Here you will find information about what the GDPR rights are and how you can use them to take control over your personal data and file requests.
What are the GDPR rights (aka data protection rights)?
The fundamental right to data protection gives you, and every other individual, power and control over your own personal data. To that end, the European data protection framework (GDPR) grants you several rights that you are entitled to exercise against any entity or organisation that holds your personal data.
These are the following:
Right of information or transparency
The right of information or transparency means that the entity controlling your data must provide you with information about how your data is processed. That information must usually be provided to you before your data is collected, and it should be in a concise, transparent, intelligible and easily accessible form, using clear and plain language. Small print and hidden clauses in long and confusing contracts or legal notices are not allowed.
The information that companies are obliged to provide to you, and that you can request at any time, is the following:
- the identity and the contact details of the controller and, where applicable, of the controller’s representative;
- the contact details of the data protection officer, where applicable;
- the purposes of the processing for which the personal data are intended as well as the legal basis for the processing (consent, legitimate interest, vital interest…);
- the recipients of the personal data and, where the controller intends to transfer your personal data to a non-European country or organisation, information about an adequacy decision or suitable safeguards;
- the period for which the personal data will be stored;
- the existence of the other GDPR rights, such as rectification, erasure, restriction, portability or your right to lodge a complaint with a supervisory authority;
- from which source your personal data were collected, where other than you;
- your right to withdraw consent at any time, where applicable;
- the existence of automated decision-making, including profiling, and meaningful information about the logic involved, as well as the significance and the envisaged consequences of such processing;
- the intention to process your personal data for a different purpose.
Since the information is quite comprehensive, it has been accepted that it can be provided in different layers. However, the European data protection Regulation does not contain any provision concerning which information should be provided in the first layer. Therefore, this question is left to be addressed by EU Member States.
For instance, the Spanish Data Protection Act (LOPDGDD) requires controllers to provide, in the first layer, at least the following information:
- the identity of the controller and of the representative, where applicable;
- the purpose of the processing;
- the possibility to exercise your GDPR rights;
- where applicable, the existence of automated decision-making and the right to object.
Right of access
The right of access allows you to request from the controller entity confirmation as to whether or not your personal data are being processed, and, where that is the case, to obtain a copy of that personal data. Furthermore, you can also request the following information:
- the purposes of the processing;
- the categories of personal data concerned (health, financial, professional…);
- the recipients or categories of recipient to whom your personal data have been or will be disclosed, in particular recipients in non-European countries or international organisations;
- the envisaged period for which the personal data will be stored;
- the existence of the right of rectification, erasure, restriction or objection and the right to lodge a complaint with a supervisory authority;
- where the personal data are not collected directly from you, any available information as to their source;
- the existence of automated decision-making, including profiling, information about the logic involved, the significance and the envisaged consequences.
Right of rectification
The right to rectification empowers you to request from the controller rectification of any inaccurate personal data concerning you, as well as completion of incomplete data.
For this purpose, you need to state which personal data are inaccurate and what correction should be made. Furthermore, where necessary you may be asked to attach appropriate documentation demonstrating the validity of the amendment.
Finally, you are also entitled to request rectification or completion of any of your personal data which the controller has communicated to a recipient.
Right to erasure (right to be forgotten)
The right to erasure, or right to be forgotten, entitles you to request the erasure of your personal data from the controller’s systems provided that one of the following situations is met:
- your personal data are no longer necessary in relation to the purposes for which the controller entity or organisation collected or processed them;
- the processing is based on consent and you have withdrawn consent, unless the company has another legal ground for the processing;
- you objected to the processing;
- your personal data have been unlawfully processed (in breach of a law or with no legal grounds);
- the personal data needs to be erased for compliance with a statutory obligation;
- the personal data were collected from a child below the age of 16 without the authorisation or consent by the holder of parental responsibility over the child.
This right may also be exercised against search engines, which will carry it out by deindexing the information so that Internet users are not able to find it by searching your name.
Once the right to erasure has been requested, the controller entity or organisation should proceed to erase any personal data it holds which concern you, unless there is a legal obligation to retain those data.
There are several scenarios where the law requires controllers to keep your personal data rather than erase it. They are the following:
- for exercising the right of freedom of expression and information;
- for compliance with a legal obligation or for the performance of a public task;
- for reasons of public interest in the area of public health;
- for archiving purposes in the public interest, scientific or historical research purposes or statistical purposes in so far as erasure would be likely to render impossible or seriously impair the achievement of the objectives of that processing; or
- for the establishment, exercise or defence of legal claims.
Finally, you are also entitled to request that any of your personal data which the controller has communicated to a recipient is also erased.
