We use cookies to ensure that we give you the best experience on our website. You can change your cookie settings at any time. Otherwise, we'll assume you're OK to continue.

Durham University

Information Governance

Individual Rights

Individual Rights Regarding Personal Data

Data subjects have a range of specific rights that they can exercise under GDPR. The University needs to ensure we are able to comply with these rights to meet the GDPR requirements. We must ensure we respond without undue delay and within one calendar month, although this can be extended by a further two months in certain circumstances.

Individual rights are provided for under GDPR as follows:

The right to be informed

Individuals have the right to be made aware of how their personal data is being used. This should be documented and communicated in a Privacy Notice available at the point of data collection.
The right of access Individuals have the right to access their personal data so that they are aware of and can verify the lawfulness of the data processing, as well as correcting any inaccuracies in that data. There are some circumstances under which the University will consider a request for access to personal data on behalf of another individual, or a request for access to personal data of another individual without their consent. For more information please refer to the Subject Access Request page.
The right to rectification Individuals have the right to have personal data rectified where it is inaccurate or incomplete.
The right to erasure Individuals have the right to request the deletion or removal of personal data where there is no compelling reason for its continued processing. This is often called the 'right to be forgotten'. This right is not absolute and only applies in specific circumstances.
The right to restrict processing Individuals have the right to ask us to temporarily stop processing their personal data in certain circumstances whilst such processing is reviewed.
The right to data portability

Individuals have the right to obtain and reuse their personal data for their own purposes across different services. It allows them to move, copy or transfer personal data easily from one IT environment to another in a safe and secure way, without hindrance to usability. Note that this only applies:

  • To personal data an individual has provided to a controller,
  • Where the processing is based on the individual’s consent or for the performance of a contract, and
  • When processing is carried out by automated means.
The right to object

Individuals have the right to object to:

  • Processing based on legitimate interests or the performance of a task in the public interest/exercise of official authority (including profiling)
  • Direct marketing (including profiling)
  • Processing for purposes of scientific/historical research and statistics.
>Rights in relation to automated decision making and profiling Individuals have the right not to be subject to a decision made solely by automated means and to profiling (automated processing of personal data to evaluate certain things about an individual).

When designing, developing, managing or operating University systems or processes where personal data are processed, these individual rights need to be considered and included for. Exercising of individual's rights should be explained within the Privacy Notice. Direct communications may be used to provide additional details and opportunities, e.g. unsubscribe features within emails support the right to object.