Chapter 1

Rights of individuals

[page 14]

Individuals have statutory rights in relation to the processing of their data. These are contained in Articles 12 to 24 and 34 of the UK GDPR:

• the right to be informed about their personal data being processed or held;

• the right to access their personal data;

• the right for mistakes to be corrected within one month, or two months if the request is complex;

• the right to erasure (the so-called “right to be forgotten”). This is not an absolute right, but it strengthens employers’ existing duty to hold identifiable data for no longer than reasonably necessary;

• the right to data portability, in other words, to receive their data in a structured, commonly used and machine-readable form and to be able to transmit it to another data controller without hindrance. This might be relevant when changing jobs;

• the right to restrict processing in some circumstances, for example, if an employer no longer needs data, but the worker needs it retained to pursue a legal claim;

• the right to object to processing in some circumstances;

• the right to protection from the risk of harmful decisions taken on an automated basis (that is, without human intervention); and

• right to safeguards where an organisation uses automated processing to “profile” personal characteristics, such as psychometric testing, to analyse or predict factors such as likely work performance or health.

This information is copyright to the Labour Research Department (LRD) and may not be reproduced without the permission of the LRD.

Data protection and monitoring An LRD guide to privacy at work (April 2024)

Rights of individuals