Right to restriction of processing
This right puts a stop to the processing of your personal data, and it makes sense where you want the controller to stop processing but to retain your data for some reason. The situations in which you can exercise this right are limited, and are the following:
- You contested the accuracy of the personal data and the controller needs time to verify the accuracy of those data;
- The processing is unlawful and, although your personal data should be erased, you request the restriction of their use instead;
- Your personal data is no longer necessary for the purposes of the processing, but you require them for the establishment, exercise or defence of legal claims;
- You have objected to processing but the controller is verifying the existence of a compelling legitimate ground which overrides your right.
Finally, you are also entitled to request that the controller communicates the restriction of the processing of your personal data to any recipients to whom it has disclosed your data.
Right to data portability
One of the new GDPR rights introduced by the European data protection framework is the right to data portability. This right allows you to request:
- delivery of the personal data concerning you which you have previously provided, or
- transmission of your personal data directly to another controller, where technically feasible.
When exercising this right, the information must be transmitted in a structured, commonly used and machine-readable format.
You can request this right only where:
- the processing is based on consent or on a contract, and
- the processing is carried out by automated means.
Right to object
The right to object is the GDPR right which is most suitable to stop marketing communications to your phone or mail address. There are however other suitable use cases for this right. The right to object enables you to put a stop to the processing of your personal data where:
- the controller organisation is processing your personal data because of a public interest or legitimate interest ground and you are in a position to claim a particular situation which justifies stopping the processing;
- the controller uses your personal data for direct marketing purposes; or
- your personal data are processed for scientific or historical research purposes or statistical purposes and your particular situation justifies objecting to the processing of your data, unless there are reasons of public interest to process your data.
Right not to be subject to individualised decisions
The last of the GDPR rights that the Regulation grants you is the right not to be subject to decisions based solely on automated processing which produce legal effects concerning you or similarly affect you.
The same applies to the processing of your personal data for the purpose of profiling, which covers those situations where aspects of you are analysed in order to predict your behaviour.
Notwithstanding the above, the controller entity or organisation may still take automated decisions where:
- it is necessary for entering into, or performance of, a contract between you and the entity; or
- you have given explicit consent.
In both cases, the GDPR requires the organisation to implement suitable measures to safeguard your rights, freedoms and legitimate interests and, at least, the right to obtain human intervention, to express your point of view and to contest the decision.
Automated individualised decisions or profiling may also be taken lawfully where it is authorised by Union or Member State law, provided these regulations lay down suitable measures to safeguard the data subject’s rights and freedoms and legitimate interests.
Finally, companies which wish to take automated individualised decisions based on special categories of personal data (GDPR sensitive personal data) need either your explicit consent or a public interest ground, and must adopt suitable measures to safeguard the data subject’s rights, freedoms and legitimate interests.
GDPR rights FAQ
You may address your request directly to the data controller, which is the organisation or individual who decides the purpose of the processing and usually will be the same entity which initially collects your personal data.
If the entity is established outside the EU and does not have an establishment on EU territory, then chances are it will have appointed a data protection representative. In that case, you may also address your request to the representative.
Finally, depending on the risks to your rights and freedoms presented by the processing, the entity or organisation may need to appoint a data protection officer (DPO). If that is the case, then you may also send your request to the DPO.
You may submit your request in writing, orally or by electronic means, and you have the right to receive a response by any of those means. However, there might be some restrictions depending on the complexity of your request and the means that are available to the controlling entity.
For instance, the Spanish Data Protection Act (LOPDGDD) deems an access request excessive when it is made by means other than those made available by the controller and entails a disproportionate cost. If that is the case, you will bear the costs, and the period for responding to your request will be extended as necessary, without undue delay.
For your request to be handled you need to identify yourself to the entity. The means of identification will vary depending on the controller entity and the context of the processing.
For instance, if the controller only has your name and email address because you subscribed to a newsletter, then for a successful identification it would probably be enough to file the request from the same email address you previously registered.
On the other hand, bear in mind that you will also need to comply with the specific requirements set out for the different GDPR rights.
Not at all. Entities or organisations must facilitate the exercise of your GDPR rights free of charge, unless your request is considered manifestly unfounded or excessive. In that case, the controller may charge you a reasonable fee which covers the administrative costs of providing the information or communication or taking the action requested.
The GDPR requires the company to respond to your request without undue delay and in any event within one month of receipt of the request. However, that period may be extended by the controller by two further months where necessary because of the complexity and number of the requests.
If such an extension occurs, the controller is obliged to inform you of it within one month of receipt of the request, together with the reasons for the delay.
Yes, if the company considers that your request is manifestly unfounded or excessive, in particular because of its repetitive character. If that happens, the company is entitled to:
- charge you a reasonable fee taking into account the administrative costs of providing the information or communication or taking the action requested; or
- refuse to act on your request.
In the event the controller decides to refuse to act on your request, it is obliged to inform you without delay, and at the latest within one month of receipt of your request, of the reasons for not taking action and of your right to lodge a complaint with a supervisory authority and/or to seek a judicial remedy.