In today’s digital world, almost every interaction you have with an organisation will involve the sharing of your personal data.
This can be done directly or through cookies and other online tracking tools. For example, every time you visit a website, or use social media a little piece of code will be placed on your browser, to help organisations understand more about you and improve the user experience for your future visits.
However, the GDPR recognises that some individuals may not like this and may want more control over who can access of their data to help them ensure it is being used properly and legally.
Below we will look at some of the key areas where individuals have gained more rights over the use of their personal information through the GDPR.
Your Rights under GDPR
The right to be forgotten.
Typically referred to as ‘Privacy Information’. Under this category organisations must inform you when they are using your personal data and the following must also be made clear:
- Why your data is being collected
- What type of data is being collected
- How long the organisation needs to retain your data
- Whether the data will be shared with third parties and who these third parties are
- Whether your data is going to being shared overseas, with which country and why
- What your information rights areHow your data is being collected and whether it is being used for profiling
- Who you should direct questions to within the organisation.
Any organisation collecting the above information should notify you of this at the point in which they collect your data. Where data is collected from another source, the organisation should provide you with a privacy notice within one month of the data being collected. This is called your ‘right to be informed’.
The ICO has stated there are some exceptions to the above, which include:
- when an individual has already received the privacy information and nothing has changed
- when providing such information would require “disproportionate effort”, or
- when informing you of the privacy information would make it impossible to use your data or seriously damage the reasons for its use.
Your right to access information
You can now find out what personal information is being used or stored by an organisation by making a ‘subject access request’ either verbally or in writing.When making a subject access request, it is recommended that you include:
- Your name
- Your contact details
- Any account numbers, etc
- Any further information that will help identify what you want.
You should keep a copy of your request, along with proof of postage or delivery.
An organisation has the right to refuse your subject access request if the data you seek includes information about another individual. However, this is not true if the other individual has consented to the disclosure of their information or it is reasonable to provide you with this information without the other individual’s consent.
Your right to rectify the information being held
Individuals have the right to challenge the accuracy of the personal information that is being collected and held by an organisation. If your data is incomplete, you can ask for the organisation to complete it by adding more details or you can ask for it to be deleted.
To exercise your ‘right to rectification’ you should:
- Explain what data you believe is inaccurate
- Explain how you want the the organisation to correct it
- Provide evidence, where appropriate
Such requests can be made verbally or in writing. It is recommended that if you make a verbal request that you follow this up in writing so that you have evidence of the request.
When asked to correct data, organisations should take reasonable steps to investigate whether the data is accurate, and be able to demonstrate this. The organisation should then advise you on whether it has corrected or deleted the data, or explain why it believes the data is accurate.
Where the organisation has shared the data with third parties, it is responsible for telling the third parties that the data has been corrected or completed and inform you of who those third parties are.
Your right to erasing data
When an organisation holds your personal information you can ask for that data to be deleted. Such requests can be made verbally or in writing. As above, verbal requests should be followed up in writing as a form of evidence.
The right to erasure applies in the following circumstances:
- When you are confident that the organisation no longer needs your data
- When you previously consented to your data being used but now wish to withdraw your consent
- When you objected to your data being help and your interests outweigh the organisations
- When your data has been collected unlawfully
- When their is a legal obligation for the organisation to erase your data
- When data was collected from a child and the correct consent was not obtained.
- However, organisations can refuse to erase your data in the following circumstances:
- When holding the data is necessary for reasons of freedom of expression and information
- When legally obliged to to do so
- When your data is associated with public health
- When your data is involved with legal claims
- When erasure of such data would prejudice scientific or historical research, or archiving that is in the public interest.
When an organisation decides it does not need to erase your data, you must be notified of this decision and they must also advise why this decision was made.Where the organisation has shared the data with third parties, it is responsible for telling the third parties that the data has been deleted and inform you of who those third parties are.
Your right to restrict the use of data
You now have the right to limit the ways in which an organisation uses your personal data and you can also stop an organisation deleting your data.
