Data subject rights

The GPDR provides a number of rights to data subjects. Each right is applicable in certain circumstances or conditions. Further information can be found below. There is a table detailing the legal bases for processing and which rights apply to each basis below and on page 3 of the Data Subject Rights guidance PDF.

Data subject rights

Right of access

Individuals have a right to request a copy of any personal data that the University holds on them, and to request details regarding that data’s use, retention and any relevant sharing of the data.

The right of access is generally applicable, with exemptions in specific, limited circumstances.

Right to rectification

If personal data is inaccurate, out of date, or incomplete, individuals have the right to correction, update or completion of that data.

This right does not apply if the use or storage of the data is necessary for:

  • compliance with a legal obligation, or for performance of a task carried out the in the public interest or in the exercise of official authority
  • public health reasons
  • for archiving in the public interest, scientific or historical research purposes or statistical purposes and erasure would seriously impair these objectives
  • for the establishment, exercise or defence of legal claims

exercising the right of freedom of expression and information

Right to erasure

Individuals can request that their personal data is erased or destroyed. Also known as the “right to be forgotten”.

This right is applicable if:

  • the data are no longer needed for the purposes for which they were collected
  • consent was given to obtain the data and consent has been withdrawn
  • the data subject objects to the processing and the University has no overriding legitimate grounds to keep the data
  • the data has been unlawfully processed, e.g. the University cannot meet an appropriate processing condition for using/holding it
  • the data must be erased to ensure compliance with a legal obligation

This right does not apply if the use or storage of the data is necessary for:

  • compliance with a legal obligation, or for performance of a task carried out the in the public interest or in the exercise of official authority
  • public health reasons
  • for archiving in the public interest, scientific or historical research purposes or statistical purposes and erasure would seriously impair these objectives
  • for the establishment, exercise or defence of legal claims
  • exercising the right of freedom of expression and information

Right to restriction

Individuals can request that the use or storage of their data is restricted in a manner of the individuals’ choosing.

This right is applicable if:

  • the accuracy of personal data is contested by the data subject
  • the use or storage of the data is unlawful and the data subject opposes erasure
  • the University no longer needs the data but the individual needs the data for the establishment, exercise or defence of legal claims
  • the individual has objected to the processing and verification of the legitimate grounds of the University to override the objection is pending

Right to data portability

Individuals have the right to both receive their personal data in a structured, commonly used and machine-readable format and to transmit those data to another organisation.

This right is applicable if:

  • the data subject has provided the personal data to the controller
  • the use or storage of the data is based on consent or on a contract
  • the use of the data is carried out by automated means

Right to object

Individuals have the right to object at any time to the use or storage of their personal data.

This right is applicable if:

  • the use or storage of the data  is based on public interest tasks or legitimate interests
  • the data are being used or stored for direct marketing purposes

This right does not apply if the University has compelling legitimate grounds for the use or storage of the data which either override the interests, rights and freedoms of the individual, or are necessary for the establishment, exercise or defence of legal claims

Automated individual decision-making, including profiling

Individuals have the right not to be subject to automated processing, including profiling.

This right is applicable if:

  • the automated processing results in a decision with a legal or similarly significant effect on the individual

This right does not apply if the decisions resulting from the automated processing:

  • are necessary for entering into or the performance of a contract between the individual and the University
  • are authorised by UK or EU law
  • are based on the individual’s explicit consent

What are your rights under GDPR? (PDF table)

Putting in a GDPR request

If you would like to log a request under one of your GDPR rights, please complete the request webform.