GDPR: rights of the individual and privacy information

The GDPR provides the following rights for individuals:

  1. The right to be informed.
  2. The right of access.
  3. The right to rectification.
  4. The right to erasure (aka the right to be forgotten).
  5. The right to restrict processing.
  6. The right to data portability.
  7. The right to object.
  8. Rights in relation to automated decision making and profiling.


In brief

Under the GDPR, individuals have the right to be informed about the collection and use of their personal data.

This is one of the key transparency requirements.

It’s all about providing people with clear and concise information about what you do with their personal data.


What information must be provided?

Article 13 of the GDPR sets out the information that’s to be provided to individuals where their personal data is being collected and processed.

This information includes:

  1. The identity and contact details of the data controller (i.e. managing agent) and, where applicable, of the controller’s representative.
  2. (If a data protection officer has been appointed) the name and contact details of that DPO.
  3. The purposes of the processing as well as the legal basis for the processing.
  4. (Where the processing is based on legitimate interests) the legitimate interests relied upon.
  5. The recipients or categories of recipient of the personal data.
  6. Details of any transfers to a third country or international organisation together with details of the appropriate safeguards.
  7. Retention periods for the personal data.
  8. The rights available to individuals in respect of the processing.
  9. The right to lodge a complaint with the ICO.
  10. (If the personal data is obtained from another source) the source of the personal data.


When should this privacy information be provided?

When you collect personal data from individuals, you must provide them with the privacy information at the time you obtained their data.

If the personal data is obtained from another source (other than the individual that it relates to) you need to provide that individual with privacy information within a reasonable period of obtaining the data and no later than one month.