Individuals' Rights

Individuals (or "data subjects" as the Law puts it) are at the heart of data protection legislation. The Law contains legal rights and responsibilities and specifically aims to strengthen individuals’ rights.

You have the following 10 rights under The Data Protection (Bailiwick of Guernsey) Law, 2017:

 

  • When you (the 'data subject') are asked to provide any information about yourself (i.e. personal data) to any organisation, there is a legal requirement for that organisation to make it clear who they are and what exactly is going to happen to your data. An organisation is required to supply this ‘fair processing information’ to you in the form of a privacy policy or a data collection statement. You can find out more about how organisations should handle your information fairly by reading our guidance on the ‘information to be given’ aspect of the Law. The higher standards the Law requires in respect of transparency are a fundamental part of the legislative framework that came into force in 2018 and you are encouraged to understand your rights and demand that they are respected.

    If your data was collected prior to implementation of the Law (i.e. prior to 25 May 2018), the processing is subject to what is known as ‘transitional relief’. It is expected that controllers review the information provided to individuals, so you may find that companies that have your data get in touch with you to update this information. This is certainly good practice but not necessarily a legal requirement. Each controller will need to review its own position in this respect.

  • The Law enhances the already existing right of access to your personal data. This entitles you to ask what data an organisation holds about you and why by submitting a ‘data subject access request’ (also known as a 'SAR', or a 'DSAR'). In plain English, a data subject access request (DSAR) is when a person asks:
    - what do you know about me?
    - what do you think about me?
    - what do you think you know about me?
    - what are you doing with it all?

    Organisations must respond to your request within one month, although this can be extended if the request is complex. In most cases, organisations cannot ask you to pay a fee for them to supply this information to you. The Law provides for certain, limited and specific exemptions to this right, as it does for most rights.

    We have prepared this guidance for individuals who wish to make a DSAR. It contains more information specifically about DSARs, how to make one, what you should receive back, and what to do if you’re not happy with what you receive.


  • If an organisation is processing your personal data for direct marketing purposes, you have a right to require them to stop. You should write directly to the organisation concerned to make any such request and they must stop sending you material when asked.

  • This right applies in the following two circumstances.

    The first is: where an organisation says it is processing your personal data on the grounds that it is in their ‘legitimate interests’.

    The second is: where a public authority says it is processing your personal data on the grounds that it is in the ‘public interest’.


    In both of the above circumstances, you have a right to request that they cease processing your personal data. You should write directly to the organisation or public authority concerned to make any such request.


    In either case, if you make such a request, the organisation must stop the processing unless it can prove that the public or legitimate interest in that processing continuing outweighs your ‘significant interests’.

  • If an organisation is processing your personal data based on it being necessary for historical or scientific purposes, you have a right to request it stops processing. You should write directly to the organisation concerned to make any such request. If the controller is a public authority, it is required to have a data protection officer whom you can contact. As above, when you make such a request, the organisation must stop the processing unless the controller is a public authority and can demonstrate that the public interest in that processing continuing outweighs your ‘significant interests’.

  • If you dispute the accuracy or completeness of personal data about you, you have the right to require the controller to rectify or change the data. You should write directly to the organisation concerned to make any such request. If the controller is a public authority, it is required to have a data protection officer whom you can contact.

  • For data processed in certain circumstances (please refer to section 21 of the Law for full details) you have a right to require the controller to erase your personal data. This right is sometimes referred to as a ‘right to be forgotten’. You should write directly to the organisation concerned to make any such request. If the controller is a public authority, it is required to have a data protection officer whom you can contact.

  • For data processed in certain circumstances (please refer to section 22 of the Law for full details) you have a right to obtain a restriction of processing by the controller. You should write directly to the organisation concerned to make any such request. If the controller is a public authority, it is required to have a data protection officer whom you can contact.

  • ‘Automated decision making’ often means that no human is involved in the processing of personal data. The Law recognises that individuals should be protected against unfair and harmful practice and provides you with a right not to be subjected to an automated decision. In accordance with your rights under section 12 of the Law (see right #1 above) you should be made aware of all such processing by the organisation when it first asks you to provide your data.

  • This element of the Law allows you to instruct that your personal data be transmitted from one organisation that acts as a ‘controller’ of your data to another organisation that you wish to have control of your data (e.g. moving your medical records from one GP practice to another). The Law sets out certain requirements for controllers to ensure such requests can be handled easily. We have prepared further guidance in this area that you might find useful.