This is the 4th blog in our series about GDPR. We have already covered the basics definitions, the core principles that underpin the new regulation and the legal bases you have for processing personal data. In this blog we will talk about what rights data subjects have under GDPR.

So under the current Data Protection Act, the data subject already has a number of rights but they are not always made clear. Under GDPR, data subjects get a few more rights and will now have to be made aware of them so they can invoke them should they want to.

The Data Subject now has these rights:

1. Access
2. Rectification
3. Erasure (Right to be forgotten)
4. Restriction of processing
5. Portability
6. Objection to processing
7. Automated decision making including profiling

They have recently added “Right to be informed” but this right is covered by your Privacy Notice.

We will now go through each of these and make suggestions on how to deal with these rights being invoked.

1. Access

When we talk about access this usually refers to Subject Access Requests (SAR). These are not new under GDPR but there have been some new rules applied to them.

• Controllers must provide the data subjects with access to a copy of their personal data if they make a written request – so the individual must make the request themselves.


• Data subjects are entitled to the following information:
• A description of the personal data
• The purposes for which is it being processed
• Recipients of the data – should you share their data with anyone.
• Retention period – how long you will hold their data and why.
• Their rights to rectification, erasure, restriction and objections.
• Any existence of automated decision making
• Any transfer safeguards that exist – if you transfer their data to other places what security and safeguards do you have in place.


• A copy of the information must now be provided within 1 month and at no fee.
• This has changed from the current rules.
• You may charge for further copies of the same information. The fee must be based solely around administration costs.
• You can extend the period to 2 months when there is a lot of information. You must inform the individual within 1 month and explain why you need to extend.
• You can charge a reasonable fee when the request is manifestly unfounded or excessive, particularly if it is repetitive.
• Their rights to rectification, erasure, restriction and objections.
• You must charge the fee based solely on administration costs
• In this case you do have the right to refuse to respond. You must inform the data subject that you are not fulfilling the request and inform them of their right to complain to a supervisory authority and to a judicial remedy without undue delay.


• You must provide the data in reasonable means – if the request is made electronically you should provide it in an electronic format.

2. Rectification

Data subjects are entitled to require the controller to rectify any errors in their personal data.

You must request must be fulfilled within 1 month.

HOWEVER in some cases this is NOT an absolute right and healthcare is one of them. If someone comes in and asks you to change your diagnosis of a problem, you do not have to do this provided all of the symptoms pointed to it being the diagnosis you gave.

If you are not taking action you must explain this to the individual within 1 month, informing them to their right to complain to the supervisory authority and to a judicial remedy.

3. Erasure (Right to be forgotten)

Data subjects are entitled to ask the controller to delete their personal data.

BUT in most cases, provided that an organisation has a lawful basis for processing personal data, it will not be significantly affected by the right to be forgotten.

Due to your legal obligations to hold patient data for a certain length of time means this is not an absolute right for your patients.

4. Restriction to processing

Data subjects may be entitled to limit the purposes for which the controller can process their data.

Examples of when this can happen:

• When accuracy is contested – if they believe the data is inaccurate they can restrict processing of the inaccurate data.
• Processing is unlawful – if the data subject believes your legal basis for processing is not justified.
• Data is no longer needed by the controller but the individual requires it for establishment, exercise or defence of legal claims.

5. Data Portability

Data subjects have the right to transfer their personal data between controllers. What this basically means is that they can obtain and reuse their data for their own purposes and move to another provider.

Personal data should be provided in a structured, commonly used format. Ensure you respond to this right within 1 month.

6. Object to processing

A controller must have a legal basis for processing personal data.

Where the lawful basis is either legitimate interests or public interests, those lawful bases are not absolute and data subjects may have the right to object to such processing.

Data controllers are obliged to consider the request but not necessarily action it. If you do not action it you must let the data subject know AND justify your reason for not carrying out the request.

However an individual always has the right to object to direct marketing. So regardless of any other basis, you must STOP marketing to them if they unsubscribe. The best way to ensure you cover this right is to offer an unsubscribe link at the bottom of all emails.

7. Right not to be evaluated on the basis of automated processing

Data subjects have the right not to be evaluated in any material sense solely on the basis of automated processing of personal data.

Exceptions to this include:

• When it is necessary entering into or performance of a contract
• An example of this would be getting a car insurance quote – you enter a lot of information in and they make a decision based on that information.


• When it is authorised by Union or Member State Law


• When an individual’s explicit consent has been obtained
• So if you want to carry out automated decision making, ask your patients for their consent – you will then be able to carry out this processing.

If you do any automated decision making, you must offer individuals opportunities to introduce human intervention – this is a right.

In your clinic it is very unlikely that you will carry out automated decision making, as you treat all patients as individuals, but we thought it was worth mentioning.

So these are all of the rights that data subjects have. It is very important that you have a process/procedure in place in the event that one of these rights are invoked by a patient or someone you hold personal data on.