• 3 min read

What data protection rights does an individual have?

Data protection Cyber Security Privacy Business Internet Technology Concept

The key aim of data protection legislation is to protect the rights of individuals (i.e. data subjects) in respect of their personal data. That being the case the UK GDPR creates various data subject rights which all organisations should be familiar with:

The right to be informed – individuals have the right to be told that their personal data is being collected and, amongst other things, what it is being used for. Usually this information is set out in a privacy notice which is made available to the individual at the time their personal data is collected by the organisation. 

The right of access – this is the right for an individual to make a subject access request to ask for a copy of the personal data the organisation holds about them and for certain information about how their personal data is handled by the organisation. 

The right to rectification – this is the right for an individual to request that an organisation which is holding their personal data either corrects that data if it is incorrect or completes incomplete personal data that it holds. 

The right to erasure (also known as the right to be forgotten) – this is the right for an individual to request that an organisation permanently deletes personal data it holds about them. 

The right to restrict processing – this is the right for an individual to ask a controller to stop or pause processing of their personal data, for example, whilst inaccuracies in the personal data are investigated. 

The right to data portability – this is the right for an individual to request that the personal data they provided to an organisation is transferred from that organisation to another in a suitable format so that it can be used by the recipient.

The right to object – this is the right for an individual to object to an organisation processing their personal data, for example, for marketing purposes. 

Right in relation to automated decision making and profiling – this is the right for an individual not to be subject to a decision based solely on automated processing (including profiling) that produces legal effects concerning the individual or similarly significantly affects them. It is a right which may not be relevant to a lot of organisations, as many do not make decisions about a data subject or profile a data subject by purely automated means without any human involvement. An example of automated decision making is recruitment agencies using IT software to read and filter out applicants for a job where the employer has certain pre-set requirements, for example, by filtering out all applicants without a certain qualification.

Whilst all individuals have the above rights, these rights are not as straightforward as they may seem (and certainly not as straightforward as data subjects may think). There are various circumstances in which an organisation can decline to fulfil certain requests by an individual to exercise their rights. For example, there are only certain circumstances in which an organisation has to comply with a data subject’s request for the organisation to restrict processing of their personal data. The takeaway therefore is that just because a data subject asks to exercise certain UK GDPR rights, it doesn’t mean they must be complied with and each request needs to be carefully considered, especially if the processing and continued use of that personal data is important for the organisation.

Our data protection team has many years of experience in advising organisations on their compliance with UK data protection law. To speak to one of the team you can get in touch here or call us on 0800 2800 421

If you have not received this article directly, but would like to receive articles and data protection news alerts from Trethowans, please email [email protected].

Answers are just a click away