What rights do data subjects have in respect of their personal data?

Under the UK General Data Protection Regulations (the “UK GDPR”), data subjects have several rights in respect of their personal data. In this article, we provide an overview of some of the rights afforded to data subjects and highlight some of the corresponding obligations on data controllers.

Definitions

‘Personal data’ means any information relating to an identified or identifiable natural person (data relating to a corporate entity, public authority, agency or other body is not personal data).

For a more in-depth look at what is considered to be personal data under the UK GDPR, see our article of 22 November 2024.

‘Data subject’ – A natural person to whom personal data directly or indirectly relates.

‘Controller’ – A data controller is a natural or legal person, public authority, agency or other body which determines the purposes and means of the processing of personal data.

‘Processor’ – A data processor is a natural or legal person, public authority, agency or other body that processes personal data on behalf of the controller.

‘Processed’ – Personal data is processed when an operation is performed on it, for example when it is collected, recorded, stored, erased, or destroyed.

Data subjects’ rights under the UK GDPR

Right to be informed

Data subjects have the right to receive certain information about the data collection and data processing activities of the controller. This forms part of a controller’s obligation to ensure that personal data is processed fairly and transparently.

Right of subject access

Data subjects may make what is known as a ‘data subject access request’. In this context, data subjects have the right to:

  • Obtain confirmation from a data controller that it is processing their personal data.
  • Access their personal data that has been processed (including receiving a copy on request). Generally, any copies must be provided by the controller to the data subject free of charge.
  • Obtain certain information about a data controller’s processing of their personal data (for example, how long their personal data will be stored).
  • Be notified of their rights to:
    1. Request the correction or deletion of their personal data.
    2. Restrict or object to certain types of processing.
    3. Make a complaint to the Information Commissioner’s Office (ICO).

Right to rectification

The UK GDPR obliges data controllers to ensure that the personal data they hold is accurate, up-to-date, and erased or corrected without delay when it is inaccurate (meaning incorrect or misleading). As a result, data subjects have the right to correct any incorrect personal data, and complete any incomplete personal data, held by the data controller.

Right to erasure (“right to be forgotten”)

Data subjects have the right to request that any of their personal data held by the data controller is erased. This is often referred to as the right to be forgotten, and applies if:

  • Their personal data is no longer necessary for the purpose the controller collected it for.
  • They withdrew their consent to the controller processing their personal data.
  • They objected to their personal data being processed for direct marketing purposes.
  • Their personal data was processed by the controller unlawfully.

Right to restrict the processing of personal data

Data subjects may restrict the controller’s processing of their personal data in the following circumstances:

  • Where the data subject contests the accuracy of the data.
  • Where the processing of the data was unlawful.
  • Where the data subject needs the data in relation to a legal claim(s), but the controller no longer needs to process it.

Where a data subject requests that the processing of their personal data is restricted, the controller can continue to store the data but can only process it in very limited circumstances (such as with the data subject’s express consent).

Data portability right

Data subjects have the right to receive a copy of their personal data from the controller (in an appropriate format) and to subsequently store it on their own private device. Data subjects also have the right to send their personal data to another controller or request that their personal data is sent from one controller to another.

The data subject’s right of portability must not adversely affect the rights of third parties. For example, if the data subject’s data contains personal data about a third party, the controller must have a lawful reason to process that third party’s personal data.

Right of objection (direct marketing)

Data subjects have the right to object to their personal data being processed for direct marketing purposes. Importantly, this is an absolute right and, once a data subject objects, the data controller must stop processing their personal data for direct marketing purposes immediately.

Breach notification right

This is relevant where a personal data breach occurs which is likely to result in a high risk to a data subject’s rights. Whether there is a ‘high risk’ will depend on the specific circumstances. The controller must notify the data subject of the breach without undue delay – failure to do so could result in significant fines being imposed.

Data subjects have several rights in relation to their personal data, and it would be prudent for data controllers to familiarise themselves with these so they can ensure compliance with their obligations. Failure to respond appropriately when a data subject exercises their data protection rights under the UK GDPR could lead not only to reputational damage but also, in certain circumstances, financial penalties.

Should you have any queries in relation to the rights of data subjects in respect of their personal data, or in relation to data protection law generally, please do not hesitate to contact our Commercial Team who would be happy to assist.
