Your Rights as an Individual Under GDPR

At LeadiQ we care not only for our customers, but also the individuals in our database. Please review the data below to better understand your rights if you believe we have some of your information.

‍

In our rapidly evolving digital world, our personal information is everywhere. We are constantly being asked for our name and contact information to sign up for services on the Internet, and websites are tracking our behaviours often without us realizing. Against this backdrop, The General Data Protection Regulation (“GDPR”) was enacted in the EU to protect the personal data and privacy of EU residents and came into force on May 25th 2018.

GDPR is concerned with “personal data”, which encompasses personal information, such as name, e-mail, address, identification card numbers etc., as well as less obvious data taken from our GPS location, IP address or Cookie ID that allows a person to be identified. GDPR regulates how companies, located both within and outside of the EU, can lawfully handle EU personal data, and provides individuals with certain rights over their own data.

In this article, we’ll take a closer look at what our rights are as individuals under GDPR. To fully understand these rights, it is helpful to learn about the concept of “lawful basis of processing”. Companies that process personal data need to have a lawful basis for doing it, such as an individual’s consent or their own legitimate interest. There are six bases and we recommend that you read about them on the UK Information Commissioner's Office (ICO) website.‍

Individual Rights under GDPR

Chapter 3 of GDPR provides for eight specific rights that individuals have over their personal data.

To Be Informed:

What it is

When a company collects personal information about individuals, you have the right to be informed about that collection and the use of our data, including the purpose for processing our data, how long our data will be retained, and if/who it will be shared with. There are specific circumstances when companies do not need to inform you, for example, if you already know about it, or if they deem it would involve a disproportionate amount of effort to provide.

How it works

Companies usually rely on their Privacy Policy to inform individuals at the point in time the personal data is collected. For example, before you submit personal information to sign up for a service, individuals are asked to read and accept their Privacy Policy.

‍

Article 3(2) of GDPR states, “This Regulation applies to the processing of personal data of data subjects who are in the Union…”

‍

Access:

What it is

This is commonly known as Data Subject Access Requests (DSAR) and provides individuals with the right to obtain a copy of their personal data and also additional information about the processing of that data.

How it works

Some companies may have a webform or a contact specifically for these requests. There is no prescribed way to make this request, which can be done verbally or in writing. The ICO has provided some guidance on best practices when submitting a request. No fee is payable when you exercise this right, unless the request is unfounded or excessive, or multiple copies are requested.

Once a request has been submitted the company may need to ask for further information to verify your identity and they have up to one month to respond with the information requested. It may take longer to respond if the request is complex, in which case you should be informed of that fact.


Rectification:

What it is

Individuals have the right to rectify any inaccurate personal data, and where relevant, have incomplete data completed.

How it works

There is no prescribed way to make this request, which can be done verbally or in writing. The ICO recommends that the request is made in writing with an explanation of what you believe is inaccurate or incomplete, explain how the organization should correct it, and where available, provide evidence of the inaccuracies. You can also request restriction (see below) of the data whilst it is being rectified. The same timeline for receiving a response applies as for a DSAR.


Erasure:

What it is

This is also known as “the right to be forgotten”. Individuals can only exercise this right to have personal data deleted in the following circumstances:

  1. The original purpose for processing your data has been fulfilled and it is no longer necessary to continue processing to process your data.
  2. The company’s only lawful basis for the processing was your consent and you withdraw that consent.
  3. The company has no overriding legitimate interest to continue processing your data and you object to the processing.
  4. Your data is being processed for marketing purposes and you object to that. Your data has been processed unlawfully.
  5. The company has to erase the data to comply with a legal obligation. Processing that is for offering information society services to a child.

