Further Reading: Rights and freedoms of the individual

Individuals have the following rights:

  1. Right to be informed
  2. Right to access (SAR’s)
  3. Right to rectify personal data
  4. Right to be forgotten
  5. Right to data portability
  6. Right to challenge profiling and automated decisions
  7. Right to object to direct marketing
  8. Right to make a complaint and for compensation for material and non-material loss

Controllers must facilitate the exercise of them by the individual, and except in certain circumstances, respond to rights

(b) to (f) within one calendar month and make no charge, except in some very limited circumstances

Processors should be contractually obliged to assist Controllers complying with responding to individuals exercising these rights

Not all rights are absolute. For example, the right to be forgotten (ie erasure of personal data) cannot be applied where the Controller is under a legal obligation to retain that data for tax purposes. When an assessment is made – record the finding of that assessment

The Data Protection Act 2018 provides for some extensive derogations in Schedule 2.


Chapter 3 of GDPR Articles 12 -23 and Recitals (58) – (73) and (91)

ICO guidance with links to further reading

Working Party Article 29 Guidelines on the Right to Portability (12/2016)
https://ec.europa.eu/newsroom/article29/item-detail.cfm?item_id=611233 FAQ’s to the Portability Guideline http://ec.europa.eu/information_society/newsroom/image/document/2016- 51/wp242_annex_en_40854.pdf