There’s more to General Data Protection Regulation (GDPR) legislation than its guide for storage and security. You must also respect individual rights under GDPR – eight powers that any data subject has to either gain, delete or move their information.
These are: the right to be informed, the right of access, the right to rectification, the right to erasure, the right to restrict processing, the right to data portability, the right to object, and the rights in relation to automated decision-making and profiling.
Someone may come to you at any time with one of these rights at their disposal. To stay in line with GDPR, it’s important to understand what they are and what they mean for your company.
1. The right to be informed
First, there should be no confusion whatsoever on the data in question. Create a simple, transparent statement of the information you’re gathering, why you’re using it and the length of time it will be stored.
Explicit consent should be given for most personal data. This can form – for instance – part of your service agreement. Online consent boxes count too.
2. The right of access
Do not bar the individual from their data with a paywall or withheld access. They need to get it easily, and in a format that almost anyone can use.
Typically, this will be an electronic file. Google, Apple and Facebook are just some examples of companies that enable their users to pick and choose a type of file to download for their public interest requests.
3. The right to rectification
Sometimes, there may be a fault with the data itself – it could be inaccurate or incomplete. Individuals can ask to rectify this so that it better reflects who they are and what they’ve done.
Keep your decision-making and profiling watertight, and this shouldn’t be a problem.
4. The right to erasure
There are several instances in which someone may want you to delete their records:
- Processing of personal data has become irrelevant; you don’t need to keep it anymore, or a user agreement/probationary period has ended
- The processing was unlawful
- Consent has been withdrawn
- Any objection is raised by the individual, including objections to the processing
When the request arrives, removal must take place immediately, or as close to immediately as you are able.
5. The right to restrict processing
If someone questions the validity or accuracy of your data practices, then it is wise to restrict processing until you are certain that nothing is at fault or that changes have been identified. Individual rights under GDPR say that you have to inform relevant third parties about this decision.
They can also exercise this right when the processing was, as the Information Commissioner’s Office (ICO) puts it, ‘necessary for the performance of a task carried out in the public interest or the purposes of legitimate interests’.
6. The right to data portability
People can ask to remove their data from your processing systems, and give it to another service for their own benefit.
Ease of movement is facilitated partially by the right to access. Easily downloadable files and common formatting will help here, too.
7. The right to object
Direct marketing and profiling can be shut down with the right to object, especially when the marketing is manifestly unfounded.
Once more, erasure should be immediate. Data collected for historical research relies on the same good faith from the data subject; if they want to get rid of it, you must do so.
8. The rights in relation to automated decision-making and profiling
Unless authorised by law or a contract, an automated decision and automated processing cannot be the extent of your process.
The individual can ask for human intervention. Additionally, they may still want a reason for the data being collected or processed at all. Automation doesn’t waive their other rights.
For a robust analysis of your current system, ask the ICO to send an information commissioner into your business. They will stress-test any data points and see where your policy might be falling short.