‍

How it works

If you have the right to request erasure, then the way to exercise it is the same as above and no fee is payable. The same timeline for receiving a response applies. Some real life examples of when you can exercise your right to be forgotten include:

  1. If you cancel a service that you will no longer use, then it is no longer necessary for the company to keep your personal details.
  2. Objecting to a company that tracks your online behavior when that is not the company’s main business.
  3. If a company sends you marketing emails without giving you the right to unsubscribe, then that is unlawful processing


Restriction:

What it is

Individuals have the right to restrict the processing of personal data, usually temporarily rather than indefinitely. Individuals can only exercise this right in the following circumstances:

  1. For the period of time a company spends verifying the accuracy of the personal data they have for you because of a challenge you made.
  2. For the period of time a company spends considering whether they have a legitimate interest ground to override your request to object to the processing of your personal data.
  3. Your data has been processed unlawfully (i.e. no lawful basis for processing) but you do not want your data to be deleted.
  4. You require the data to be held with the company, even if they don’t need it anymore, because you are involved in a legal claim.


How it works

This right is exercised in the same way as the other rights with no fee payable. The same timeline for receiving a response also applies.

The right is usually exercised in conjunction with the right to rectification or the right to object. It could also be an alternative to the right to erasure. You should be notified before any restriction is subsequently lifted.


Data Portability:

What it is

Individuals have the right to obtain a copy of personal data that has been previously provided to a service provider and to reuse it for other services. This includes the right to request that the personal data is transmitted directly to another service provider. This right only applies to data processed under the lawful bases of consent or performance of a contract, and the data has to have been processed by automated means.

Whilst personal data in this context includes observations of an individual’s activities, for example, website usage history, location data or raw data generated from wearables, it does not include data that has been extrapolated by the service provider, such as a user profile.

How it works

This right is exercised in the same way as the other rights with no fee payable. The same timeline for receiving a response also applies.

One of the key benefits of this right is to facilitate easier switching from one service provider to another.


Objection:

What it is

The right to object will stop or prevent the processing of personal data. Individuals can only exercise this right in the following circumstances:

  1. Individuals have an absolute right to stop all processing for the purpose of marketing.
  2. If the lawful basis of the processing is either legitimate interest, or for a “public task” carried out in the interest of the public or to exercise official authority.
  3. However, if the company can demonstrate compelling and overriding legitimate interest, or if the processing is related to legal action, then this trumps the individual’s right to object.

‍

How it works

This right is exercised in the same way as the other rights with one qualification. If the objection is made regarding personal data processed under legitimate interest or public task, the request needs to be accompanied with specific reasons for the objection.


Automate decision making and profiling:

What it is

Automated decision-making means making a decision solely by automated means without any human involvement. Profiling means automated processing of personal data to evaluate certain things about an individual (e.g. preferences, health, predicting behavior).

GDPR restricts companies from making solely automated decisions, including those based on profiling, that have a negative effect on individuals. The only scenarios when automated decision-making is allowed are when it is necessary for the performance of a contract, it is authorized by law, or they have an individual’s explicit consent.

How it works

If you believe that a company is using automated decision-making but shouldn’t be, you can submit a request that they don’t subject you to this. This right is exercised in the same way as the other rights with no fee payable. The same timeline for receiving a response also applies.

Some examples of automated decision-making include an automatic refusal of an online credit application or an online job application rejection without any human intervention.

Even if a company is allowed to automate decision-making, they should offer ways for you to express your view on the decision, get an explanation of the decision, request human intervention in the decision-making process, and challenge a decision.

Remember that there are many other ways that GDPR protects an individual’s privacy and personal data. You have the right to raise concerns with the company processing your personal data if your information:

  1. is not being kept securely or there’s been a data breach;
  2. has been disclosed;
  3. is being used for a different purpose than was meant for;
  4. is being kept longer than necessary; is being processed without a lawful basis.


LeadiQ respects your rights

LeadiQ offers a sales prospecting platform to increase sales productivity. We provide an efficient way to capture the contact information of new leads from public profiles, enrich existing leads on our customer’s CRM, and build accurate prospects lists. We maintain a database of verified contact information for over 100 million professionals that our customers use for their B2B outreach. If you want to find out more about how our platform complies with GDPR, please read our EU Privacy FAQ.

LeadiQ respects your right to privacy and we have procedures in place to make sure your rights are protected. If you think your professional profile is on our database, our Privacy Center provides you with the tools to control your data. If you have any privacy concerns, please do contact us at support@leadiq.com.


Disclaimer: The content in this article is not to be considered legal advice and should be used for information purposes only.