One of the key objectives of the new European General Data Protection Regulation (GDPR) is to ensure the privacy and protection of the personal data of data subjects. To help data subjects in being assured of the protection and privacy of their personal data, GDPR empowers data subjects with certain rights. Through these rights, data subjects can make a specific request and be assured that personal data is not being misused for purposes other than the legitimate purpose for which it was originally provided. Let us understand the different rights requests that a data subject can make as a customer, as an employee, and as personnel of a supplier.
1) Right to information
This right provides the data subject with the ability to ask a company for information about what personal data (about him or her) is being processed and the rationale for such processing. For example, a customer may ask for the list of processors with whom his or her personal data is shared.
2) Right to access
This right provides the data subject with the ability to get access to his or her personal data that is being processed. This request provides the right for data subjects to see or view their own personal data, as well as to request copies of the personal data.
3) Right to rectification
This right provides the data subject with the ability to ask for modifications to his or her personal data in case the data subject believes that this personal data is not up to date or accurate.
4) Right to withdraw consent
This right provides the data subject with the ability to withdraw a previously given consent for processing of their personal data for a purpose. The request would then require the company to stop the processing of the personal data that was based on the consent provided earlier.
5) Right to object
This right provides the data subject with the ability to object to the processing of their personal data. Normally, this would be the same as the right to withdraw consent, if consent was appropriately requested and no processing other than legitimate purposes is being conducted. However, a specific scenario would be when a customer asks that his or her personal data should not be processed for certain purposes while a legal dispute is ongoing in court.
6) Right to object to automated processing
This right provides the data subject with the ability to object to a decision based on automated processing. Using this right, a customer may ask for his or her request (for instance, a loan request) to be reviewed manually, because he or she believes that automated processing of his or her loan may not consider the unique situation of the customer.
7) Right to be forgotten
Also known as right to erasure, this right provides the data subject with the ability to ask for the deletion of their data. This will generally apply to situations where a customer relationship has ended. It is important to note that this is not an absolute right, and depends on your retention schedule and retention period in line with other applicable laws.
8) Right for data portability
This right provides the data subject with the ability to ask for transfer of his or her personal data. As part of such request, the data subject may ask for his or her personal data to be provided back (to him or her) or transferred to another controller. When doing so, the personal data must be provided or transferred in a machine-readable electronic format.
Who can make a rights request, and how?
A rights request can be made by an individual or an individual’s legal representative. Such individual could be a customer, an employee, or personnel of a supplier working for the company. Also, such request should usually be made in writing. To the Data Protection Officer at email@example.com
Data subject rights form the core of GDPR. It must be noted that as a law enforcement body the Royal Gibraltar Police may be exempt from some of the above obligations. This can be checked with our Data Protection Officer on the email address above