The rights of individuals, set out in Articles 15 - 22 of the Applied GDPR, are:
- Right to information about processing
- Right of access
- Right to rectification
- Right to erasure (‘right to be forgotten’)
- Right to restriction of processing
- Right to data portability
- Right to object to processing
These rights can only be exercised against controllers, who must respond in a timely and appropriate manner.
Regulation 140 of the Implementing Regulations makes it clear that the exercise of rights, or the associated obligations of controllers, cannot be removed or restricted by any enactment or rule of law which otherwise prohibits or restricts the disclosure of the personal data or authorises the withholding of such personal data.
Individuals can take remedial actions against controllers or processors if they consider that their rights have been breached or there is non-compliance with the requirements of the law.
Article 12 of the Applied GDPR sets out general rules in respect of duties and procedural aspects of the rights, together with exceptions to those general rules.
General rules applying to the rights
- Controllers must “facilitate” the exercise of data subject rights
- Controllers must take action to respond to individuals’ requests to exercise rights and either confirm that action is being taken or advise that no action is being taken, together with the reason for not taking action
- Action must be taken “without undue delay” and in most circumstances within ONE month of receipt of the request*
- Communications with data subjects about the exercise of their rights must be in writing in a clear, concise, transparent, intelligible, and easily accessible form, using plain and clear language, particularly when addressed to children or other vulnerable groups
- All communications and actions taken by the controller are generally free of charge**
- Controllers may seek additional information to identify the individual exercising their rights if they have “reasonable doubts” concerning the individual’s identity (not applicable to Article 22 of the Applied GDPR)
Exceptions to the general rules
Compliance period *
The compliance period is "without undue delay" and in any event within one month of receipt. (See Calculating "one month".) Compliance with a request to exercise a right can be delayed by a maximum of TWO months, if necessary, where the requests are particularly complex or due to the volume of requests received.
If there is a delay, the reason for the delay must be explained to the individual within ONE month of receipt of the request.
If a request to exercise a right is manifestly unfounded or excessive, particularly due to repetition of the same request, the controller may charge a reasonable fee (based on administrative costs), or refuse to act. Controllers must be able to demonstrate why they believed the request to be manifestly unfounded or excessive.