Rights for individuals
The GDPR creates some new rights for data subjects and strengthens some of the rights that currently exist under the DPA. The GDPR provides the following rights for data subjects:
- The right to be informed
- The right of access
- The right to rectification
- The right to be forgotten
- The right to restrict processing
- The right to data portability
- The right to object
- Rights in relation to automated decision making and profiling.
Each of these rights is dealt with in more detail below.
The right to be informed
Data subjects have the right to receive ‘fair processing information’ and to be provided with clear information about what personal data is collected, how that data is collected and how it is used. The ICO states that the information supplied to data subjects regarding the processing of their personal data must be:
- concise, transparent, intelligible and easily accessible
- written in clear and plain language, particularly if addressed to a child
- free of charge
For more information on how this information should be provided see the privacy policies / information notices page.
The right of access
As with the DPA, the GDPR gives data subjects the right to obtain confirmation that their data is being processed and gain access to their personal data and other supplementary information. For more information on this see the Subject Access Request page.
The right to rectification
Data subjects have the right to have their personal data rectified if it is inaccurate or incomplete. Data controllers must comply with this obligation within one month (although this can be extended by two months in relation to complex requests for rectification). Where data controllers have disclosed the incomplete / inaccurate personal data to third parties, they must, where possible, inform those third parties of the rectification.
The right to be forgotten
Broadly, data subjects have the right to request the deletion or removal of their personal data where there is no compelling reason for its continued processing. For more information see the right to be forgotten page.
The right to restrict processing
In certain circumstances data subjects may not have the right to be forgotten but may still be entitled to restrict or limit the purposes for which the data controller can process their personal data. This applies where:
- the accuracy of the personal data is contested (and only for as long as it takes to rectify / verify that accuracy)
- the processing is unlawful and the data subject requests restriction
- the data controller no longer needs the personal data for their original purpose, but the personal data is still required by the data controller to establish, exercise or defend its legal rights
- in the context of a right to be forgotten request, verification of the data controller’s overriding grounds is pending.
The right to data portability
The right to data portability allows data subjects to obtain and reuse their personal data for their own purposes across different services by enabling them to move, copy or transfer personal data easily from one IT environment to another in a safe and secure way, without hindrance to usability. For more information see the right to data portability page.
The right to object
Data subjects have the right to object to their personal data being processed in the following circumstances:
- Where the processing (including profiling) is based on legitimate interests or the performance of a task in the public interest/exercise of official authority, provided that the objection is on grounds relating to the data subject’s particular situation. In these circumstances the data processor must stop processing the personal data unless: (i) it can demonstrate compelling legitimate grounds for the processing, which override the interests, rights and freedoms of the data subject; or (ii) the processing is for the establishment, exercise or defence of legal claims.
- Where the processing (including profiling) is for direct marketing.
- Where the processing is for scientific/historical research, public interest archiving or statistical purposes and the data subject has “grounds relating to his or her particular situation” in order to exercise their right to object to processing for research purposes. If the data controller is conducting research where the processing of personal data is necessary for the performance of a public interest task, the data controller is not required to comply with an objection to the processing.
Rights in relation to automated decision making and profiling
Data subjects have the right not to be subject to a decision when it is based on automated processing and it produces a legal effect or a similarly significant effect on the individual. In these circumstances the data controller must ensure that the data subject is able to obtain human intervention, express their point of view, obtain an explanation of the decision and challenge it.
The right to object to automated decision making and profiling does not apply where the decision is necessary for entering into or performance of a contract between the data controller and the data subject, is authorised by law (for the prevention of fraud or tax evasion) or is based on explicit consent. The right also doesn’t apply when the decision does not have a legal or similarly significant effect on the data subject or another individual.
Profiling or automated decision making based on sensitive data
Any automated decision making based on sensitive personal data must have the individual’s explicit consent, or be necessary for public interest reasons on the basis of UK law. The UK has not yet made clear whether it will be implementing any specific legislation around automated decisions made using sensitive personal data.