Back to Basics: Data Subjects’ Rights

Wednesday 4th January 2023

Welcome to the second of our Privacy and Data Protection team’s Back to Basics series. Here we look at what privacy rights individuals (data subjects) can impose on organisations which collect personal data (data controllers).

What are individuals’ rights?

1. The right to be informed

Organisations must inform individuals of:

  • the purpose for processing the personal data,
  • where they obtained the personal data ,
  • personal data retention periods,
  • who it will be shared with and
  • the individual’s right to complain to the Information Commissioner, the data protection regulator in the UK (ICO).

All this should be in a customer-facing ‘Privacy Notice’. Sometimes businesses may need to be more specific depending on what the individual is asking for.

2. The right of access

This is known as a ‘Data Subject Access Request’ (DSAR) and is the most frequently used right. Individuals have the right to access and receive a copy of the personal data (and supplementary information) which an organisation holds about them.

DSARs can be verbal or written and may not always be clearly labelled as a DSAR, so it’s important that staff are trained to recognise them.

Organisations must perform a reasonable and proportionate search. They don’t have to conduct disproportionate or unreasonable searches, but can’t refuse to comply with a DSAR simply because it holds a lot of personal data about an individual.

There are a few exemptions to an organisation’s duty to disclose, so it’s not always the case that you need to provide the data.

3. The right to rectification

Individuals have the right to request that an organisation corrects or updates their personal data (e.g. updating a telephone number, address or name). Organisations should ensure personal data held is accurate.

4. The right to erasure

Individuals have the right to request that organisations delete certain types of their personal data. This is known as the ‘right to be forgotten’. Organisations need to do this if keeping the personal data is no longer necessary or an individual withdraws their consent; where the organisation relies on consent for their lawful basis for processing that person’s data.

The right of erasure is not absolute, meaning that organisations can refuse to comply with some or all of a request in certain situations.

5. The right to restrict processing

Individuals may request an organisation to stop or limit the processing of their personal data. In that case a business may continue to store the data, but not process it.

These types of requests might be made if an individual contests the accuracy of their personal data, they believe their data has been unlawfully processed, or has objected (see below) to the business’s processing. If an organisation decides it needs to lift the restriction, it must first tell the individual.

Organisations will also need to tell third party processors to restrict their processing of personal data.

Again, this is not an absolute right so may be refused in certain situations.

6. The right to data portability

This right allows individuals to move, copy or transfer personal data from one organisation to another.

It only applies when an organisation’s lawful basis for processing personal data is with the individual’s consent or for the performance of a contract and the organisation is processing the data by automated means.

7. The right to object

Individuals may object to an organisation processing their personal data if the processing is for the organisation’s legitimate interest (or ‘public task’ lawful basis) unless the organisation has a compelling reason to continue processing. This right is not absolute and does not necessarily mean the data also has to be erased.

Individuals have an absolute right to object to direct marketing, so businesses should clearly include an ‘unsubscribe’ feature for newsletters and the like.

8. Rights in relation to automated decision-making and profiling

Individuals have the right not to have decisions made about them solely by automated means, unless it is necessary to perform a contract, or with the individual’s consent.

Key points

Organisations need to be able to identify and respond to these requests (usually within 1 calendar month with some exceptions). Having clear processes in place and making sure staff are appropriately trained are both key to be able to demonstrate compliance.

If you need support with policy documentation or staff training, please get in touch with one of our Experts