All organisations have to honour individuals’ rights as data subjects

Here is a useful re-cap of a data subject’s rights in relation to the organisations that process their data (and this includes you!).

Right to be Informed

This is the part of the law that enshrines your right to receive a Privacy Notice, or some other piece of written information that tells you how and why your personal data is being processed.


Right to Access

At your request, a Controller must tell you about their processing in detail and provide a copy of all the personal data they hold about you. There are very few reasons a company can refuse to fulfil this, and whereas before May 2018 a small fee could be charged, now access rights are free.

Right to Object

Anytime an organisation uses your data for their legitimate interests you have the right to challenge their justifications and require them to demonstrate that their interests in processing data should override your interests, rights and freedoms – that’s a very high threshold.

Right to Erasure

This applies when you withdraw consent to processing.  It also applies when the processing is for a legitimate interest, you object to the processing, and the Controller can’t demonstrate that their interests outweigh yours.  It also applies to ‘automated processing’ – such as services on the internet.

Right to Rectify

If anything an organisation holds about you is incorrect it is your right to rectify it for free. This might not seem like much, but if you imagine how airlines charge to alter errors in booking details, or how a mistake in financial records could affect your credit score – this could have a major impact on data subject.

Right to Portability

The fact that an organisation holds your data shouldn’t be a barrier to you moving your custom somewhere else, so Portability gives you the right to order some organisations (ones that process your information by automated means, i.e. online services) to provide your data in a transportable format to another service provider.

Right to Restrict

If the accuracy of personal data is disputed, or it has been unlawfully processed (e.g. for a purpose that was not disclosed), or whilst a objection to processing is dealt with, individuals can require the Controller to restrict their processing activities to storage only.

The Data Subject Rights all have to be fulfilled within a month of the request.

If you become aware of a request to exercise these rights: make sure you notify someone who has responsibility for data protection within our organisation without delay.