Under GDPR, Individuals Have Strong Rights

The EU and UK GDPR grant individuals a robust and comprehensive set of rights over their personal data. These rights are designed to enhance transparency, empower individuals, and ensure strong protection of personal information throughout its lifecycle.
By understanding and exercising these rights, individuals can take proactive control of their data, while organisations can demonstrate accountability, build public trust, and fulfil their legal obligations under the regulation.
GDPR Rights
Below is an expanded guide to these rights and their broader significance in today’s data-driven environment.
The Right to Be Informed
Transparency lies at the heart of both the EU and UK GDPR. The right to be informed ensures that individuals understand how their personal data is collected, used, stored, and shared.
Organisations must provide clear, concise, and easily accessible privacy notices, which should outline:
- The types of personal data being collected
- The lawful basis and purpose of its collection and processing
- How long the data will be retained
- The means of data storage and any safeguards in place
- Any third parties involved in processing, including data transfers outside the UK or EU
- The rights available to individuals concerning their data
These notices must be presented in a way that is understandable to the intended audience, using plain language and accessible formats. This enables individuals to make informed choices about how their personal information is handled.
The Right of Access
Individuals have the right to access their personal data and obtain key information about how it is processed. This includes:
- A copy of the personal data held about them
- Information about the purposes of processing
- Details of the categories of personal data processed
- The recipients or categories of recipients with whom the data has been shared
- Retention periods or criteria used to determine them
- Information about the source of the data if not provided by the individual
Organisations must respond to Subject Access Requests (SARs) within one month of receipt. In cases of complexity or high volume, this deadline may be extended by up to two further months, but the requester must be informed. The data should be provided free of charge unless the request is manifestly unfounded or excessive.
The Right to Rectification
The right to rectification allows individuals to request the correction of inaccurate personal data or the completion of incomplete data. This is essential for ensuring the integrity and reliability of information held.
Organisations are required to:
- Investigate and assess any claims of inaccuracy or incompleteness
- Make necessary updates promptly
- Notify the individual once the data has been rectified
- Inform any third parties with whom the data has been shared, where appropriate
Maintaining accurate data minimises the risk of harm to individuals and enhances the effectiveness of data-driven decision-making.
The Right to Erasure
Also referred to as “The Right to Be Forgotten,” this right gives individuals the ability to request the deletion of their personal data under specific circumstances, including:
- The data is no longer necessary for the purpose for which it was collected
- The individual withdraws consent where consent was the legal basis
- The data was processed unlawfully
- The data must be erased to comply with a legal obligation
- The individual objects to processing and there are no overriding legitimate grounds
However, this right is not absolute. It does not apply if processing is necessary for freedom of expression, legal claims, public health, archiving in the public interest, or compliance with a legal obligation. Organisations must assess each request on a case-by-case basis.
The Right to Restrict Processing
This right allows individuals to request a temporary halt to the processing of their personal data in certain situations:
- When the accuracy of the data is contested
- When processing is unlawful but the individual opposes erasure
- When the organisation no longer needs the data, but the individual requires it for legal claims
- When the individual has objected to processing and verification of legitimate grounds is pending
During restriction, the data may still be stored, but it must not be otherwise processed except with the individual’s consent or for legal reasons. Organisations should also inform any recipients of the data about the restriction unless doing so is impossible or involves disproportionate effort.
The Right to Data Portability
This right empowers individuals to obtain and reuse their personal data for their own purposes across different services. Specifically, it allows them to:
- Receive their data in a structured, commonly used, machine-readable format (such as CSV or JSON)
- Transmit their data directly from one controller to another, where technically feasible
This applies only to data:
- Provided by the individual
- Processed based on consent or contract
- Processed by automated means
Data portability enhances individual control and promotes interoperability and innovation within digital markets.
The Right to Object
Individuals have the right to object to the processing of their personal data in the following scenarios:
- Processing based on legitimate interests or tasks in the public interest
- Direct marketing, including profiling related to marketing
- Processing for scientific or historical research, or for statistical purposes
When an objection is raised, processing must stop unless the organisation can demonstrate compelling legitimate grounds that override the individual’s rights and interests. For direct marketing, the right to object is absolute, and organisations must comply without exception.
Rights Related to Automated Decision-Making and Profiling
Automated decisions can significantly impact individuals, especially when no human is involved in the decision-making process. Under GDPR, individuals are protected by specific rights when such processing results in legal or similarly significant effects.
These include:
- The right not to be subject to solely automated decisions
- The right to obtain human intervention and review
- The right to express their point of view
- The right to contest the decision
Such processing must be based on consent, authorised by law, or necessary for a contract. These safeguards are especially critical in high-impact areas such as financial services, employment, and insurance.
Conclusion
The individual rights enshrined in the EU and UK GDPR empower people to take an active role in the management of their personal data. For organisations, respecting and enabling these rights is not merely a compliance task but a vital element of ethical data stewardship.
Embracing transparency, accuracy, and accountability creates opportunities to build stronger relationships with customers and stakeholders. Organisations that embed these principles into their operations are better equipped to navigate the evolving data landscape, demonstrate compliance, and maintain public trust in an increasingly digital world.
FAQs
When can an organisation refuse a request to delete personal data?
Organisations can refuse an erasure request if they need to retain the data for specific reasons such as compliance with a legal obligation, defence of legal claims, public health purposes, or for exercising the right to freedom of expression. Each request must be assessed individually, with reasons clearly communicated to the data subject.
How should a business respond to a Subject Access Request (SAR)?
Upon receiving a SAR, a business must verify the requester’s identity, gather the relevant personal data, and respond within one calendar month. The response should include a copy of the data, the purposes of processing, categories of data involved, recipients, retention periods, and information about the individual’s rights.
What’s the difference between the right to restriction and the right to erasure?
The right to erasure allows individuals to request deletion of their data altogether, while the right to restriction allows individuals to stop further processing without deleting the data — typically used while a dispute is being resolved or legal claims are pending.
Does GDPR apply to data stored in backup systems?
Yes. GDPR applies to all personal data, including that stored in backup systems. However, organisations are allowed some flexibility in how they fulfil rights like erasure or rectification within backups, provided they have robust access controls and processes to prevent misuse.
Can personal data be transferred outside the UK or EU under GDPR?
Yes, but only if appropriate safeguards are in place. These can include adequacy decisions (where the destination country is deemed to have adequate protection), standard contractual clauses, binding corporate rules, or explicit consent from the individual.
Further Reading
To learn more about GDPR rights, see the UK ICO’s GDPR Rights guidance on the ICO website.