Under the GDPR, individuals have eight basic rights:
1. Right to be informed
Individuals have the right to be informed of how, when and where their personal data is being used. Users have to opt in for their data to be gathered, and consent must be freely given rather than implied.
2. Right to access
Individuals have the right to access their data and ask how their data is used by the company after it has been gathered. If required, the company must provide a copy of the personal data in electronic format, free of charge.
3. Right to rectification
Individuals have the right to correct any inaccurate information about them that is stored with you.
4. Right to erasure (Right to be forgotten)
If consumers/users are no longer customers, or if they withdraw their consent for a company to use their personal data, then they have the right to have their data deleted.
5. Right to restrict processing
Individuals can request that their data not be used for processing. Their record can remain in place, but not be used.
6. Right to data portability
Individuals have the right to export their data from your system in a machine-readable format.
7. Right to object
Individuals have the right to stop the processing of their data for direct marketing. There are no exemptions to this rule, and any processing must stop as soon as the request is received. In addition, this right must be made clear to individuals at the very start of any communication.
8. Right to be notified
If there has been a data breach which compromises an individual’s personal data, the individual has a right to be informed within 72 hours of first having become aware of the breach.
Psssttt.... most people don't tell you that there are two more important things apart from these eight rights.
Notification obligation
Communicate any rectification, erasure or restriction of processing to each recipient to whom the personal data has been disclosed.
Rights related to automated decision making including profiling
Automated decision: making a decision solely by automated means without any human involvement.
Profiling: automated processing of personal data to evaluate certain things about an individual. Profiling can be part of an automated decision-making process.
The GDPR applies to all automated individual decision-making and profiling.
We will explain each of these rights in detail with examples in our upcoming posts, so watch this space.