right to Be Informed:

This provides individuals with the right to know all information about their personal data. This is usually implemented in a layered approach and the first layer of informing an individual is the privacy statement.

2. Right to Access:

It provides the individuals with the right to obtain a copy of their personal data, as well as other supplementary information. When this right is exercised, the organisation should provide the individual with the following data:

  • The purposes of processing
  • The categories of personal data
  • The recipients or categories of recipient the company discloses the personal data to
  • Their retention period for storing the personal data or, where this is not possible, the criteria for determining how long the company will store it
  • The existence of their right to request rectification, erasure or restriction or to object to such processing
  • Information about the source of the data, if data was not obtained directly from the individual
  • The existence of automated decision-making (including profiling); and
  • The safeguards company has put in place if personal data is being transferred to a third country or international organisation

3. Right to rectification:

It allows individuals to have their personal data corrected. It is useful for a person who has just moved to a new address and wants to have their records updated with a company.

4. The Right to be forgotten:

It is also known as the right to deletion or right to erasure, providing individuals with the ability to have the right to have personal data erased. It is available to an individual when personal data is illegally stored or personal data is no longer necessary for the purpose for which it has been obtained and there is no legal justification for it to be retained.

5. The Right to object:

It provides individuals with the right to object to the processing of their personal data at any time. A typical usage of this right would be when a client regards a company’s processing of their personal data based on legitimate interest to be unfair.

6. The Right to restrict processing:

It provides individuals with the right to ask for restriction of processing when one of the following conditions apply:

  • The accuracy of the personal data is contested by the individual, for a period enabling the controller to verify the accuracy of the personal data
  • The processing is unlawful and the individual opposes the erasure of the personal data and requests the restriction of their use instead
  • The controller no longer needs the personal data for the purposes of the processing, but personal data is required by the individual for the establishment, exercise or defence of legal claims
  • The individual has exercised the right to object but the client's claim on processing being unfair is being evaluated

7. The Right not to be subjected to automated decision making:

This right gives individuals the ability to ask for a manual review if a decision is solely based on automated means and has an impact on the individual.

8. The Right of portability:

This right gives individuals the ability to have their personal data transferred to another controller or receive it back in machine readable format.

What are some common aspects across the rights?

  • A rights request can be made by the individual or their legal representative
  • Organisations cannot charge individuals for exercising their rights
  • An organisation can however charge a fee or deny a rights request if the request is considered excessive or repetitive in nature
  • If your organisation refuses a request, the individual must be informed about the reasons, their right to make a complaint to the ICO or other relevant supervisory authority and their ability to seek to enforce this right through the courts
  • A rights request should be answered in 30 days. A company can ask for an extension of 60 days if needed, but the individual must be informed about the delay and reasons for the delay

Speak to an expert

Speak to an expert today to access this and all of the content on our platform.

Punit Bhatia

Punit Bhatia

Punit Bhatia is a passionate author, speaker, and advisor. He provides strategic coaching and advice to privacy experts, business owners, and upcoming privacy professionals. Punit is known for providing advice that is simple, pragmatic and business-aligned.

There are no available Videos from "Punit Bhatia"