Individual Rights under GDPR

Individual Rights under GDPR

Back in the key terms article we outlined the individual rights under GDPR:

The relationship between Data Controllers and Data Processors
GDPR Video Series – Opt In Forms and Privacy Policy
GDPR Video Series – What is Consent?

Back in the key terms article we outlined the individual rights under GDPR:

  1. The right to be informed
  2. The right of access
  3. The right to rectification
  4. The right to erasure
  5. The right to restrict processing
  6. The right to data portability
  7. The right to object
  8. Rights in relation to automated decision making and profiling.

We’ll look at each of these in turn and highlight the areas where they are likely to affect you as an estate agent. This isn’t exhaustive and you should have a read of the rights yourself to ensure you are familiar with them and understand how they apply to you.


data right to be informed

  1. The right to be informed

You must provide individuals with a clear description of how you will use their data. It needs to be:

  • concise, transparent, intelligible and easily accessible;
  • written in clear and plain language, particularly if addressed to a child; and
  • free of charge.

This is typically provided in a privacy notice.  Our article on privacy notices goes into a bit more detail (LINK)  Now is the time to review your current privacy notices.

Further information : Here


data access

  1. The right of access

 Under GDPR, individuals can request a copy of the data held on them. A few important points to note:

  • You cannot charge for this service (unless the request is manifestly unfounded or excessive, particularly if it is repetitive)
  • You have one month from receipt of the request to comply with it

See our article on Subject Access Requests  for more information on how you can obtain data from your software. Remember that you may hold data outside of your software (e.g. on paper) so its important that when performing a subject access request you ensure you gather all relevant data from all sources. Your internal documentation will help you.


month of data

  1. The right to rectification

If the data held on an individual is incorrect or incomplete, then they have the right to have that data amended. Not only is it part of the GDPR, its common business sense.  You have a month to do this

Importantly – if that data has been disclosed to others then you must contact those recipients to inform them of the rectification.


right to erase

  1. The right to erasure

An individual has the right to have their data erased (known as the ‘right to be forgotten’), typically where the personal data is no longer necessary for or when the individual withdraws consent.

There are circumstances where you refuse to erase data – most likely where you need to comply with legal obligations or for the defense of legal claims.


data processing

  1. The right to restrict processing

 Individuals have the right to block processing of personal data. IN this instance you are permitted to store the data but not process it. Processing should be restricted where:

  • The accuracy of the data is contested – you should restrict processing until accuracy is of the data is verified
  • Where you are processing data where it is necessary for legitimate interests and the individual has objected to processing, you should restrict processing while you determine whether your organisation’s legitimate interests override those of the individual
  • Where you no longer need the data however the individual requires the data in respect of a legal claim.


data portable

  1. The right to data portability

Individuals have right to have their data in a machine usable format to take to another provider. It only applies to:

  • personal data an individual has provided to a controller;
  • where the processing is based on the individual’s consent or for the performance of a contract; and
  • when processing is carried out by automated means.


right to object

  1. The right to object

You must stop processing data upon request if your process data for the purposes of marketing legitimate interests or statistics/research if requested. The only exception to this is if you are processing data for legitimate interests and you can demonstrate legitimate grounds for processing that override the rights, interest and freedoms of the individual, or if the processing is for the establishment, exercise or defence of legal claims.

You must inform individuals of their right to object on first communication and in your privacy notice – it must be explicitly brought to the attention of the data subject and needs to be presented clearly and separately from any other information.


gdpr estate agents

  1. Rights in relation to automated decision making and profiling

It’s unlikely you will have to deal with this – it covers situations such as a loan application where credit search and the decision to grant a loan is made entirely without human intervention. The number of organisations for which this is likely to apply is small.

Disclaimer: This article is based upon our understanding of the General Data Protection Regulation (GDPR).  There are still some aspects of the GDPR which are undetermined or are awaiting guidance from the ICO.  This should not be relied upon as legal advice nor how GDPR may apply to your organisation.  We encourage you to work with a legally qualified professional to understand GDPR, how it applies specifically to your organisation, and how best to ensure compliance.