Data subject rights under GDPR

"The world’s most valuable resource is no longer oil, but data" - The Economist

GDPR encourages us to treat personal data and privacy with the discipline and respect they deserve. It gives individuals more control over their data.

Under the GDPR, individuals have eight basic rights:

1. Right to be informed

Individuals have the right to be informed of how, when and where their personal data is being used. Users have to opt in for their data to be gathered, and consent must be freely given rather than implied.

2. Right to access

Individuals have the right to access their data and ask how their data is used by the company after it has been gathered. The company must provide a copy of the personal data, in electronic format if required, free of charge.

3. Right to rectification

Individuals have the right to correct any inaccurate information about them that is stored with you.

4. Right to erasure (Right to be forgotten)

If consumers/users are no longer customers, or if they withdraw their consent from a company to use their personal data, then they have the right to have their data deleted.

5. Right to restrict processing

Individuals can request that their data not be used for processing. Their record can remain in place, but not be used.

6. Right to data portability

Individuals have the right to export their data from your system in a machine-readable format.

7. Right to object

Individuals have the right to stop the processing of their data for direct marketing. There are no exemptions to this rule, and any processing must stop as soon as the request is received. In addition, this right must be made clear to individuals at the very start of any communication.

8. Right to be notified 

If there has been a data breach which compromises an individual’s personal data, the individual has a right to be informed within 72 hours of first having become aware of the breach.

Psssttt.... most people don't tell you that there are two more important things apart from these eight rights.

Notification obligation

Any rectification, erasure or restriction of processing must be notified to each recipient to whom the personal data has been disclosed.

Rights related to automated decision making including profiling

  • Automated decision-making (making a decision solely by automated means without any human involvement).

  • Profiling (automated processing of personal data to evaluate certain things about an individual). Profiling can be part of an automated decision-making process.

The GDPR applies to all automated individual decision-making and profiling.

We will explain each of these rights in detail with examples in our upcoming posts, so watch this space.