Data Subject Rights Under GDPR
Following its introduction in May 2018, GDPR has granted individuals new rights concerning their data. These include, but are not limited to:
• The right to be informed• The right of access
• The right to rectification• The right to erasure
• The right to restrict processing• The right to data portability
• The right to object
In this article, we shall outline some of the most critical aspects of these rights. Organisations which are covered by GDPR should be thoroughly familiar with these rights to remain fully GDPR-compliant.
The right to be informed: Under GDPR, individuals have the right to be informed about the collection and use of their data. Businesses must be transparent regarding the use of the data which they hold. Organisations must inform consumers about their purposes for processing consumer data, the amount of time for which they’ll hold the data, and who can access the data.
The right to access: Individuals have the right to access the data that organisations hold on them. GDPR allows individuals to request a copy of their data, including any supplementary information, using a variety of communication pathways (including social media). Under GDPR, businesses are required to respond to these requests within a month of them being received and are not permitted to charge a fee for the service.
The right to rectification: This grants individuals the right to change the personal data that a business holds if it is incorrect. They also have the right to complete data if it is incomplete. Businesses must respond to these requests within a month of them being received and are not permitted to charge a fee for the service. Organisations may refuse to change the data under certain circumstances, such as if they dispute the accuracy of the data. In such cases, a third party may be needed to mediate the dispute.
The right to erasure: This is possibly the most famous right that GDPR grants individuals, also known as “the right to be forgotten”. Individuals have the right to request controllers erase any personal data held by them as soon as possible. The right to erasure only applies in certain circumstances.
-if an individual’s data is no longer necessary for the original purpose for which the controller collected it
-if the business has unlawfully processed the information
-if the individual withdraws their consent and that is the only lawful reason an organisation has for holding the information
-if the business is holding the information for marketing purposes
The right to restrict processing: GDPR prevents an organisation from further processing of personal data of an individual. This right grants individuals the power to restrict how organisations use their data. However, it is important to note that it does prevent the organisation from holding the data. The right does not apply in every circumstance; an individual must have a legitimate reason to request the restriction and suppression of their data. For example, the organisation no longer needs the data, but the individual requires them to keep it to exercise or defend a legal claim.
The right to data portability: Individuals have the right to obtain personal data from organisations in a secure, digital format. Under GDPR, individuals can reuse their data for personal reasons and transfer it across digital formats without its usability being affected. It also allows an organisation to transfer the data to another organisation electronically.
The right to object: Individuals can protest and prevent organisations from further processing or storage of data. The right only applies in certain circumstances, but individuals are always able to prevent their information from being used for direct marketing purposes. Under GDPR, individuals can also object if the data processing is for a task carried out in the public interest, for the business’s legitimate interest, or the exercise of an official authority vested in the organisation. Organisations may refuse the request, and a third party may be needed to settle the dispute.