Data Subject Rights
The UK GDPR includes a set of important rights for individuals:
- The right to be informed
- The right of access
- The right to rectification
- The right to erasure
- The right to restrict processing
- The right to data portability
- The right to object
- Rights in relation to automated decision-making and profiling
Explaining Rights to Individuals
It is important that individuals are aware of their rights with respect to their personal data, and how to exercise those rights. The best place to provide such information is in your privacy information (also referred to as a privacy policy or privacy notice). You may also wish to explain individuals’ rights in more detail elsewhere, and we offer a customer-facing policy designed for this, as detailed below.
Document Templates Available
We have a range of document templates available to assist in dealing with data subject rights. The right to be informed is covered by a separate set of documents, as described here. Similarly, we have provided a dedicated set of documents for the right of access (subject access requests), as set out here.
- Our Data Subject Rights Policy, mentioned above, is a customer-facing policy which explains individuals UK GDPR rights in detail and provides helpful information on how to exercise those rights.
- Our Data Subject Rights Guidance Notes explain the rights in detail and are designed to help you better understand how to protect individuals’ personal data and their UK GDPR rights.
As with our subject access request documents, a set of template letters is available to assist in responding to requests from individual data subjects to exercise their rights:
- Data Subject Rights Letter – Acknowledgement is a straightforward response to an uncomplicated request where no additional information, proof of ID, etc. is required.
- Data Subject Rights Letter – Acknowledgement + ID Request is designed for cases where you might have reason to doubt the identity of the individual making the request.
- Data Subject Rights Letter – Acknowledgement + Fee Request is designed for unusual cases in which it is permissible to charge a fee (this is generally not allowed), i.e., where the request is “manifestly unfounded or excessive”.
- Data Subject Rights Letter – Receipt of ID acknowledges your receipt of the individual’s proof of identity and sets out your time frame for a full response.
- Data Subject Rights Letter – Receipt of Fee acknowledges your receipt of a fee for a manifestly unfounded or excessive request and sets out your time frame for a full response.
- Data Subject Rights Letter – Additional Time Required is designed for a limited number of scenarios in which it is permissible to take longer than one month to respond to a request.