UK General Data Protection Regulation (UK GDPR)
Data subject rights under the UK GDPR
The UK General Data Protection Regulation (UK GDPR) provides certain rights for individuals whose personal data is being used, processed or transferred. These individuals are known as data subjects.
Individuals' rights under the UK GDPR
Under the regulation, individuals can exercise:
- The right to be informed
- The right of access
- The right to rectification
- The right to erasure
- The right to restrict processing
- The right to data portability
- The right to object to processing
- The rights in relation to automated decision making and profiling
1. Right to be informed
This right is about providing individuals with clear and concise information about what you do with their personal data. Under the UK GDPR, you must give data subjects specific privacy information about:
- your business
- your purposes and lawful basis for processing their personal data
- who the data will be shared with, including details of international transfers
- your retention periods for that personal data
- the rights available to them in respect of processing
- the right to lodge a complaint
Depending on the type of processing you do, you may need to provide other categories of information as well. For example:
- if you obtain data from a third party, you will need to tell individuals what categories of their personal data you obtained and from what source
- if you obtain data through consent, you will need to include in your privacy information the right to withdraw consent
You must give privacy information to data subjects at the time you collect their data from them, or within a reasonable period (no later than one month) if you obtain personal data from other sources. You must also provide it in a concise, transparent, intelligible and easily accessible way, and in clear and plain language.
The Information Commissioner's Office (ICO) has a detailed guide to help you comply with the right to be informed.
2. Right of access (known as subject access request)
Individuals have the right to access and receive a copy of their personal data, and other supplementary information. This is commonly referred to as a 'subject access request' (SAR).
Individuals can make SARs verbally or in writing, including via social media. A request will be valid if it is clear that the individual is asking for their own personal data. A third party (eg a relative, friend or solicitor) can also make a SAR on the individual's behalf. They should provide evidence of their entitlement to act on behalf of the data subject.
If you receive a valid SAR:
- you should perform a reasonable search for the requested information
- you should respond without delay and within one month of receipt of the request
- you may extend the time limit by a further two months in certain circumstances
- you should provide the information in an accessible, concise and intelligible format
- you should disclose information securely
You can only refuse to provide the information if an exemption or restriction applies, or if the request is manifestly unfounded or excessive. In most circumstances, you cannot charge a fee to deal with a request. Read more about dealing with subject access requests.
3. Right to rectification
The UK GDPR includes a right for individuals to have inaccurate personal data rectified, or completed if it is incomplete. A request for rectification can be made verbally or in writing.
If you receive such a request, you should respond to it without undue delay and within one month of receipt, unless you can extend the time limit to respond. You should take reasonable steps to satisfy yourself that the data is accurate and to rectify the data if necessary. You may be able to refuse a request in certain circumstances. Find out more about the right to rectification.
4. Right to erasure (also known as the right to be forgotten)
In certain circumstances, individuals have the right to ask you to erase their personal data if:
- you have processed their data unlawfully
- you no longer need the data for the original purpose
- you rely on consent for processing or holding the data, and they withdraw it
- they exercise their right to object to processing, and you can't override their objection
- erasure is necessary for compliance with other legal obligations
If you process data collected from children, you should give particular weight to any request for erasure if the processing of the data is based upon consent given by a child - especially any processing of their personal data on the internet.
Requests for erasure can be made verbally or in writing. You have one month to respond to a request, although you can extend the time to respond by a further two months if the request is complex or you have received a number of requests from the individual. If an exemption applies, you can refuse to comply with a request for erasure (wholly or partly). Read more about the right to erasure.
5. Right to restrict processing
Individuals can ask you to restrict processing their personal data if, for example:
- they believe their data is not accurate and you are verifying the accuracy of the data
- the processing is unlawful but the individual doesn't want the data erased
- you no longer need the data but the individual needs it to exercise a legal claim
- you are taking steps to verify overriding grounds in the context of a request
If someone asks you to restrict processing, you will be allowed to store the data, but won't be able to use it. Requests for restriction can be made verbally or in writing. You have one calendar month to respond to a request. Find out more about the right to restrict processing.
If someone asks you to rectify, erase or restrict processing their data, you must notify any third party with whom you shared the data that the individual has exercised those rights.
6. Right to data portability
This right allows individuals to receive a copy of their personal data for personal use and/or to have their personal data transmitted from one controller to another controller. This right only applies when:
- your lawful basis for processing this information is consent or contract
- you are carrying out the processing by automated means (ie excluding paper files)
For example, the right would apply if an individual wants to retrieve their contact list from a webmail application to build a wedding list or to store their data in a personal data store. Read more about the right to data portability.
7. Right to object to processing
The UK GDPR gives individuals the right to object to the processing of their personal data in certain circumstances. Individuals have the absolute right to object to the processing if it is for direct marketing purposes. Individuals can also object if the processing is for:
- a task carried out in the public interest
- the exercise of official authority vested in you, or
- your legitimate interests (or those of a third party)
In these circumstances the right to object is not absolute. The objection has to be justified and can be made verbally or in writing.
If someone objects to your processing of their data, you may have to stop it unless you can demonstrate that:
- you have compelling legitimate grounds for processing which override the interests, rights and freedoms of the individual
- the processing is necessary in connection with legal rights
See more on the right to object.
8. Rights related to automated decision-making, including profiling
Under the UK GDPR, individuals have the right not to be subject to a decision that is based on:
- automated individual decision-making - ie making a decision solely by automated means without any human involvement
- profiling - automated processing of personal data to evaluate certain things about an individual
You should consider asking data subjects to consent if you need to process their data automatically for evaluation purposes. Read more about the rights related to profiling and automated decision-making.
This guide does not constitute legal advice and is provided for general information purposes only.
ICO Helpline: 0303 123 1113