GDPR series - #5 - Individuals' Rights

In part 5 of 5, Ian Inman discusses new rights introduced by the General Data Protection Regulation (GDPR)

Published: 19th September 2017

Ian Inman recently joined Cox Automotive UK as Head of Privacy & Data Protection. In this series of blog posts he will give readers an overview of the General Data Protection Regulation (GDPR) and its implications.

The General Data Protection Regulation: Individuals’ Rights

In this final blog of my series on the GDPR, I decided to cover how it builds on and strengthens the rights of individuals regarding their personal data.

The rights we all know and love are still there: individuals will still have a right of access to their personal data, and the right to object to the processing of their personal data for direct marketing purposes, for example. Some of these rights have changed slightly from how we understand them today, but I focus here on some of the new rights that the GDPR introduces.

Article 17 - The Right to Erasure

Also known as the right to be forgotten, this is perhaps the most widely known of the new rights. Under the current data protection regime, there is a general requirement not to keep personal data longer than you need it. However, individuals have no right to get personal data deleted. Article 17 looks to change that but the right itself is not absolute.

Article 17 says that an individual shall have the right to obtain from organisations ‘the erasure of personal data concerning him or her without undue delay’. It then lists 6 specific circumstances where an ‘obligation to erase personal data’ arises. These are:

Together, these mean the right only arises in very specific circumstances and it may not arise at all. Article 17(3) sets out some specific purposes for processing where the right to erasure does not apply. These include, for example, where the processing is necessary for compliance with a legal obligation or where the processing is necessary for establishing, exercising or defending legal claims.

Article 17 seems simple: if any one of the circumstances set out in Article 17(1) applies and none of the circumstances set out in Article 17(3) apply, then an obligation to erase personal data arises. This could lead to problems, however: if you receive an objection to direct marketing you may want to retain a record of that person’s contact details on a suppression list so you don’t market to them again. Is this still possible if an obligation to erase arises as soon as the objection is raised? It will be interesting to see how this right is applied in practice!

Article 18 - Right to restriction of processing

The right to restrict processing is designed to supplement other areas of data protection, and so it too only arises in certain circumstances. These are:

The key thing to note here is that where any of the above apply and processing is restricted, personal data cannot be processed (other than storage) without the consent of the individual. The GDPR gives some examples of mechanisms to secure the restriction of processing, such as moving the data to another system, making it unavailable to users or temporarily removing published data from a website.

It also makes clear that for data processed in automated filing systems like computer databases, this right should be achieved in such a way that:

Article 20 – Right to data portability

This right is designed to complement the right of access to personal data. It applies to:

In simple terms, the right affords the individual the ability to receive the personal data in question ‘in a structured, commonly used and machine readable format’, as well as to send that personal data to another organisation and also, potentially, to have it sent directly from one organisation to another.

The Article 29 Working Party have said that the reference to personal data provided to the organisation by the individual should not be read too narrowly. It could include information observed from the activity of users such as activity logs, history of website usage or search activity.

All of these rights raise key questions for businesses. Bearing in mind the obligations of privacy by design and default, are your IT systems capable of enabling you to comply with these rights? Do you know on what basis you process personal data? This can change how some rights apply or even if they apply at all.

That is all for this series of blogs, but we are looking at other ways of getting more information out there to help people understand the new law, particularly in the automotive sector.

Catch up on part 1, part 2, part 3 and part 4 of this 5-part series.
