All data subjects have specified rights with respect to the use of their personal data held by a controller or processor. These rights are:
- The right to be informed – your data subjects should be clear about what personal data will be processed, why and in what way; this information is usually provided by privacy statements
- The right of access – your data subjects have the right to learn what data is held on them, by whom and why
- The right to rectification – data subjects can request that personal data is corrected
- The right of erasure – data subjects can request that all personal data is erased
- The right to restrict processing – data subjects can ask organisations to stop processing their personal data
- The right to data portability – data subjects can ask for their data in a machine-readable format or to have it sent to another organisation
- The right to object – data subjects can object to organisations processing their personal data
- Automated decision making and profiling – data subjects can ask for automated decision making to be reviewed by a human.
In most cases you have only 30 days in which to respond to a request made under these rights, so any request should be escalated swiftly to the responsible person in your organisation.
It should be noted that whilst a data subject has these rights, there are circumstances where your organisation may not enforce them. All data subject requests should be assessed on their own merits.