The GDPR also identifies 8 fundamental rights that all data subjects are afforded.
It is the duty of an organisation to identify where these rights are applicable and, where they are, to uphold them within its data processing activities.
- The right to be Informed – A Data Subject has the right to be informed about how their data is being collected, processed, stored and used. They also have the right to be informed about how they can exercise their other fundamental rights. Organisations must detail this in Privacy Notices.
- The right of Access – A Data Subject has the right to request what information an organisation has about the Data Subject and what the organisation is doing with that information. The organisation must also provide any 3rd party data processing information. The organisation providing the information must do so free of charge within 30 days.
- The right to Rectification – A Data Subject has the right to correct the information which an organisation has about them.
- The right to Erasure (also known as the right to be forgotten) – A Data Subject has the right to request that their data is erased. They can ask for erasure if 1) they withdraw consent, 2) they turn 18 years of age (it was felt that a person below 18 may not have understood what they agreed to and therefore has the right to have their data deleted), 3) you’ve processed the personal data unlawfully, 4) you are processing the personal data for direct marketing purposes and the individual objects to this, etc.
- The right to Restrict – A Data Subject has the right to block or suppress the processing of their personal data.
- The right to Data Portability – A Data Subject has the right to request a copy of their personal data in a commonly used ‘machine-readable format’ (e.g. as a .pdf file). This right only applies to personal data that the data subject has provided to your organisation. Additionally, this right only applies if the lawful basis of processing is consent or performance of a contract and the processing is carried out by automated means. This data must be transferred in a secure manner.
- The right to Object – This applies in specific situations. If an organisation is processing data for the purpose of direct marketing, scientific and historical research, or the performance of a task in the public interest, then a data subject can invoke their right to object. This right compels an organisation to stop the use of personal data for these purposes.
- Rights in relation to automated decision making and profiling – Data subjects have rights in relation to automated decision making and profiling which aim to eliminate the negative consequences of faulty or incorrect automated processes.