The General Data Protection Regulation (GDPR) was enforced in the European Union on May 25, 2018. Its goal is to make certain that data protection regulations are evenly implemented on all member states. Data subjects have rights that are broadened under the GDPR providing them with increased control over how their personal data are collected, used or stored by businesses.
The 8 basic rights of data subjects are specified in the GDPR Chapter 3, Articles 12 to 23. These include:
Right to Access Personal Data
Article 15 allows data subjects the right to gain access to the data which a data controller collected. The data controller has one month to reply to the request of the data subject.
Right to Rectification
Article 16 allows data subjects the right to ask for the alteration of their data, for instance fixing errors and adding missing data.
Right to Erasure
Article 17 allows data subjects the right to halt processing of data and to erase, delete or to forget their personal data.
Right to Restrict Data Processing
Article 18 allows data subjects the right to ask the data controller to halt all processing that include their personal data according to specific conditions.
Right to be Notified
Article 19 declares that data controllers must notify data subjects clearly about how the collected personal data will be used; the necessary actions that data subjects can take in case their rights are impeded; and any modification or removal of their personal data.
Right to Data Portability
Article 20 allows data subjects the right to ask for the sending of their data to a third party. It could be furnished in a electronic format or using any machine readable format.
Right to Object
If a data controller doesn’t honor the request of a data subject to cease the processing of personal data, Article 21 allows the data subject the right to oppose the refusal of their request.
Right to Refuse Automated Personal Decision-Making
Article 22 allows data subjects the right to reject automated personnal data processing particularly if it will considerably impact the data subject or it is going to create legal effects for example in profiling.
The rights of data subjects in accordance with the GDPR aren’t absolute. In some circumstances, the aforementioned rights might not be granted. As an example, the data subject could not claim the right to prohibit data processing when it’s required for the prevention, scrutiny or prosecution of criminal acts. Data subjects could access their own data file when it doesn’t negatively impact other persons’ rights and freedoms.
Data controllers ought to know really well the legal rights of data subjects under the GDPR. They must also be aware when those rights could be refused and if fees may be charged for granting data subjects’ requests.