Rights of Individuals under the General Data Protection Regulation

Data protection is a fundamental right set out in Article 8 of the EU Charter of Fundamental Rights, which states:

  1. Everyone has the right to the protection of personal data concerning him or her.
  2. Such data must be processed fairly for specified purposes and on the basis of the consent of the person concerned or some other legitimate basis laid down by law. Everyone has the right of access to data which has been collected concerning him or her, and the right to have it rectified.
  3. Compliance with these rules shall be subject to control by an independent authority.

This means that every individual is entitled to have their personal information protected, used in a fair and legal way, and made available to them when they ask for a copy. If an individual's personal information is incorrect, they are entitled to ask for that information to be corrected.

In order to process personal data, organisations must have a lawful reason. The lawful reasons for processing personal data are set out in Article 6 of the GDPR.

The six lawful reasons for processing personal data are:

  1. Consent.
  2. To carry out a contract.
  3. In order for an organisation to meet a legal obligation.
  4. Where processing the personal data is necessary to protect the vital interests of a person.
  5. Where processing the personal data is necessary for the performance of a task carried out in the public interest.
  6. In the legitimate interests of a company/organisation (except where those interests contradict or harm the interests or rights and freedoms of the individual)*.

Any one of the six reasons given above can, generally speaking, provide a legal reason for processing personal data.

*It is important to note that Article 6(1)(f) provides that the "legitimate interests" reason is not available to public authorities where the processing is being conducted in the exercise of their functions. 

The tabs at the side of this page will take you to more detailed information about:

  • Your individual rights under data protection.
  • How to exercise those rights for yourself.
  • How to raise a concern with the Data Protection Commission in cases where you feel your rights are not being respected.

Information on the different legal frameworks under which your data may be processed can be found here.

It is important to remember that most organisations take data protection very seriously, and the majority of issues are resolved without a concern being raised with the DPC. The information on the following pages is designed to help you to exercise your individual rights and secure a speedy and satisfactory solution, while also explaining how to lodge a complaint in cases where that has been unsuccessful.