You can ask an organisation to limit the use of your data when they are processing a challenge you have made regarding either the accuracy or use of your data. You can also request to limit the use of your data if the data was processed unlawfully or you want the organisation to retain, but not use, the data for legal claims.
Once a request to restrict the use of data has been made the organisation should either:
- move the data to another system
- make the data unavailable to system users
- temporarily remove it from its locations. For example a website, if it has been published.
Following such requests, organisations should not use the data unless it it is doing so for legal claims, to protect another person’s rights, public interest or you have give it consent to do so.
Once your request has been investigated, organisations may decide to continue using your data. If this happens, the organisation must inform you before the restriction is lifted. Also, if the organisation has shared the data with third parties, it is responsible for telling the third parties that the data has been restricted and inform you of who those third parties are.
Your right to data portability
You can ask an organisation to transfer your data to other organisations. Where appropriate to do so, the data should be provided in a format which is accessible and machine-readable, for example as a csv file.
This right only applies to data that is held electronically and may include your user name, search history, traffic and location data or data processed by connected objects such as smart meters.
You can make a data portability request to any organisation that relies on your consent to use your personal data or uses your data as part of a contract you have with them.
Please note: depending on what you have requested, the organisation may require your to identify yourself before sending the data on.
Your right to objecting to the use of your data
You can now object to your personal data being used and you also have an absolute right to object to an organisation using your data for direct marketing. In order to object you must first establish why the organisation is processing your data. Reasons that you can object to include:
- when the data is being collected for public interest
- when the data is being collected for its legitimate interests
- when the data is being collected for scientific or historical research, or statistical purposes, or
- when the data is being collected for direct marketing.
If your data fits the above, and you have the right to object to its use, you should inform the organisation directly of your objection. Requests can be made verbally or in writing, but it is recommended that you follow up any verbal request in writing as evidence.If your objection is successful, the organisation must stop using your personal data for that specified reason. However, it is worth noting that the organisation could still use your data for other purposes or refuse to comply with your objection if it can prove its own reasons for continuing to process your data are stronger than your objection or it is for a legal claim.
Your rights when it comes to automated individual decision-making and profiling
When decisions are made about you without human involvement you now have a right to prevent this automated processing. There are two types of automated processing covered by this right, the first is automated and includes things like pre-programmed algorithms and criteria. The second is profiling where your data is used to analyse or predict things like your personal preferences and interests.
Profiling information is usually gathered from sources such as internet searches, social networks and mobile phones. It can be particularly useful for organisations or teams that are involved in education, financial services and marketing.Under this category, you have the right to:
- find out why a decision was made about you
- find out any consequences of such a decision
- object to profiling for things like direct marketing
- not be subject to a decision that is based solely on automated processing if the decision affects your legal rights or similar
Organisations should not be making decisions which are based solely on automated processing if the decision affects your legal rights, unless the decision is necessary for the purpose of creating a contract, is authorised by law or is based on your explicit consent. Therefore, in the circumstances described, you have the right to ask an organisation to not subject you to automated processing and, where this has happened, to explain the decision and advise how it will affect you.
A request can be verbal or in writing.
How long does an organisation have to respond?
Organisations are permitted one month to respond to information requests. However, organisations can take longer to provide the information, as long as they let you know the reason for needing more time within one month of the data request being raised. For more information please refer to the ICO’s guidelines on time limits.
How do ‘manifestly unfounded or excessive’ requests affect you?
Where requests made under any of the above categories can be categorised as ‘manifestly unfounded or excessive’, organisation have the right to refuse to comply with your request or change an administrative fee before proceeding.In either case the organisation is required to inform you of its decision and to justify this.
How to raise a complaint?
If you are not satisfied by the way an organisation has handled your request, you should initially raise a complaint with the organisation directly. If this does not bring you the desired resolution you can also complain directly to the ICO.
In some circumstances you may prefer to enforce your rights through the courts. if this is the case, please seek independent legal advice before doing so.