Right to be Informed
For processing to be lawful under the GDPR, you need to identify a lawful basis before you process personal data. Determine your lawful basis for processing personal data and document it.
Right of Access
Individuals have the right to obtain:
– Confirmation that their data is being processed
– Access to their personal data
– Other supplementary information
Right to Rectification
Individuals are entitled to have personal data rectified within one month if it is inaccurate or incomplete.
If you have disclosed the personal data in question to third parties, you must inform them of the rectification where possible. You must also inform the individuals about the third parties to whom the data has been disclosed where appropriate.
Right to Erasure
The right to erasure is also known as ‘the right to be forgotten’. The broad principle underpinning this right is to enable an individual to request the deletion or removal of personal data where there is no compelling reason for its continued processing.
Right to Restrict Processing
When processing is restricted, you are permitted to store the personal data, but not further process it. You can retain just enough information about the individual to ensure that the restriction is respected in future.
Right to Data Portability
The right to data portability allows individuals to obtain and reuse their personal data for their own purposes across different services. It allows them to move, copy or transfer personal data easily from one IT environment to another in a safe and secure way, without hindrance to usability.
Right to Object
You must comply with the right to object if you process personal data for the performance of a legal task or your organisation’s legitimate interests. Individuals must base their objection on ‘grounds relating to his or her particular situation’.
Rights in Relation to Automated Decision Making and Profiling
Individuals have the right not to be subject to a decision when it is based on automated processing and produces a legal effect or a similarly significant effect on the individual.
Privacy by Design
This means that each new service or business process that makes use of personal data must take the protection of such data into consideration during the design phase.