The GDPR provides the following rights for individuals:
The right to be informed – this is typically done through a privacy notice, which will need to be configured to match the data processing that will be undertaken.
The right of access – confirmation that an individual’s data is being processed, access to that information and other supplementary information.
The right to rectification – inaccurate or incomplete data needs to be corrected. If this data has been passed on to a third party, they also need to be informed of the rectification – the individual may also need to be informed of the third party.
The right to erasure (the right to be forgotten) – individuals can ask for their data to be deleted. This can be refused only if the data is being processed to exercise the right of freedom of expression and information; to comply with a legal obligation, public interest task or role of a local authority; public health purposes in the public interest; archiving, science/historical research or statistical purposes; or to defend against legal claims.
The right to restrict processing – when an individual exercises this right, only the original personal data can be stored.
The right to data portability – enables an individual to obtain and reuse their personal data. For example, they might want their usage data to enable them to find a better deal.
The right to object – the controller needs to stop processing the personal data unless they can demonstrate a reason to override the interests, rights and freedom of the individual; this includes the establishment, exercise or defence of a legal claim.
Rights in relation to automated decision making and profiling – organisations need to consider whether their processes constitute (non-human) automatic decision-making.