The rights of individuals over personal data

As a data handler, you should be able to engage with the following rights, which are emerging globally. Some are based in data protection regulations, others are best practice.

Right to be informed

Individuals have the right to be informed about how personal data about them is collected and used.

This information should be:

  • presented in a privacy notice
  • presented to the individual when data is collected
  • specific
  • written in clear, concise language and easily accessible

Right to access (subject access requests)

People have the right to request a copy of the personal information about them.

Exceptions include:

  • information used for criminal proceedings
  • other sensitive legal obligations

Right to rectification

Individuals have the right to have personal data corrected if it is inaccurate or incomplete.

The data controller also has responsibilities to ensure the data is corrected if it is shared with others.

Right to be forgotten

The right to be forgotten (or the right to data erasure) entitles an individual to direct the controller to:

  • erase personal data about them
  • cease further sharing of the data
  • potentially halt processing of the data by third parties

Right to restrict processing

Individuals have a right to ‘block’ or suppress processing of personal data. 

Such rights can be exercised when the:

  • accuracy of the personal data is contested
  • individual has objected to the processing (only in the case of performance of a public task or legitimate interest)
  • processing is unlawful
  • data is needed for future reference but should no longer be processed

Right to data portability

Individuals can request that personal data about them be transferred directly to another controller.

For example, the global open banking initiative allows customers to directly transfer personal data between financial service providers, meaning you can change bank without having to fill in endless forms.

Right to object or withdraw consent

If the lawful basis for processing is based on having consent, the individual has the right to withdraw that consent at any time. 

The process of withdrawing consent must be as easy as giving consent in the first place.

If a different lawful basis - other than consent - is being used as the basis for processing personal data, individuals may have the right to object to that processing.

Right to not be subject solely to automated decision making

Individuals have the right to not be subject to a decision based solely on automated processing, including profiling. Individuals must be:

  • informed about the automated processing
  • able to request human intervention or challenge a decision
