Data subjects' rights

The General Data Protection Regulation (GDPR) strengthens the rights of anyone whose personal data is processed (a data subject) in several respects. The regulation also establishes a number of new rights.

Right to information
Right to inspect
Right to rectification and completion
Right to be forgotten or to erasure
Right to restriction of data processing
Right to data portability
Right to object
Right not to be subjected to automated individual decision-making
Right to revoke consent

An organisation has the option of limiting a data subject's rights.
Restrictions of a data subject's rights

Right to information

An organisation is required to ensure that a data subject is properly, understandably and transparently informed whenever their personal data is processed along with the purpose of such processing (Articles 12 to 14 of the GDPR). Furthermore, a data controller is required to pass on their identity and contact details and state the retention period applicable in relation to the relevant personal data. The precise information which must be supplied depends on the personal data that has been collected from the data subject themself or has been obtained from some other source (Articles 13 to 14 of the GDPR). These articles also reveal that the data subject need not be informed if they already possess the relevant information, for example, or where this would require a disproportionate effort.

Right to inspect

Exercising their right to inspect (Article 15 of the GDPR), a data subject may obtain from an organisation access to inspect the personal data concerning them which that organisation processes. In the event that an organisation receives a request to inspect data, in its reply it is required to reveal, amongst other things, why certain personal data is processed and what types of personal data (categories) are retained. What is new in the GDPR is that an organisation is also required to hand over a copy of the personal data that is processed. Where the right to inspect is reasonably invoked, the relevant copy must be provided free of charge. However, a reasonable fee may be charged for any additional copies. What is also important is that Article 15(4) of the GDPR stipulates that entitlement to receive a copy may not infringe the rights and freedoms of anyone else. As such, an organisation must ensure that such a copy does not entail the provision to the relevant data subject of any other person’s personal data.

Right to rectification and completion

Article 16 of the GDPR stipulates that, where an error occurs while data is processed, the relevant data subject is entitled to rectify and correct information and to complete it where necessary. This is in line with the right to notification stipulated in Article 19 of the GDPR.

Right to be forgotten or to erasure

In certain cases an organisation is required to erase personal data at the request of the relevant data subject (Article 17 of the GDPR). Such a request from a data subject must satisfy a number of conditions if it is to be honoured. For example, this may involve a situation in which a data subject revokes their consent to processing or a situation in which their personal data has been processed unlawfully (see also Article 17(2) of the GDPR – an organisation’s duty to adopt any available technical measures to erase personal data which has been publicly disclosed where it should have been erased in accordance with Article 17(1) of the GDPR). Article 17(3) of the GDPR provides for an exception in any situation in which it is impossible to invoke the right to have data erased and to be forgotten.

Right to restriction of data processing

Article 18 of the GDPR mentions the circumstances in which a data subject may exercise their right to restrict personal data processing. For example, the data must be incorrect or it must have been processed unlawfully. The data controller also needs to notify another party when such personal data has been forwarded to that organisation. In the event that processing needs to be restricted, a data controller may nevertheless continue to process the relevant personal data, provided that, amongst other things, the data subject has consented to this or there are compelling grounds in the public interest.

Right to data portability

With the introduction of the right to data portability (Article 20 of the GDPR), a data subject will acquire the right to transfer their data. This new right means that people are entitled to receive any data which an organisation has concerning them and to be able to transfer it to another organisation. The right to data portability is confined to personal data which is processed in computerised form either based on the relevant data subject’s consent – Articles 6(1)(a) and 9(2)(a) – or which is necessary for the purposes of executing an agreement with the data subject.

Right to object

A data subject is entitled to object to an organisation processing personal data pursuant to a legitimate interest or a task of general interest (Article 21 of the GDPR). Should a data subject object to their personal data being processed, the data controller is required to cease processing that data, unless the organisation presents compelling, legitimate grounds for such processing. Such legitimate grounds must override the interests, rights and freedoms of the relevant data subject or must involve a legal claim.

Right not to be subjected to automated individual decision-making

In principle, a data subject is entitled not to be required to heed any decision taken by a data processing organisation that is solely based on automated processing, which is deemed to include profiling (Article 22(1) of the GDPR). This would be the case for instance if the relevant decision had implications for them, for example. This right does not apply where such decision is required for the purposes of executing an agreement, if it is permitted in relation to the relevant organisation pursuant to a provision of the law or where it is based on the explicit consent of the data subject concerned.

Right to revoke consent

A data subject shall at all times be entitled to revoke any consent that has already been given. The revocation of consent will not apply retrospectively. As such, any processing that has already occurred will remain lawful.

Restrictions of a data subject's rights

An organisation may restrict a data subject's rights in accordance with a provision of the law (Article 23 of the GDPR). In this respect, such a restriction must not affect the essence of any fundamental rights and freedoms. Such restriction must constitute a necessary, proportionate measure for the purposes of securing national or public security, objectives of public interest, protecting the relevant data subject or other parties' rights and freedoms. The provisions of the law must satisfy the criteria stipulated in Article 23(2) of the GDPR.