The GDPR also defines a set of rights that every natural person has. This list is what makes the GDPR a good legislation. Everyone has the right to:
- Be informed about processing activities processing its personal data. The information must be transparent.
- Get access to any personal data being processed.
- Export any personal data that the person has provided to a portable format.
- Correct any erroneous data.
- Delete its data (or be forgotten).
This right is not absolute. It depends on the legal foundation of the processing activity. For activities based on consent, the right is absolute. For processing activities based on legitimate interest, all data that the controller does not have compelling reasons to maintain must be deleted. For processing activities based on a contract or legal obligation, no right to delete data exists.
- Object to and restrict any processing of personal data while the status of the data is disputed.
- Withdraw consent from any processing activity based on consent. It must be as easy to withdraw consent, as it was to give it.
- Avoid being subject to automatic decisions having negative consequences (in a legal sense) based on automatic profiling.
If a data subject corrects, objects to, restricts, or deletes any personal data, the controller must make sure this is propagated to everyone with whom the data has been shared, as long as this is technically possible.