GDPR individual data rights and access

GDPR legislation governing individual data rights and access, including the right to be forgotten.

Right of Access

The following data rights for individuals are provided by the GDPR:

  • The right to be informed.
  • The right to rectification.
  • The right of access.
  • The right to be forgotten (erasure).
  • The right to restrict the processing of your data.
  • The right to data portability.
  • The right to object.
  • Rights regarding automated profiling and decision making.

Individual data rights and access in more detail

1. The right to be informed

The right to be informed means companies must give individuals clear, succinct and easily understandable information on what they want to do with their data.

GDPR Articles 13 and 14 explain exactly what people have to be informed about, which is termed ‘privacy information’.

Companies should proactively engage with this right to be informed as it helps compliance with the rest of the GDPR. It also fosters a level of trust with individuals, which will give the company more access to their information.

Companies must provide privacy information including the name and contact details of the organisation, the representative, the Data Protection Officer, the purpose of data collection and processing, the legitimate interests for processing, retention periods and a number of others.

2. The right to rectification

Under GDPR Article 16, individual data subjects have the right to rectify inaccurate personal data or have it fully completed if the information is not complete. They can request rectification in writing or verbally and the company has one calendar month to respond to them formally.

There are certain circumstances that allow companies to refuse the individual’s request for rectification. As this right is connected with the obligations of the data controller under the GDPR accuracy principle, see GDPR Article 5(1)(d) for the full information.

3. The right of access

People have the right of access regarding their personal data. You’ll often hear this referred to as ‘subject access’. They can make a subject access request to the company concerned either verbally or in writing, and the company has a month to respond.

The organisation is not allowed to charge a fee to the individual to deal with the request in the majority of cases.

The right of access gives individuals the legal right to a copy of their personal data and any other supplementary data. It’s designed to help people understand why and how the company is using their data, and to ensure it’s being used lawfully. Individuals are not entitled to request access to information that relates to other people. The request can only cover personal data.

4. The right to erasure

Also called ‘the right to be forgotten’, the right to erasure means individuals can request that their data is erased. The request can be made verbally or in writing and the company must respond within a month. This right only applies in certain circumstances and is not absolute.

5. The right to restrict processing

Closely linked to GDPR Article 16 (the right to rectification) and GDPR Article 21 (the right to object), individuals have the right to ask for the restriction or suppression of their personal data.
Again, this is not absolute. It applies only in specific circumstances and means that companies can store the data but not use it. As with the other rights, individuals can request restriction of their data verbally or in writing, and the company must respond within a month.

6. The right to data portability

This allows people to obtain and use their personal data for their own reasons. It means they can copy, transfer or move personal data from one online environment to another, safely and securely. It only applies to data an individual has previously provided to a controller.

7. The right to object

Under this GDPR right, individuals have the absolute right to object to their personal data being used for marketing reasons. They have the right to object to how their data is being processed in other circumstances too, but it’s not absolute.

In these other cases, if the controller can prove a compelling reason for the data usage and processing, then they may be able to continue to do so. Companies must actively inform individuals about their right to object.

8. Rights regarding automated profiling and decision making

The GDPR applies to all automated profiling and decision making. Automated individual decision-making means decisions made only by automation, with no involvement from humans.
Profiling is also covered. This means automated processing of individual personal data to analyse the individual. Under GDPR Article 22, there are extra protections for individuals if the collector or processor is actioning solely automated decision-making that has a significant effect on the individual.

The controller must also prove whether their processing comes under GDPR Article 22. If it does then the controller company must:

  • Tell the individual about the processing.
  • Introduce and communicate easy ways for the individual to challenge an automated decision or ask for a human being to check it.
  • Check their systems regularly and often.