What rights does GDPR provide to consumers?

The General Data Protection Regulation (GDPR) is a comprehensive privacy law designed to protect the Personally Identifiable Information (PII) of residents of the European Union (also referred to as data subjects). GDPR achieves this goal by providing certain privacy rights to data subjects, which can be found in Chapter 3. GDPR requires Data Processors and Data Controllers to respect these rights, have a Privacy Policy, and have a lawful basis for processing PII. If you are unsure if GDPR applies to your website, make sure to read our article on who GDPR applies to. In this article, we will discuss the privacy rights that GDPR provides to consumers so that you have a good understanding of the requirements that you need to comply with. 

GDPR right #1: right to transparent information

First, GDPR provides consumers with the right to transparent information regarding the collection, use and disclosure of their PII. This requirement means that websites must have a GDPR compliant Privacy Policy that includes the following disclosures: 

  • Your identity and contact details; 
  • The contact information of your Data Protection Officer, if you have one; 
  • What PII your website collects; 
  • The purposes for which you will use the PII that you collect; 
  • A list of the rights that consumers receive under GDPR; 
  • The legal basis for processing; 
  • How long you store PII; 
  • Who you share PII with; 
  • Whether you use PII for direct marketing; 
  • Whether you use PII for automated decision making, including profiling; and 
  • Whether you intend to transfer PII to a third country or an international organization. 

The above disclosures need to be provided in your Privacy Policy, which should be: 

  • Concise, intelligible, and easily accessible; 
  • Written in clear and plain language; and 
  • Free of charge. 

GDPR right #2: right of access

GDPR also provides consumers with the right to access the PII that you hold on them, and access to supplemental information about that PII and your privacy practices. Upon submitting a request, the consumer is entitled to receive the following: 

  • Your purposes and the legal basis for processing the PII; 
  • Categories of PII that you are processing; 
  • Recipients or categories of recipients you disclose the PII to (including recipients located in third countries or international organizations); 
  • Your data retention period or the criteria used to determine that period; 
  • List of consumer rights provided by GDPR; 
  • The PII that you are processing (in writing) and the sources from which you have collected that PII. 

Since the data subject does not have to submit a request to exercise this right in writing, you should train your staff on how to spot this request and how to provide the information requested. You will need to respond to the request without undue delay and within one calendar month from the first day you receive this request. 

GDPR right #3: right to rectification 

Because basing decisions on incorrect information can have negative effects on the data subject, the next right provided by GDPR is the right to rectification, meaning that you must correct any inaccurate PII that you hold about that data subject. Data subjects also have the right to have incomplete PII completed, including by providing a supplementary statement. 

If you have disclosed the PII to any third parties, you are also required to inform them of the rectification of PII and these third parties must update the PII that they have in their records as well. Finally, you are responsible for informing the competent authority (if any) which provided you with the PII. You must respond to a request to exercise this right without delay and within 30 days of receiving the request. 

GDPR right #4: right to erasure

The right to erasure (also called the right to be forgotten) means that individuals have the right to ask you to delete all of the PII that you hold about them. This right can be exercised under the following circumstances only: 

  • The PII is no longer necessary for the purposes for which it was collected or processed; 
  • The individual withdraws the consent on which the processing is based and there is no other legal ground under which you can process the PII; 
  • The individual objects to the processing under the right to object (discussed below), and there are no overriding legitimate grounds for the processing; 
  • The PII was unlawfully processed; 
  • The PII has to be erased for compliance with a legal obligation in the European Union or an EU member country law to which you are subject; or 
  • The PII has been collected in relation to the offer of information society services. 

If you have made public the PII that the individual wants erased, you will also need to inform others who are processing the PII to erase any links to, or copies or replications of, the PII. Since modern businesses often hold PII in multiple infrastructure points, it is important that you have a good understanding of where data is stored and how it can be erased, so that you can quickly and efficiently fulfill the request for erasure. 

GDPR right #5: right to restriction of processing

The next right that GDPR provides to consumers is the right to restrict processing, which means that a data subject can allow you to use their PII for some purposes but not for others. You may restrict the processing of PII via the following methods: 

  • Temporarily moving the PII to another processing system; 
  • Making the selected PII unavailable to users; or 
  • Temporarily removing the published PII from your website. 

You should ensure that the PII is clearly labeled as “restricted” and that your staff are aware of the restrictions placed on the PII. 

GDPR right #6: right to data portability

The next right that GDPR provides to consumers is the right to data portability, which means that the consumer has the right to receive the PII that you hold about them in a structured, commonly used, and machine-readable format. Data subjects also have the right to have you send that PII to someone else. This right applies only when the legal basis for the processing is consent or the performance of a contract. 

GDPR right #7: right to object 

Under GDPR, individuals have the right to object to the processing of their PII when such processing is based on the following legal bases: 

  • Processing is necessary for the performance of a task carried out in the public interest or in the exercise of official authority vested in you; or 
  • Processing is necessary for the purpose of legitimate interests pursued by you or by a third party. 

Data subjects also have the right to object to the use of their PII for the purpose of direct marketing. If you receive an objection to processing, you must cease using the PII for those purposes unless one of the limited exceptions applies. 

GDPR right #8: automated decision making and profiling 

Under GDPR, consumers have the right not to be subject to decisions based solely on automated processing, including profiling, which produce legal effects concerning them or similarly significant effects. Because processing of this nature can produce negative effects on the data subject, your processing of PII for these purposes should be accompanied by appropriate safeguards, including specific information to the data subject and the following rights: 

  • The right to human intervention; 
  • The right for the data subject to express their point of view; 
  • The right to obtain an explanation of the decision reached after assessment; and 
  • The right to challenge that decision. 

If GDPR applies to your website, you need to ensure that you are aware of and respect all of the rights enumerated above. Since individuals have a right to transparent information, you need to ensure that your Privacy Policy makes the appropriate disclosures and informs data subjects of their rights. Use Termageddon’s Privacy Policy generator to create your GDPR-ready Privacy Policies and avoid fines and penalties.