Individual, living human beings, whose personal data are being stored and used by an organisation, are called data subjects. Regulation (EU) 2016/679, the General Data Protection Regulation, also known as the GDPR, establishes a number of rights that all data subjects have.
An organisation that stores and uses personal data for its own purposes is called a data controller or simply controller. The activity of storing and using personal data is called processing.
- The right to be informed
Article 12 of the GDPR states that data controllers have an obligation to provide certain information to data subjects. There is a slight difference in what that information is, depending on whether the personal data have been obtained directly from the data subject or from another source. This information includes the identity and contact details of the data controller, what personal data are being processed, why they are being processed, and the lawful basis under which that processing takes place. This and other information must be provided "in a concise, transparent, intelligible and easily accessible form, using clear and plain language".
- The right of access
Article 15 states that anyone whose data are being processed has the right to access that personal data. The controller should provide a copy of the data within one month of receiving the request, and if the request is made electronically and the data subject does not specify otherwise, the copy may be delivered electronically. The controller should also provide the data subject with the information required to be provided under Articles 13 or 14 depending on whether the personal data were obtained directly from the data subject. If a person is not sure whether an organisation is or is not processing personal data about themselves, Article 15 also provides that the controller should give confirmation either way, then provide access if they are.
- The right to rectification
Article 16 gives the data subject the right to correct any inaccuracies in personal data being processed by a controller. This should be done, and information given in confirmation, within one month of receipt of the request.
- The right to erasure
Also known as 'the right to be forgotten', Article 17 gives data subjects the right to have their personal data erased or destroyed by the controller. It also places an obligation upon data controllers to erase personal data under other circumstances, such as when they are no longer necessary or have been unlawfully processed, even where the data subject has not requested it. In certain cases, the controller may refuse to erase personal data, such as for the establishment, exercise or defence of legal claims.
- The right to restriction of processing
Sometimes a data subject might wish for certain processing activities to stop for a certain length of time, for example while dealing with an inaccuracy, or where they would request erasure but require that the controller maintain records for the data subject's establishment, exercise or defence of legal claims. Article 18 provides that the controller must comply with such requests, and that they may only thereafter store the personal data except with the data subject's consent, unless it is for the establishment, exercise or defence of legal claims, the protection of another's rights, or reasons of important public interest. If the controller intends to lift the restriction, they must first inform the data subject.
- The right to data portability
In certain situations, the data subject may wish to extract his or her personal data from the records of the data controller so that they can be moved or copied for use elsewhere, for example if the data subject provided personal data relevant to the provision of a service, and now wishes to change their service provider. Article 20 gives data subjects the right to receive this data "in a structured, commonly used and machine-readable format". This applies where the basis on which the data are processed by the controller is consent, where the data is processed according to a contract between the data subject and the controller, or where processing is carried out by automated means. The data subject also has the right to have the personal data transmitted directly to another controller, "where technically feasible".
- The right to object
Article 21 provides that a data subject may object to the processing of their personal data in certain circumstances, and for the personal data to no longer be processed for those purposes. In particular, there is an absolute right to object to the processing of personal data for the purpose of direct marketing, and where the data subject so objects, the controller may not continue to process it for that purpose. If personal data is processed on the basis that it is "necessary for the performance of a task carried out in the public interest or in the exercise of official authority", or "for the purposes of the legitimate interest pursued by the controller or by a third party", then the controller may not continue to process the personal data once the data subject has objected, unless they demonstrate "compelling legitimate grounds" which override the dat subject's rights, or where processing is necessary for the establishment, exercise or defence of legal claims.
- Rights relating to automated decision-making (ADM)
In most cases, the data subject has the right not to have decisions made about him or her automatically, such as by a computer, where this has a legal effect or a similar significant effect. Article 22 provides that the data subject may give explicit consent, other laws may authorise the use of ADM with certain safeguards, and that it is acceptable to use ADM where it is necessary for entering into or performing a contract. In any case, suitable measures need to be implemented to safeguard the data subjects rights and freedoms, and it must be possible to obtain human intervention, express one's point of view, and contest the automated decision. ADM may not be based on special categories of personal data such as religion or sexual preference, unless either the data subject has explicitly consented to this, or it is necessary "for reasons of substantial public interest" with a basis in law.
- The right to be notified of a data breach
A personal data breach is any breach of security that leads to the accidental or unlawful destruction, loss, disclosure of or access to personal data. Where a breach is likely to result in a high risk to the rights and freedoms of living human beings, Article 34 provides that the controller must notify the data subject that the breach has occurred, and provide the required information in clear and plain language.
The exercise of these rights and the information given to the data subject should be free of charge. However, if a request is deemed to be "manifestly unfounded or excessive", which the controller must be prepared to demonstrate, they may either charge a "reasonable fee" or refuse to act on the request.
It should be noted that these rights may be restricted by national law in any country where the GDPR is applicable or has been adopted, for example to safeguard national security, or for the prosecution of criminal offences.