GDPR Data Subject Rights

GDPR puts all of us in control of our personal data, which is one of the great benefits of the regulation. Whenever an organisation processes our personal data, GDPR gives us a set of rights we can call upon. You are no longer powerless: you can exercise those rights at any time.

Organisations that use the personal data of individuals need to (1) inform individuals about their rights, which is best done by publishing a privacy policy, and (2) implement appropriate processes so that those rights can be exercised swiftly.

Below we have listed those rights. You can use this Data Subject Access Request register to track incoming requests as you process them.

A list of the rights that GDPR mandates:

1. Right to be informed

Individuals have the right to be informed of what personal data is being processed, why and how, in a manner that is concise and transparent, using clear and plain language. In short, organisations need to make available a privacy policy document that meets those requirements. GDPRWise can help here, as it lets you generate a compliant privacy policy.

2. Right to withdraw consent

Individuals have the right to withdraw previously given consent to the processing at any time. Organisations need to give individuals the ability to withdraw consent for any of the processing, and must action that withdrawal without undue delay.

3. Right to object

Individuals have the right to object to the processing of their personal information where organisations are relying on a legitimate interest (or those of a third party) and there is something about the individual’s particular situation which makes the individual want to object to processing on this ground. Individuals also have the right to object where organisations are processing their personal information for direct marketing purposes.

4. Right to access

Individuals have the right to see what data organisations hold on them. They are entitled to receive not only a copy of the personal information that is being held on them, but also a description of the purpose for which the data is being used, the envisaged retention period for the data, and the recipients or categories of recipient to whom the personal data have been or will be disclosed, in particular recipients in third countries or international organisations. Where personal data are transferred to a third country or to an international organisation, the individual has the right to be informed of the appropriate safeguards put in place to guarantee the privacy and security of their personal data.

5. Right to rectification

Individuals have the right to request correction of the personal information organisations hold on them. Organisations are bound to comply without undue delay.

6. Right to erasure

Individuals have the right to request erasure of their personal information. Organisations are bound to comply without undue delay if there never was, or no longer is, a sound justification for them to process it and there are no legal obligations for the organisation to retain the data, e.g. a requirement to keep accounting records, pending legal action, etc.

7. Right to restrict processing

Individuals have the right to request the restriction of processing of their personal information. This enables individuals to ask organisations to suspend the processing of personal information about them, for example if they want to establish its accuracy or the reason for processing it.

8. Right to data portability

Individuals have the right to receive their personal data in a structured, commonly used and machine-readable format and to have those data transmitted to another data controller.

9. Right to object to automated individual decision-making

Individuals also have the right to object to a decision based solely on automated processing, including profiling. Examples include an automated decision to award or reject a loan, or an automated recruitment aptitude test which uses a specific algorithm. This is a more complex topic and not often relevant for small and medium-sized firms. If you believe you are offering automated decision-making processes, do seek expert advice.

