Under the General Data Protection Regulation (GDPR), individuals have several rights over their personal data (i.e. right of access, right to data portability etc.)
Controllers and to some extent processors of personal data must be able to handle individual’s rights requests without delay and, in any event, within a month of the receipt of the request. Therefore, they should implement all the technical and organisational measures necessary to respond efficiently to any potential inquiry.
The list below provides an overview of each of the individuals’ rights as provided for under the GDPR. However, this list is not exhaustive as Member states may provide for additional rights in their national legisation such as the right to manage your personal data after your death in France.
Content. data subjects can ask for access and for copy of any personal data concerning themselves and held by the data controller (including its processors).
Comment/scope. The request concerns any data relating to the requestor. The controller may not refuse to respond except under exceptional circumstances (e.g. abusive request)
Content. Data subjects can ask for their personal data to be transferred to another controller or themselves for reuse purpose
Comment/scope. This right is limited to personal data provided by the data subject for processing based on their consent or the performance of a contract. Any derived/inferred data is excluded (e.g. analysis, comments etc.) see here for more details.
Content. This right allows data subjects to amend their data if they are not accurate or up-to-date.
Comment/scope. It concerns any inaccurate data and this right is usually used following a subject access request.
Content. Data subject can ask the data controller to stop processing their data for specific purposes ( data is not deleted and may be used for other purposes of processing to which the data subject has not objected).
Comment/scope. The data subject may use their right to object in the following situations:
· Where data processing is based on controller’s legitimate interest or the public interest. In this case, the controller may refuse if it can demonstrate compelling legitimate interest overriding the rights and freedom of the data subject or that it needs the information for the establishment, exercise or defence of a legal claim;
· Where personal data are processed for direct marketing purpose including profiling carried out for direct marketing purpose;
· Where personal data are processed for scientific or historical research purposes or statitisctal purposes (see article 89) unless the processing is carried out for reasons of public interest.
Content. Allow the data subject to ask controllers to delete their personal data.
Comment/Scope. Data subjects may ask for erasure in the following cases:
· Data are no longer necessary or have been unlawfully collected;
· The data subject withdraws consent on which the processing is based and there is no other legal ground for processing the data;
· The data subject makes a valid objection to the processing;
· The controller has collected personal data to offer information society services to children under 18.
Content. Data subjects can ask controllers to stop processing their personal information under specific circumstances.
The difference with the right to object is that the controller must keep the personal data but cannot process it for any purpose except with the data subject consent or for a legal claim.
Comment/Scope. Data subjects may use their right to restriction in the following circumstances:
·the accuracy of the personal data is contested and therefore the data should not be used during the verification process;
·The processing is unlawful and the data subject prefers restriction to erasure of the data;
·The controller no longer needs the personal data but the data subject needs them for a legal claim.
·The data subject has objected to the processing. The controller must stop processing the data pending the verification as to whether or not the legitimate interest of the controller overrides those of the data subject.