Data subjects’ rights under the GDPR

What is personal data and who is a data subject?

Everyone has the right to the protection of their personal data. Whilst not an absolute right, this right is enshrined in the Charter of Fundamental Rights of the EU.

The General Data Protection Regulation (“GDPR”) simplifies the regulatory environment for international businesses and data subjects alike and is designed to give individuals control over their personal data. Personal data is any information relating to a data subject, namely any natural person who is identified or identifiable.

Under the GDPR, an identifiable natural person is considered to be any person who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person.

What is processing?

Any operation or set of operations which is performed on personal data or on sets of personal data, whether or not by automated means. This includes collection, recording, organisation, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure or destruction of personal data.

What rights do you have as a data subject?

The following rights are set out in the GDPR:

Right to be informed

At the time your personal data is collected by a controller, you have the right to be informed about a number of matters relating to the controller and the use of the use of your personal data.This includes being informed of the purposes for processing of your data, the legal basis for processing, retention periods and who it will be shared with.

A controller must also inform you if they use automated decision making, including profiling and the consequences of such processing. In addition to providing information on the processing, a controller is required to inform you of your rights as a data subject. All information provided to you must be concise, transparent, intelligible, easily accessible and in plain language.

Where information is collected about you from a third party, the controller still has the obligation to notify you about the collection of your data.

Right of access

The purpose of the right of access is to allow you to access your personal data so that you can be aware of and verify the lawfulness of the processing. You may also request a copy of your personal data, which you are entitled to receive unless providing this copy adversely affects the rights and freedoms of others.

A copy of such information must be provided to you free of charge (unless the request is excessive or repetitive). The copy must be provided without delay and at the latest within one month. If the request is made electronically, the information should be provided in electronic format.

You also have the right to request a confirmation that your data is being processed, why it is being processed as well as certain information including the type and categories of personal data being processed, retention periods and other recipients of your personal data.

Right to rectification

You have the right to have inaccurate personal data rectified, and incomplete personal data completed. A request for rectification may be made verbally or in writing and must be responded to within one calendar month.

Right to erasure

This right to erasure is also known as the right to be forgotten. You can invoke this right on certain conditions. For example, a controller must delete your data where:

  • your data has been unlawfully processed
  • a controller no longer needs the data for the purposes for which it was collected
  • processing occurs on the basis of consent provided by you and you withdraw your consent (and there is no other legal basis for processing)
  • you object to processing for direct marketing purposes.

Once you request erasure of your personal data for one of the reasons set out in the GDPR, as long as the controller has no other legal basis to retain your data (for example complying with a legal obligation under EU or domestic law, public health grounds or where the controls is acting in the capacity of an official authority), the controller must delete your data without delay.

Right to be notified of a personal data breach

A controller must inform you without delay of a personal data breach incident affecting you, which is likely to result in a high risk to your rights.
An incident is defined as, “a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to, personal data transmitted, stored or otherwise processed.”

Right to restriction of processing

You have the right to request the restriction of processing of your personal data, either verbally or in writing, thereby limiting the way that an organisation uses your data. A request must be responded to within one month.

This is not an absolute right and only applies in certain circumstances, which include where processing of your personal data was unlawful, where the personal data being processed is inaccurate or where you challenge the legal basis of the processing.

When processing is restricted, personal data may be stored, but may not be used by the controller. Before lifting the data processing restriction, the controller has an obligation to notify you.

Right to data portability

This right applies to personal data about you which was provided by you. The right to data portability enables you to obtain and reuse your personal data for your own purposes.
It allows you to move, copy or transfer personal data easily from one IT environment to another in a safe and secure way, and to receive data from one controller and transmit it to a different controller without hindrance to usability.

Right to object

You may have the right to object to the processing of your personal data in certain circumstances, for example where your data is being processed for direct marketing (including profiling) or for purposes of scientific or historical research and statistics (unless this is in the public interest).

You may also have the right to object to the processing of your personal data where your data is being processed based on legitimate interests or the performance of a task in the exercise of official authority. Following an objection, a controller will no longer be allowed to process your personal data unless he can demonstrate compelling legitimate grounds for the processing which override your interests, rights and freedoms.

Right to object to automated individual decision making

You have a right not to be subject to decisions based on automated individual decision making, including profiling, if the decisions produce legal effects or otherwise significantly affect you. Such automated decision making can be used if it is:

  • necessary to enter into, or to perform, a contract between you and the controller;
  • authorised by Union or Member State law; or
  • based on your express consent.

Right to withdraw consent

You must be informed of your right of withdrawal before giving your consent to a controller for the processing of your personal data. The GDPR’s objective is that it should be as easy for you to withdraw your consent as it is to give it.

Data subjects should be allowed to withdraw their consent through the same method as it was obtained. In practical terms, being informed of your “right to withdraw your consent” is considered a necessary part of obtaining genuine consent from you.

Right to a remedy

If your personal data is processed in a way that does not comply with the GDPR, you may lodge a complaint with supervisory authorities, who are obliged to inform you of the progress and outcome of your complaint.

In addition, you have:
the right to a judicial remedy where a competent supervisory authority fails to deal properly with a complaint;
the right to a judicial remedy against a relevant controller or processor; and
the right to compensation from a relevant controller or processor for material or non-material damage resulting from infringement of the GDPR.

You also have the right of appeal to national courts against a legally binding decision concerning you made by a supervisory authority. You can bring a claim for non-pecuniary loss, not just for compensation. The potential for group actions to be brought is also facilitated under the GDPR.

Right to representation

You have the right to mandate a not-for-profit body or similar organization properly constituted for this purpose, to lodge a complaint on your behalf, to exercise certain rights on your behalf, and to exercise the right to receive compensation referred on your behalf.

Our expertise

Our Data Protection Practice is actively advising on GDPR compliance and supports controllers, processors and DPOs with their obligations, as well as representing data subjects.

We advise data controllers, processors, DPOs and data subjects on GDPR compliance and their respective rights and obligations in processing situations such as profiling and automated decision-making, anonymisation and pseudonymization, processing special categories of data and transfers outside the EU.

Contact us to discuss your precise requirements.