Individual Rights Under the GDPR
Right to Be Informed
Under Article 12 of the GDPR, comprehensive information about your data processing activity must be provided in an easily accessible way, using plain language. You can comply with this right by having an easily accessible and legally compliant Privacy Policy.
Right of Access
Your users can exercise their rights under Article 15 of the GDPR to ask for information about any of their personal data that you’re processing. This called a Subject Access Request. You might be called on to provide confirmation of whether you’re actually processing someone’s personal data. You might also be asked for a copy of your user’s personal data.
Right to Rectification
Under Article 16 of the GDPR, your users have the opportunity to ask you to correct any inaccuracies your records show about them. They may be wrong, of course, and you can refuse to change their data if they are.
Right to Erasure
At Article 17 of the GDPR sits the “right to be forgotten.” There’s a bit of public misunderstanding about this right. It doesn’t confer an entitlement for any individual to have any reference to themselves deleted from your website. You still have the right to freedom of expression. But you will have to consider erasing personal data under certain conditions.
Right to Restrict Processing
Article 18 of the GDPR grants individuals the right to ask you to stop processing their data in a particular way. For example, an individual switches electricity suppliers and asks the old supplier to delete all of their personal data. But the old supplier is legally obliged to keep their data on file for eight years. So, instead they can restrict the processing to make sure that they aren’t using the individual’s data for improper activities.
Right to Data Portability
Under Article 20 of the GDPR, individuals should be able to request a copy of their personal data from you and take it to another organization. This ties in with the general principle that individuals should truly own their personal data.
Right to Object
Under Article 21 of the GDPR, individuals have the right to object to your processing of their personal data. This applies most straightforwardly in the case of direct marketing – your users can object to receiving direct marketing from you. There are no exceptions.
Other grounds of objection are more complicated, and you may have the right to refuse to stop some types of data processing under certain conditions.
Rights Related to Automated Decision-Making
At Article 22 of the GDPR, individuals have the right to request human intervention if important decisions are being made about them based on algorithms or profiling.