The General Data Protection Regulation (GDPR) provides eight fundamental rights to individuals who live in European Union (EU) member states. These individuals are known as data subjects.
The GDPR, which went into effect on May 25, 2018, requires any company that operates within the EU to comply with strict data protection laws. The GDPR also gives data subjects more control over their personal information.
These are the eight GDPR rights of individuals:
- The right to be informed
- The right of access
- The right to rectification (correction)
- The right to erasure
- The right to restrict processing
- The right to data portability
- The right to object
- The right to not be subject to automated decision making
The right to be informed
Under the GDPR, individuals have the right to be informed about how companies collect and use their personal data, how long they plan to keep that data, and who they’ll share it with. Companies that collect data have to provide certain information to the data subjects, including the identities and contact details of the data controllers and data protection officers (if DPOs were appointed).
The right of access
Individuals have the right to know exactly what information companies have collected, how they’re storing and processing that data, and what they’re going to do with it.
The right to rectification (correction)
Data subjects have the right to have incomplete data completed and incorrect data corrected.
The right to erasure
Data subjects have the right to have personal data permanently deleted. This is also known as the “right to be forgotten.” In this case, companies can’t argue that their legitimate interests in processing users’ data outweigh the individuals’ rights to have it erased. However, this right doesn’t apply if the processing of data that’s subject to an erasure request is necessary to comply with a company’s legal obligations.
The right to restrict processing
If data subjects can’t require that data controllers erase their personal information they can restrict the ability of data controllers to process that data, under certain circumstances as outlined by the ICO (Information Commissioner’s Office).
The right to data portability
Individuals have the right to obtain and reuse their personal data for their own purposes across different services. Data subjects can request that data controllers send their personal data files electronically to third parties. If technically feasible, companies must provide the data in commonly used, machine-readable formats.
The right to object
Data subjects have the right to object to the processing of their personal data in certain circumstances. For example, if an organization uses personal data for direct marketing, scientific and historical research, or to perform a task in the public interest. However, companies may still process the data to establish or defend legal claims, or if they can demonstrate there are legitimate grounds that override individuals’ interests and rights.
The right to not be subject to automated decision making
Individuals have the right to demand human intervention, rather than having important decisions made by algorithms. Companies are required to inform people that they will be subject to algorithmic decision-making and let them know that they can opt out of it.