Data subject rights over personal data

The GDPR establishes new requirements on organisations that collect, use, and share data about EU citizens.

Organisations processing data of EU citizens must adhere to the new data privacy and security measures expressed in the GDPR, regardless of whether the organisation is located within the EU or not.

Among other duties, organisations must provide users with the ability to exercise the following rights over their data:

Transparency: Organisations are required to inform individuals about the processing of their personal data. The notice given to individuals (usually through a privacy policy) must be easily accessible and concise and must meet the specified content requirements found in Articles 12-14 GDPR.

The right of Access: Following a request, organisations must provide information about the purposes of the processing and the categories of the data processed, among other relevant information (Article 15). Organisations must also provide a copy of the data subject’s personal data in a structured, commonly used and machine-readable format, if asked to do so.

The right to Rectification, Erasure and Restriction: Organisations must allow data subjects to correct inaccuracies in their personal data, withdraw consent and erase their data, and restrict the processing of their data if the accuracy of the data is challenged (Articles 16-20).

The right to Object to Profiling and Automated Decision-Making: A data subject may object to the processing of their personal data based on profiling or automated decision-making (Articles 21-22). In such a case, organisations must cease any further processing, unless the organisation can demonstrate legitimate grounds for processing that override the interests, rights and freedoms of the data subject.
