Under the GDPR, individuals have the following rights relating to their personal data:
- Right to access various information about their personal data;
- Right to rectify to ensure the accuracy of their personal data;
- Right to request erasure of their personal data;
- Right to restrict the processing of their personal data;
- Right to retrieve or transmit their personal data (i.e., portability request);
- Right to object to the processing of their personal data; and
- Right to not be subject to automated decision-making.
Upon receiving an individual’s request to exercise one or more these rights, businesses are generally required to respond by providing information taken on the request(s) without undue delay and within 30 days. Businesses also need to verify the requestor’s identity and should determine whether an exception to responding applies. If you receive an individual rights request, we recommend that you speak to legal counsel to make sure you are responding appropriately and not inadvertently giving up a defense, e.g., if an individual makes an erasure request based on withdrawal of his or her consent but you are processing the data based on legitimate interests.