What is Personal Data?
The GDPR applies to personal data of individuals residing in the EU or EU nationals working outside the EU. This is any information that can directly or indirectly identify an actual person, and can be in any format. In addition, the Regulation places much stronger controls on the processing of special categories of personal data.
|Personal Data||Special categories of Personal Data|
Online behaviour (cookies)
Profiling and analytics data
Trade union membership
The Rights of the Individual
The GDPR provides the following rights for individuals:
The right to be informed: The right to be informed encompasses your obligation to provide ‘fair processing information’, typically through a privacy notice. It emphasises the need for transparency over how you use personal data
The right of access: Individuals have the right to access their personal data and supplementary information such as how their data is being processed. Information must be provided free of charge and at the latest within one month of receipt.
The right to rectification: The GDPR gives individuals the right to have personal data rectified if it is inaccurate or incomplete.
The right to erase: To enable an individual to request the deletion or removal of personal data where there is no compelling reason for its continued processing.
The right to restrict processing: Individuals have a right to ‘block’ or suppress further processing of personal data. When processing is restricted, you are only permitted to use just enough information to identify the user’s preference that none of their data should continue to be processed. You are further permitted to store any existing personal data you hold on the user as long as you do not use it further.
The right to data portability: Users’ right to request a copy of personal data in a format usable by them and electronically transmissible to another processing system.
The right to object: Individuals have the right to object to processing based on legitimate interests or the performance of a task in the public interest/exercise of official authority (including profiling), direct marketing and processing for purposes of scientific/historical research and statistics.
Rights in relation to automated decision making and profiling: Automated decision-making can only be used where the decision is necessary for the entry into or performance of a contract; authorised by Union or Member state law applicable to the controller; or based on the individual’s explicit consent.