Your rights under the GDPR
The GDPR strengthens your rights and gives you much more control over your personal data. It also imposes more obligations on companies who control and process your data. You have more rights under the GDPR about how your personal data is handled and processed. Data controllers and processors are required to comply with the Regulation.
Under the GDPR, your personal data is data that relates to or can identify you either by itself or together with other available information. Examples of personal data include your name, phone number, bank details and medical history.
You are a data subject when you are the person to whom the personal data relates.
Data controllers and data processors are organisations that collect or use your personal data. You can read about the obligations of data controllers and processors under the GDPR and about the concepts and principles involved.
This document outlines your rights as a data subject under the GDPR.
The Data Protection Act 2018 was signed into law on 24 May 2018.
Where we mention “current legislation” in this document, we refer to the situation up to this date. This document will be updated as more information becomes available.
Collection of your data
Under the GDPR, when your personal data is collected either directly or indirectly from you, the controller should give you the following information:
- Identity and contact details of the controller or their EU representative
- Contact details for the data protection officer
- Purpose of the processing intended and its legal basis
- If the legal basis is a "legitimate interest" of the controller, what that interest is
- The intended recipients of the data
- Any intention to transfer the data outside the EU and if so, the data safeguards in that country
- The period for which the data will be stored or the basis for determining that period
- Your right to request access, rectification, erasure, restriction of use, objection of use and data portability
- Your right to lodge a complaint to a supervisory authority
- Whether you must provide your data as part of a statutory or contractual requirement and the consequences of not providing the data
- The existence and logic of any automated decision-making or profiling processes
If the controller intends to process your data for a purpose other than the purpose for which it was collected, the controller must provide you with information about this purpose before processing begins.
Your right to access your data
Both the current Irish legislation and the GDPR provide you with a right to see a copy of any personal data held by a controller about you. If you believe a person or organisation is processing personal data about you, you can request that they tell you whether they are processing this data. If your data is being processed you will be able to request a copy of that data to be sent to you. The controller will be able to charge a reasonable administrative fee for this. Under the current legislation, the fee cannot be more than €6.35.
You are entitled to the following information:
- The purposes of the processing
- The categories of data being held
- The identity of any recipients who may see this data
- The period for which it will be stored
- Your right to lodge a complaint with a supervisory authority
- Where the information was not collected from you, information about the source
- The use of any automated decision-making processing and information about that process
- If the data is being transferred to a country outside the EU, the data safeguards in that country
Your right to have your data rectified, restricted or erased
Both the current Irish legislation and the GDPR provide you with the right to request controllers to rectify inaccurate or incomplete personal data they hold about you.
You currently have a right to restrict a controller from processing your personal data where:
- The accuracy of the data is in question
- The processing of the data is unlawful
- The controller no longer needs the data for the original purpose but it is required by you for other reasons
- You have challenged the legal basis for the processing
Once the processing has been restricted, the controller must inform you before lifting that restriction.
Under the GDPR you have a strengthened right of erasure. You can request a controller to erase your data and a controller has an obligation to erase your data if one of the following applies:
- The data is no longer needed for the purpose it was collected
- You have withdrawn your consent to the processing of your data
- You object to the processing of your data
- There is no lawful basis for the processing
- The data must be erased to comply with law
- The data was collected in relation to an offer of online services
The right of erasure also includes the right to have publicly available personal data erased or as far as technologically possible, removed from public availability.
The GDPR also gives legislative effect to the right to be forgotten procedure. The right to be forgotten is a right to have search engine results that relate to you, or to a certain incident concerning you, removed from internet search listings once that information is no longer relevant. For example, if an online search for your name turned up a link to a photograph of you that you believe is no longer relevant for the purpose for which it was collected, you can request that the search engine remove that link from its search results. However, the right to be forgotten is not an absolute right and requests under the procedure are assessed on a case-by-case basis.
The right of erasure does not apply where processing is necessary because of an overriding freedom of expression, legal or public interest.
Your right to move or transfer your data
The GDPR introduces the right to data portability. This means that you can request and receive personal data that you have previously provided to a controller in a commonly used and machine-readable format. The right also means that you can request one controller to transfer your personal data to another controller.
Your right to object to the use of your data
The right to object means that you have the right to object to the processing of your data at any time - for example, to prevent your data being used for marketing purposes, including profiling. The controller must stop processing your data unless they can show that there are legitimate grounds or legal reasons for such processing that override your interests.
Your right to not be affected by a decision based on automated processing
Your right to not be affected by a decision based on automated processing is also strengthened under the GDPR. Where a decision is to be made about you that will have significant legal effects, you will have the right to avoid any automated decision-making processing, for example, the decision being made by a bank’s loan approval software. A controller must provide human intervention in the decision-making process if you request it.
Your right to information about the protection of your data
Data controllers must have appropriate measures to comply with your rights and must provide information to you in a concise, transparent, intelligible and easily accessible form, using clear and plain language.
If a controller does not comply with a request from you, the controller must give you reasons for this and should inform you of your right to make a complaint to the supervisory authority.
These rights will not apply where the data can no longer identify you.