Individual Privacy Rights: Quick Guide
We all have privacy rights; we should be told about them, and organisations need to be ready to fulfil them. Some rights are more commonly exercised than others. Some organisations routinely receive multiple requests, while others only get a handful. But even if your organisation has never received a privacy rights request, it pays to be prepared.
The eight privacy rights are:
- The right to be informed
- The right of access
- The right to rectification
- The right to erasure
- The right to object
- The right to restrict processing
- The right to data portability
- Rights in relation to automated decision making and profiling
It’s the responsibility of organisations acting as controllers to fulfil privacy rights requests, with their processors assisting, as necessary. (Controller or processor?)
Here are some key actions organisations need to take (by no means an exhaustive list):
⏹ Notify
Tell people about their rights and how to exercise them; routinely achieved via a privacy notice.
⏹ Training & awareness
Make sure employees understand what rights people have and, importantly, what to do if they receive a request. Overlooked or missed requests could result in unwelcome complaints.
⏹ Specialist skills
Make sure those staff responsible for fulfilling requests have appropriate skills and knowledge.
⏹ Privacy by Design
Build systems and processes with privacy rights in mind. Make sure legacy systems are also fit for purpose. Can data be easily retrieved, amended or deleted?
⏹ Procedures
Implement robust procedures for handling requests, bearing in mind each right has different requirements and nuances to consider.
⏹ Log
Keep a log of all requests received and their status.
⏹ Complaints
Tell people of their statutory right to lodge a complaint with a data protection authority (e.g. the UK’s Information Commissioner’s Office).
Summary of individual privacy rights
(Please take any use of the term GDPR to mean the EU version and UK GDPR)
1. The right to be informed
This right is closely aligned with transparency requirements; organisations must be open and upfront about how they’re using people’s personal data. GDPR sets out specific information which must be provided to inform people. Whenever personal data is collected people must be told the purposes it will be used for, who it will be shared with, how long you are likely to keep it and so on.
This is why privacy notices are so important. They should cover legally required privacy information, and be at hand when people provide you with their personal data.
The right to be informed also applies when personal details are acquired indirectly from another source, not directly from the individual themselves. For more detail, see the ICO Right to be informed guidance.
Tip: In most circumstances this right will apply, but it isn’t an absolute right. It doesn’t need to be fulfilled where doing so would prove a ‘disproportionate effort’, or in circumstances where it conflicts with another statutory obligation, for example an obligation of secrecy.
2. The right of access
Commonly referred to as a Data Subject Access Request – DSAR/SAR. This gives people the right to receive a copy of their personal data, plus other supplementary information. A third party (such as a relative or solicitor) can make a request on behalf of another person.
Requests must be fulfilled at the latest within one calendar month. The time period for responding can be extended for particularly complex cases.
Some DSARs are relatively straightforward, while others can be tricky and nuanced to fulfil, with careful judgement calls to make.
You can only refuse to provide information if an exemption or restriction applies, or if you judge a request to be manifestly unfounded or excessive. For more information about how to prepare and fulfil requests, see our DSAR Guide.
Tip: It’s not a right to documentation! Just because someone is referenced in an email or document, doesn’t mean the whole email chain or document is their personal data.
3. The right to rectification
If someone realises the information you hold about them is inaccurate or incomplete, they can request that it is corrected or completed. Organisations have up to one calendar month to respond.
Tip: This isn’t an absolute right, and in certain circumstances you can refuse a request if you dispute the accuracy of what the individual is claiming.
4. The right to erasure
As the name suggests, people have the right to request their personal data is erased from your systems and physical records if you no longer have a compelling lawful reason to keep it. This applies to ALL systems, back-ups and even data held in the cloud. It will apply if the personal data is no longer necessary or a person withdraws their consent.
It’s also sometimes referred to as the ‘Right to be Forgotten’, in an online context.
As with some other rights, you must respond within one calendar month. Even if you lawfully refuse to comply with a request (either in part, or in full), you must still respond to the individual and explain why you can’t delete their data.
In some cases this right can be relatively straightforward to fulfil if you have limited records for an individual and no reason to keep them, but equally important is making sure you don’t inadvertently destroy personal data you should have held on to. This is where having a clear data retention schedule can be really helpful, so you can easily identify where you have lawful justification for not erasing personal data.
Tip: See our 10 tips for managing erasure requests.
5. The right to object
People have the absolute right to object to their personal details being used for direct marketing. Such objections must be honoured in every case. When personal data is used in other ways, people have the right to object to how their information is being processed, but you don’t have to fulfil this right if you can demonstrate compelling legitimate grounds to continue the processing.
Again, you have one calendar month to respond to an objection, and must inform people if you are denying their request, along with your justification.
6. The right to restrict processing
In our experience this right, which allows people to require you to restrict your processing of their personal data, is less commonly exercised. If you do receive a request, you can continue to store the data but must not otherwise use it. Routinely this would be for a limited time period.
This right is closely associated with other rights such as the right to object or the right to rectification. For example, someone might exercise this right if they’re disputing the accuracy of information you hold about them, or objecting to you using their data for a particular purpose. Also see the ICO Right to Restrict Processing Guidance.
7. The right to data portability
This right allows people to easily reuse the personal data you hold about them for other purposes, including requesting that it’s transferred to another organisation. (In many sectors data portability requests are rare.)
This right only applies when your lawful basis for processing the individual’s data is either consent or performance of a contract, and where your processing is carried out by automated means. The right doesn’t apply if the processing is necessary for a task carried out in the public interest or in the exercise of official authority. Also see the ICO’s Data Portability Guidance.
Tip: It’s worth noting the right to portability applies to data relating to an individual’s behaviour, and could include location data, website history and more.
8. Rights related to automated decision-making including profiling
People have the right not to be subjected to solely automated decision-making (including profiling) which has a legal or similarly significant effect. For a decision to be solely automated there must be no meaningful human involvement in the process.
Article 22 of GDPR sets out that solely automated decision-making is only permitted when it is necessary for entering into, or the performance of, a contract, is authorised by applicable law, or is based on the individual’s explicit consent.
Furthermore, if you’re using special category personal data you can only carry out processing described in Article 22(1) if you have the individual’s explicit consent or the processing is necessary for reasons of substantial public interest. It’s worth noting this is subject to change under the UK Data (Use & Access) Bill.
Organisations are obliged to give people information about solely automated decisions (with legal or similarly significant effect), and individuals have a right to request human intervention or challenge a decision made about them.
Tip: Be aware the increased use of AI tools, especially in recruitment processes, could be leading to more solely automated decisions which could have a legal or similarly significant effect.
Although there are eight privacy rights, some organisations might never receive requests such as restriction or data portability. So while it’s important to be aware of them all, realistically most organisations will focus on making sure they have robust procedures for handling the types of requests they’re most likely to receive. But just remember, even if you are yet to receive a DSAR, when you do you’ll be pleased you planned for it.