Under the General Data Protection Regulation (GDPR), individuals have several rights over their personal data.
All data controllers and to some extent data processors are expected to be able to respond to individual’s rights request without delay and, in any event, within a month of the receipt of such a request. Therefore, they should be prepared to respond efficiently to any potential inquiry.
The list below provides an overview of each of the individuals’ rights as provided for under the GDPR. However, this list is not exhaustive as Member states may provide for additional rights in their national legisation such as the right to manage your personal data after your death in France.
Content.Enable data subjects to ask for a copy of any personal data concerning themselves and held by the data controller
Comment/scope. The request concerns any data and should not be refused by the data controller except under exceptional circumstances (e.g. abusive request)
Content. Enable data subjects to ask for their personal data to be transferred to another data controller or themselves for reuse purpose
Comment/scope. This right is limited to personal data provided by the data subject for processing based on their consent or the performance of a contract. Any derived data is excluded (e.g. analysis, comments etc.) see here for more details.
Content. This right allows data subjects to ask for their personal data to be amended if they are not accurate or up-to-date.
Comment/scope. This right is normally used following a subject access request.
Content. Enable data subject to ask the data controller to stop processing their data for specific purpose ( data is not deleted and may be used for other purposes the data subject has not objected to).
Comment/scope. The data subject may use their right to object in the following situations:
· Where data processing is based on controller’s legitimate interest or the public interest. In this case, the controller may refuse if it can demonstrate compelling legitimate interest overriding the rights and freedom of the data subject or that it needs the information for the establishment, exercise or defence of a legal claim.
· Where personal data are processed for direct marketing purpose including profiling carried out for direct marketing purpose.
· Where personal data are processed for scientific or historical research purposes or statitisctal purposes (see article 89)
Unless the processing is carried out for reasons of public interest.
Content. Allow the data subject to ask the data controller to remove their personal data.
Comment/Scope. Data subjects may ask for erasure in the following cases:
· Data are no longer necessary or have been unlawfully collected
· The data subject withdraws consent on which the processing is based
· The data subject makes a valid objection to the processing
· The personal data have been collected to offer information society services to children under 18.
Content. Where data subject does not want to delete their personal information, they can ask the data controller to stop processing their personal information under specific circumstances.
The controller has to keep the personal data but cannot used it for any purpose except with the data subject consent or for a legal claim.
Comment/Scope. Data subjects may use their right to restriction in the following circumstances:
·the accuracy of the personal data is contested and therefore the data should not be used during the verification process.
·The processing is unlawful and the data prefer restriction to erasure of the data.
·The controller no longer needs the personal data but the data subject needs them for a legal claim.
·The data subject has objected to the processing, therefore their data should not be processed pending the verification whether or not the legitimate interest of the controller overrides those of the data subject.