The eight rights of individuals under GDPR

Under GDPR the privacy rights for individuals will be enhanced and individuals are increasingly aware of their privacy rights. This will only increase once GDPR comes in to force on 25 May. This article will look at the eight privacy rights for individuals when it comes to the processing of their personal data.


These rights need to be detailed in your privacy notice. For more information on privacy notices you can read our previous article here. The eight rights for individuals are:


1)The right to be informed


This means that the individual should know what personal data you are collecting on their behalf, why you are collecting their personal data and who has access it in relation to third parties. For example, if you use an outsourced payroll provider to process employee wages this would need to be detailed in your privacy notice.


2)The right to access personal data


This means the individual has the right to access their personal data. This will come via a data access request and you will have up to one month to give them their personal data unless it is excessive and then you should keep the individual informed of this. You can read more information about managing data access requests here.


3)The right to rectification


This right means that if the individual contacts your business and asks for their data to be updated and amended, this must be carried out. In particular, this should be carried out if there is an error in their data and this could have an impact on them. A good example of this would be incorrect personal data in relation to an individual’s credit history which needs to be amended.


4)The right to erasure


This is often referred to as the right to be forgotten whereby all personal data relating to an individual should be erased and no longer kept on any paper-based or electronic systems, including back up data. However, if there is a regulatory or legal requirement to retain the data, this overrides the right to be forgotten so this particular right is not absolute.


5)The right to restrict processing


This means that an individual can limit the way a business processes their personal data and is an alternative option to requesting the full erasure of their data. They may request this because they have issues with the content of the information you hold or how you have processed their personal data. In most cases you will not be required to restrict an individual’s personal data indefinitely but will need to have the restriction in place for a certain period of time. Like the right to erasure, this is not an absolute right if a regulatory or legal requirement overrides this right. For example, if a legal claim needs to be defended the personal data would be processed for that purpose.


6)The right to data portability


This right allows an individual to request that their personal data be transferred over to some other business and it only applies to data controllers. An example of this might be that an individual wants to transfer their data from one utility company to another. It allows them to move, copy or transfer personal data easily from one business to another in a safe and secure way and the data should be provided in a structured, commonly used and machine-readable format.


7)The right to object


An individual has the right to object to the following:


•processing based on legitimate interests or the performance of a task in the public interest/exercise of official authority (including profiling)
•direct marketing (including profiling)
•processing for purposes of scientific/historical research and statistics


It is essential that if you receive an objection to direct marketing, this activity must be stopped immediately.


8)Rights to automated decision making and profiling


Businesses will need to state if they use automated profiling so that an individual can request if they need to be aware of any automated decisions that have been made and whether it will stop them doing or obtaining something. An example of this might be a CV selection software that has no human intervention and it matches the keywords from a job advert with the CVs of potential candidates.


If you would like more information on GDPR or to discuss your requirements further, please contact Helen at SFA on 01 6051668 or at or visit our GDPR section on

Facebook Twitter LinkedIn Digg Yammer
In this issue
SFA E-zine – The Tuesday Edition
The eight rights of individuals under GDPR
SFA Annual Conference – FREE to members
Digitisation and small business - survey
Health Workplaces- Manage dangerous substances campaign
Feature your business in the SFA’s Better Business magazine
New fraud prevention guide launch for business
PAYE modernisation – what every employer needs to know
GDPR for Small Firms training course
SFA Annual Conference - Time to transform
Radio interview skills with PR guru Ellen Gunning