Rights of individuals

Individuals have statutory rights in relation to the processing of their data. These are contained in Articles 12 to 24 and 34 of the UK GDPR:

• the right to be informed about their personal data being processed or held;

• the right to access their personal data;

• the right for mistakes to be corrected within one month, or two months if the request is complex;

• the right to erasure (the so-called “right to be forgotten”). This is not an absolute right, but it strengthens employers’ existing duty to hold identifiable data for no longer than reasonably necessary;

• the right to data portability, in other words, to receive their data in a structured, commonly used and machine-readable form and to be able to transmit it to another data controller without hindrance. This might be relevant when changing jobs;

• the right to restrict processing in some circumstances, for example, if an employer no longer needs data, but the worker needs it retained to pursue a legal claim;

• the right to object to processing in some circumstances;

• the right to protection from the risk of harmful decisions taken on an automated basis (that is, without human intervention); and

• right to safeguards where an organisation uses automated processing to “profile” personal characteristics, such as psychometric testing, to analyse or predict factors such as likely work performance or health.