Other (less common) GDPR rights
Please note this information is now out of date - please refer to the ICO for up-to-date GDPR information.
Right to Object
I expect that as a small business you won't see this right frequently exercised as this overlaps with the removal of consent, but I cover it here for completeness. In brief, the GDPR states that individuals have the right to object to direct marketing (including profiling) and should they object, you must:
- Stop processing personal data for direct marketing purposes as soon as you receive an objection. There are no exemptions or grounds to refuse.
- Deal with an objection to processing for direct marketing at any time and free of charge.
- Inform individuals of their right to object “at the point of first communication” and in your privacy notice.
This right also extends to processing for purposes of scientific/historical research and statistics.Further Information on the ICO Website
Right to Restrict Processing
I expect that as a small business you won't see this right frequently exercised as this overlaps with the removal of consent and erasure, but I cover it here for completeness.
Individuals have the right to request the restriction or suppression of their personal data - when processing is restricted you are permitted to store the personal data, but not use it.
This may be because they have issues with the content of the information you hold or how you have processed their data. In most cases, you will not be required to restrict an individual’s personal data indefinitely but will need to have the restriction in place for a certain period of time.Further Information on the ICO Website
Rights related to automated decision making, including profiling
I expect that as a small business you won't see this right frequently exercised. The GDPR has provisions on:
- automated individual decision-making (making a decision solely by automated means without any human involvement); and
- profiling (automated processing of personal data to evaluate certain things about an individual).
Profiling can be part of an automated decision-making process. You can only carry out this type of decision-making where the decision is:
- necessary for the entry into or performance of a contract; or
- authorised by Union or Member state law applicable to the controller; or
- based on the individual’s explicit consent.