Individual Rights Under the GDPR

Right to Be Informed

Under Article 12 of the GDPR, comprehensive information about your data processing activity must be provided in an easily accessible way, using plain language. You can comply with this right by having an easily accessible and legally compliant Privacy Policy.

Right of Access

Your users can exercise their rights under Article 15 of the GDPR to ask for information about any of their personal data that you’re processing. This is called a Subject Access Request. You might be called on to provide confirmation of whether you’re actually processing someone’s personal data. You might also be asked for a copy of your user’s personal data.

Right to Rectification

Under Article 16 of the GDPR, your users have the opportunity to ask you to correct any inaccuracies your records show about them. They may be wrong, of course, and you can refuse to change their data if they are.

Right to Erasure

At Article 17 of the GDPR sits the “right to be forgotten.” There’s a bit of public misunderstanding about this right. It doesn’t confer an entitlement for any individual to have any reference to themselves deleted from your website. You still have the right to freedom of expression. But you will have to consider erasing personal data under certain conditions.

Right to Restrict Processing

Article 18 of the GDPR grants individuals the right to ask you to stop processing their data in a particular way. For example, an individual switches electricity suppliers and asks the old supplier to delete all of their personal data. But the old supplier is legally obliged to keep their data on file for eight years. So, instead they can restrict the processing to make sure that they aren’t using the individual’s data for improper activities.

Right to Data Portability

Under Article 20 of the GDPR, individuals should be able to request a copy of their personal data from you and take it to another organization. This ties in with the general principle that individuals should truly own their personal data.

Right to Object

Under Article 21 of the GDPR, individuals have the right to object to your processing of their personal data. This applies most straightforwardly in the case of direct marketing – your users can object to receiving direct marketing from you. There are no exceptions.

Other grounds of objection are more complicated, and you may have the right to refuse to stop some types of data processing under certain conditions.

Rights Related to Automated Decision-Making

Under Article 22 of the GDPR, individuals have the right to request human intervention if important decisions are being made about them based on algorithms or profiling.
