Data subjects have certain rights under the General Data Protection Regulation (GDPR), which was implemented in the United Kingdom (UK) by the Data Protection Act 2018. Personal data is information that relates to an identified or identifiable individual. That information could be a name, number, or IP address. The identified or identifiable individual is known as a data subject, provided that they are a living person. Data subjects have the following rights:
Right to be informed:
Right of access:
Article 15 of the GDPR states that a data subject has the right to obtain confirmation from the data controller as to whether or not data about them is being processed and, where it is, access to the personal data and certain additional information. In most situations the data subject should receive a copy of the personal data free of charge if requested. Any additional copies requested by the data subject can be charged for at a reasonable fee based on administrative costs.
Right to rectification:
Article 16 of the GDPR provides a right to request that inaccurate or incomplete personal data is rectified. This right is connected to the obligation under the GDPR data protection principle that requires personal data to be accurate and kept up to date.
Right to erasure:
Article 17 of the GDPR gives a right to erasure, also known as the ‘right to be forgotten’. Data subjects can require a data controller to erase their personal data ‘without undue delay’. Data controllers have an obligation to erase personal data without undue delay when there is no longer any legitimate reason for processing.
Right to restrict processing:
Article 18 of the GDPR gives data subjects the right to restrict or block processing of their personal data. This is different from erasure as it still allows personal data to be stored but prevents it from being processed further.
Right to data portability:
Article 20 of the GDPR gives a right to data portability, which is a right to receive and/or transfer personal data. Data portability allows individuals to receive their own personal data in a commonly used machine-readable format so they can transmit that data to another controller. Individuals can reuse their personal data for their own purposes.
Right to object:
Article 21(1) gives data subjects the right to object to the following processing of their personal data:
- Processing justified on the basis of a legitimate interest, which includes profiling, unless the data controller can show compelling legitimate grounds for the processing that override the rights, interests, and freedoms of the data subject, or for the establishment or defence of legal claims.
- Direct marketing, which includes profiling.
- Processing for the purposes of historical/scientific research and statistics, unless the processing is necessary to perform a task carried out for the public interest.
Right not to be subject to automated decision making and profiling:
Article 22 of the GDPR gives rights relating to automated decision making, which includes profiling. The Information Commissioner’s Office (ICO) guidance states that automated decision making is a decision made by automated means without any human involvement.
As a business that operates online, it is likely that you collect personal data from your clients/customers, which makes you a data controller. As a data controller, you need to comply with the data protection principles and be aware of the above rights of data subjects.
At Lawdit Stay Legal, our packages can take the stress of legal compliance away. We offer a one-stop-shop solution to keep you on the right side of the law. We will also put legal safeguards in place to assist and protect you and your business if a dispute were to arise. With a free initial consultation there is no need to delay, so book today!