
Data Protection for Individuals


Your Rights

Chapter 3 of the GDPR provides the rights which data subjects may exercise with regard to their personal data. Below is a list of these rights, together with a brief explanation to assist you in understanding what each one means and how you may exercise it.

Your right to be informed

Pursuant to the transparency principle, a controller is obliged to inform you if it is using your personal data. It should provide detailed information on the following:
  • Why it is using your data.
  • What type/types of data it is using.
  • How long your data will be kept.
  • If it is going to transfer your data to third parties, the names or categories of recipients, and the reasons for the transfer.
  • Information if it is going to transfer the data to third countries, including the country involved and what will be done with the data.
  • Your data protection rights.
  • Where the data is from.
  • If it is using the data in profiling (a type of automated processing where your personal data is used to analyse or predict things such as your performance at work, economic situation, health, personal preferences and interests).
  • How to contact the controller.
  • Your right to lodge a complaint with the IDPC.
The controller should give you this information at the time it collects your personal data. If it obtains your data from another source, it should provide such information within one month and may do so in the form of a data protection notice.

Your right of access to your personal data undergoing processing

You have the right to ask a controller for a confirmation as to whether or not they are using, storing or otherwise processing your personal data. The controller is required to provide you with a copy of your personal data together with the other information set out under Article 15(1) GDPR. Naturally, when acceding to your subject access request, the controller shall not adversely affect the rights and freedoms of third parties. If you are not satisfied with the information provided by the controller or in the event that the controller does not provide you with a response within one month from your request, you may lodge a complaint with the IDPC, which will be investigated accordingly.

Your right to get your personal data rectified

As a data subject you have the right to obtain from a controller the rectification of inaccurate personal data. To exercise your right you should inform the controller that you are challenging the accuracy of your data and want it corrected. You should:
  • State clearly what you believe is inaccurate or incomplete;
  • Explain how the controller should correct it; and
  • Where available, provide evidence of the inaccuracies.
It is recommended that you make your request in writing to the controller, explaining your concern and giving the necessary evidence to support your claim to have your data corrected. In the event that you would like to challenge the controller’s response or lack of action, you need to provide us with clear proof of your engagement with the controller so that we will be able to investigate your complaint.

Your right to get your personal data deleted

The right to get your personal data erased, also known as the ‘right to be forgotten’ (EDPB guideline available here), entitles you to request a controller that holds data about you to delete it. This applies when one of the following grounds applies:
  • The controller no longer needs your data for the original reason they collected or used it for;
  • You initially consented to the organisation using your data, but have now withdrawn your consent;
  • You have objected to the use of your data, and your interests outweigh those of the organisation using it;
  • You have objected to the use of your data for direct marketing purposes;
  • The organisation has a legal obligation to erase your data.
  • The data was collected from you as a child for an online service.
The controller can refuse to erase your data in the following circumstances:
  • When keeping your data is necessary for reasons of freedom of expression and information (this includes journalism and academic, artistic and literary purposes).
  • When the organisation is legally obliged to keep hold of your data, such as to comply with financial or other regulations.
  • When the organisation is carrying out a task in the public interest or when exercising their official authority.
  • When keeping your data is necessary for establishing, exercising or defending legal claims.
  • When erasing your data would prejudice scientific or historical research, or archiving that is in the public interest.

Your right to data portability

When the processing of your personal data is based on your consent or on the basis of a contract, you have a right to receive the personal data in a structured, commonly used and machine-readable format and the right to transmit those data to another controller without hindrance from the controller to which the personal data have been provided. Click here to access the guidelines adopted by the EDPB on the right to data portability.

Your right to object to the processing of your personal data

You have the right to object to a controller processing personal data at any time. This means that you can stop the controller from using your personal data. Having said that, this right applies in specific circumstances and, in particular, where your personal data is processed:
  • For a task in the public interest;
  • For the exercise of official authority;
  • For the controller’s legitimate interests;
  • For scientific, historical or statistical purposes; or
  • For direct marketing purposes.

Your right in relation to the decisions taken solely by automated means

You have the right not to be subject to a decision based solely on automated processing, including profiling, which produces legal effects concerning you or similarly significantly affects you.
This right does not apply where the decision:
  • Is necessary for entering into, or performance of, a contract between the data subject and the controller;
  • Is authorised by Union or Member State law to which the controller is subject and which also lays down suitable measures to safeguard the data subject’s rights and freedoms and legitimate interests; or
  • Is based on your explicit consent.
You may click here to access the Guidelines issued by the EDPB on this right.

Your right to lodge a complaint with the IDPC

If you consider that the processing of personal data relating to you infringes the GDPR, you have the right to lodge a complaint with the IDPC against the controller involved and the case will be investigated accordingly.

It’s important to know that all these rights can be exercised directly with the data controller or with the Data Protection Officer (DPO) when such a person is appointed. Moreover, the controller shall provide a response within one month from receipt of a communication, according to Article 12 GDPR. In the event that the controller fails to respond or if otherwise you are not satisfied with the reply, you may lodge a complaint through our online form.

The controller could extend the time to respond if the request is complex or when it receives several requests from the individual. In such cases, the controller must still reply within one month of receiving the request and explain why the extension is necessary.

Where the controller has reasonable doubts concerning the identity of the data subject exercising his or her rights under the GDPR, it may request the provision of additional information necessary to confirm the identity of the data subject.

Contact Us

Floor 2, Airways House,
Triq Il-Kbira,
Tas-Sliema SLM 1549, Malta

+356 2328 7100

idpc.info@idpc.org.mt

© | Office of the Information and Data Protection Commissioner 2025
