UK GDPR: Data Subject Rights (Articles 15-22)
Data Subject Rights [Arts 15-22]
Rule: Individuals have rights over their personal data. You must respond within 1 month.
| Right | What it means | Citation |
|---|---|---|
| Access | Copy of their data | Art 15 |
| Rectification | Correct inaccurate data | Art 16 |
| Erasure | Delete their data (“right to be forgotten”) | Art 17 |
| Restrict processing | Limit how you use data | Art 18 |
| Data portability | Receive data in machine-readable format | Art 20 |
| Object | Stop processing (esp. marketing) | Art 21 |
| Automated decisions | Human review of automated decisions | Art 22 |
Response deadline: 1 month, extendable to 3 months for complex requests [Art 12(3)]
Source Text (Article 15 - Right of Access)
- The data subject shall have the right to obtain from the controller confirmation as to whether or not personal data concerning him or her are being processed, and, where that is the case, access to the personal data and the following information…
1A. Where a data subject makes a request under paragraph 1, the data subject is entitled to receive only such confirmation, personal data and other information as the controller is able to provide based on a reasonable and proportionate search.
The controller shall provide a copy of the personal data undergoing processing. For any further copies requested by the data subject, the controller may charge a reasonable fee based on administrative costs.
The right to obtain a copy referred to in paragraph 3 shall not adversely affect the rights and freedoms of others.