Rights

The rights of individuals, set out in Articles 15 - 22 of the Applied GDPR, are:

• Right to information about processing
• Right of access
• Right to rectification
• Right to erasure (’right to be forgotten’)
• Right to restriction of processing
• Right to data portability
• Right to object to processing

These rights can only be exercised against controllers who must respond in a timely and appropriate manner. Regulation 140 of the Implementing Regulations makes it clear that the exercise of rights, or the associated obligations of controllers, cannot be removed or restricted by any enactment or rule of law which otherwise prohibits or restricts the disclosure of the personal data or authorises the withholding of such personal data.

Individuals can take remedial actions against controllers or processors if they consider that their rights have been breached or there is non-compliance with the requirements of the law. 

Article 12 of the Applied GDPR sets out general rules in respect of duties and procedural aspects of the rights, together with exceptions to those general rules.

General rules applying to the rights 

• Controllers must “facilitate” individuals to exercise their rights
• Controllers must respond to individuals’ requests to exercise rights and, where requests are made electronically, the information should, as far as possible, be provided electronically unless otherwise requested by the individual
• All communications and actions taken by the controller are generally free of charge*
• Communications must be in a clear, concise, transparent, intelligible, and easily accessible form, using plain and clear language, particularly when addressed to children or other vulnerable groups
• Controllers may seek additional information to identify the individual exercising their rights if it has “reasonable doubts” concerning their identity (not applicable to Article 22 of the Applied GDPR)
• Compliance must be “without undue delay” and in most circumstances within ONE month of receipt of the request**

Exceptions to the general rules

Fees *

If a request to exercise a right is manifestly unfounded or excessive, particularly due to repetition of the same request, the controller may charge a reasonable fee (based on administrative costs), or refuse to act.  Controllers must be able to demonstrate why it believed the request to be manifestly unfounded or excessive.

Compliance period **

The compliance period is "without undue delay" and in any event within one month of receipt. (See Calculating "one month") Compliance with a request to exercise a right can be delayed by a maximum of TWO months, if necessary, where the requests are particularly complex or due to the volume of requests received. 

If there is a delay, the reason for the delay must be explained to the individual within ONE month of receipt of the request.