Individual Rights under GDPR

Punit Bhatia

15 years: Data privacy & GDPR

GDPR refers to individuals as data subjects, and their rights are also referred to as Data Subject Access Rights or Data Subject Rights. In this video, Punit explains the different rights that are available to an individual, such as our customers or employees, whose personal data is being processed, and the common requirements associated with them.

13 mins 10 secs

Overview

Data protection laws provide individuals with rights that they can exercise. Organisations need to put in place processes to respond when an individual exercises their rights. They must keep a record of the rights requests that they have responded to.

Key learning objectives:

  • Outline the different rights under the GDPR that are available to individuals

  • Outline some common aspects across the rights

Summary

What are the different rights under the GDPR that are available to individuals?

1. Right to Be Informed:

This provides individuals with the right to know all information about their personal data. This is usually implemented in a layered approach and the first layer of informing an individual is the privacy statement.

2. Right to Access:

It provides individuals with the right to obtain a copy of their personal data, as well as other supplementary information. When this right is exercised, the organisation should provide the individual with the following data:

  • The purposes of processing
  • The categories of personal data
  • The recipients or categories of recipient the company discloses the personal data to
  • Their retention period for storing the personal data or, where this is not possible, the criteria for determining how long the company will store it
  • The existence of their right to request rectification, erasure or restriction or to object to such processing
  • Information about the source of the data, if data was not obtained directly from the individual
  • The existence of automated decision-making (including profiling); and
  • The safeguards the company has put in place if personal data is being transferred to a third country or international organisation

3. Right to rectification:

It allows individuals to have their personal data corrected. It is useful for a person who has just moved to a new address and wants to have their records updated with a company.

4. The Right to be forgotten:

It is also known as the right to deletion or right to erasure, and gives individuals the right to have their personal data erased. It is available to an individual when personal data is illegally stored, or when personal data is no longer necessary for the purpose for which it was obtained and there is no legal justification for it to be retained.

5. The Right to object:

It provides individuals with the right to object to the processing of their personal data at any time. A typical usage of this right would be when a client regards a company’s processing of their personal data based on legitimate interest to be unfair.

6. The Right to restrict processing:

It provides individuals with the right to ask for restriction of processing when one of the following conditions applies:

  • The accuracy of the personal data is contested by the individual, for a period enabling the controller to verify the accuracy of the personal data
  • The processing is unlawful and the individual opposes the erasure of the personal data and requests the restriction of their use instead
  • The controller no longer needs the personal data for the purposes of the processing, but personal data is required by the individual for the establishment, exercise or defence of legal claims
  • The individual has exercised the right to object but the client's claim that the processing is unfair is still being evaluated

7. The Right not to be subjected to automated decision making:

This right gives individuals the ability to ask for a manual review if a decision is solely based on automated means and has an impact on the individual.

8. The Right of portability:

This right gives individuals the ability to have their personal data transferred to another controller or receive it back in machine readable format.

What are some common aspects across the rights?

  • A rights request can be made by the individual or their legal representative
  • Organisations cannot charge individuals for exercising their rights
  • An organisation can, however, charge a fee or deny a rights request if the request is considered excessive or repetitive in nature
  • If your organisation refuses a request, the individual must be informed about the reasons, their right to make a complaint to the ICO or other relevant supervisory authority and their ability to seek to enforce this right through the courts
  • A rights request should be answered in 30 days. A company can ask for an extension of 60 days if needed, but the individual must be informed about the delay and reasons for the delay

Punit Bhatia

Punit Bhatia is a passionate author, speaker, and advisor. He provides strategic coaching and advice to privacy experts, business owners, and upcoming privacy professionals. Punit is known for providing advice that is simple, pragmatic and business-aligned.
