GDPR- Individual Rights and their Data
The Rights of the Individual regarding data held about them under GDPR
Every individual whose data is held by another party is given certain rights under General Data Protection Regulation. These should be set out in the Privacy Notice of that party. It must also set out how every individual can exercise those rights. Failure to deal with any request from an individual is a breach of GDPR.
The Individual or Data Subject covers any living individual whose personal data is collected, held or processed by an organisation. Personal data is any data that can be used to identify that individual e.g. Name, address or credit card number.
The rights are:
1. The Right of Confirmation
The Individual has the right to obtain confirmation from the organisation as to if their data is being processed.
2. The Right of Access
Every Individual can request from the organisation a free copy of any personal data they hold about them. This must be replied to within 30 days. The Individual can also ask if their data is being transferred outside the UK and if so, what safeguards are in place.
3. The Right of Rectification
If the Individual finds the information held about them is inaccurate or incomplete, then they can request it be corrected or completed.
4. The Right to Erasure/Be Forgotten
The Individual can request that their data be erased. This must be done unless there are legal reasons for its retention.
5. The Right of Restriction of Processing
The Individual can request that the way his or her data is used is restricted. This might occur if the organisation needs to retain some but not all the data for legal reasons.
6. The Right of Data Portability
Individuals have the right to obtain their data in a structured, commonly used and machine-readable format so they can use it for a different purpose. This is only data that has been provided under a contract or by consent.
7. The Right to Object
Any Individual can object to their data being processed by the organisation. This is if it is collected under legitimate interests or performance under an official authority. The organisation must comply unless there are compelling legitimate grounds not to do so.
8. Right to Withdraw Consent
Any individual can withdraw their consent for their data to be processed at any time.
9. Rights relating to Automated Decision-Making including profiling
Every Individual has the right not to be subject to a decision based solely on automated processing including profiling which uses data to make calculated assumptions about individuals.
Every organisation must put in place a process as to how to deal with requests from an Individual in accordance with the regulations to avoid complaints to the ICO.
If you need any guidance or help as to what you need to do please contact us on anne@barkleylegal.co.uk