Individuals have the following rights:
Controllers must facilitate the exercise of them by the individual, and except in certain circumstances, respond to rights
(b) to (f) within one calendar month and make no charge, except in some very limited circumstances
Processors should be contractually obliged to assist Controllers complying with responding to individuals exercising these rights
Not all rights are absolute. For example, the right to be forgotten (ie erasure of personal data) cannot be applied where the Controller is under a legal obligation to retain that data for tax purposes. When an assessment is made – record the finding of that assessment
The Data Protection Act 2018 provides for some extensive derogations in Schedule 2.
References:
Chapter 3 of GDPR Articles 12 -23 and Recitals (58) – (73) and (91)
https://eur-lex.europa.eu/legal-content/EN/TXT/?uri=CELEX:32016R0679#d1e2161-1-1
ICO guidance with links to further reading
https://ico.org.uk/global/privacy-notice/your-data-protection-rights/
Working Party Article 29 Guidelines on the Right to Portability (12/2016)
https://ec.europa.eu/newsroom/article29/item-detail.cfm?item_id=611233 FAQ’s to the Portability Guideline http://ec.europa.eu/information_society/newsroom/image/document/2016- 51/wp242_annex_en_40854.pdf