Data subject rights are one of the key areas of change under the General Data Protection Regulation (GDPR). From 25 May 2018, data subjects can invoke a greater set of rights against businesses and organisations that process their personal data.
What is a data subject?
A data subject is a living, identifiable individual to whom particular personal data relates. If you process their data, the GDPR requires you to meet certain obligations towards them. See the definition of personal data in "What is the GDPR?".
What are the rights of the data subject?
Under the GDPR, individuals can exercise:
- the right to be informed
- the right of access
- the right to rectification
- the right to erasure
- the right to restrict processing
- the right to data portability
- the right to object to processing
- the rights in relation to automated decision making and profiling
Right to be informed
Individuals have the right to be informed about the collection and use of their personal data. Under the GDPR, you must give data subjects specific privacy information about:
- your business
- the data processing activities you carry out
- the length of time you will keep the data
- the rights available to them in respect of processing
- the right to lodge a complaint
Depending on the type of processing you do, you may need to provide other categories of information as well. For example, if you obtain data from a third party, you will need to tell individuals what categories of their personal data you obtained and from what source.
See the full list of privacy information you should give individuals.
Under the GDPR, you must give privacy information to data subjects:
- at the time you collect their data
- in a concise, transparent, intelligible and easily accessible way
- in clear and plain language
- free of charge
See more on privacy notices under the GDPR.
The Information Commissioner's Office has prepared a detailed guide to help you comply with the right to be informed.
Right of access
Under the GDPR, data subjects have the right of access to personal data. If they ask you, you must give data subjects:
- confirmation of whether you are processing their data
- other supplementary information (including mandatory privacy information)
- a copy of the personal data being processed
You must comply with a subject access request within one month of receipt, except in specific circumstances. Read more about dealing with subject access requests.
Right to rectification
This right under the GDPR remains largely unchanged. Data subjects can ask data controllers to erase or rectify inaccurate or incomplete data. The law gives you one month to comply with such requests. Find out more about the right to rectification.
Right to erasure (also known as right to be forgotten)
Under the GDPR, individuals have the right to ask you to delete their personal data if:
- you have processed their data unlawfully
- you no longer need the data for the original purpose (and you have no new lawful purpose)
- you rely on consent for processing and they withdraw it (and there are no other legal grounds you can apply)
- they exercise their right to object to processing, and you can't override their objection
- erasure is necessary for compliance with other EU or national law
Read more about the right to erasure.
Right to restrict processing
Individuals can ask you to restrict processing their personal data if, for example:
- they believe their data is not accurate (you should stop processing until you verify the accuracy of the data)
- the processing is unlawful but the individual doesn't want the data erased
- you no longer need the data but the individual needs it to exercise a legal claim
- you are taking steps to verify overriding grounds in the context of an erasure request
If someone asks you to restrict processing, you will be allowed to store the data, but won't be able to carry out any processing. Find out more about the right to restrict processing.
Note that in the case of rectification, erasure or restriction you must notify any third party with whom you shared the relevant data that the data subject has exercised those rights.
Right to object to processing
If you rely on lawful bases of public interest or legitimate interests for processing, individuals may have a right to object to such processing. The objection has to be justified and can be made verbally or in writing. You may have to cease processing unless you can demonstrate that:
- you have compelling legitimate grounds for processing which override the interests, rights and freedoms of the individual
- the processing is necessary in connection with legal rights
Data subjects can also object to processing for the purposes of direct marketing, including profiling. They also have rights in respect of direct marketing under the ePrivacy Directive.
See more on the right to object.
Right not to be evaluated based on automated processing
Under the GDPR, individuals have the right not to be subject to a decision that is based solely on automated processing and which significantly affects them (e.g. profiling for jobs, insurance premiums, etc.).
You should consider asking data subjects to consent if you need to process their data automatically for evaluation purposes. Read more about rights related to profiling and automated decision-making.
How to comply with data subject rights?
To avoid non-compliance, it's important to really understand how these rights work and when they may apply. You should review your processes, and update them if necessary, to enable you to meet the revised timescales and adequately respond to data subject requests.
Find out more about the privacy rights of individuals under the GDPR.
This guide aims to help you understand GDPR and your obligations under the law, but it does not constitute legal advice. For definitive legal guidance, see the ICO's guide on GDPR or consider getting independent legal advice.