GDPR and consumer rights

Friday 25 May 2018

With the General Data Protection Regulation (GDPR) now in force, it is important to understand the effect consumer rights could have on the way you process and hold information.

The GDPR provides eight fundamental rights for individuals, and we have set out how and when you must comply with them:

1. Right to be informed

What's new? Well, the GDPR is now more specific about the information you need to provide to individuals about the collection and use of their data, including your purposes for processing their data, your retention periods for that data, and who it will be shared with. These can typically be provided through a privacy notice.

This must actively be provided to individuals in a way that is easy to access, read and understand. If you obtain personal data from other sources, you must provide individuals with privacy information within a reasonable period of obtaining the data and no later than one month.

2. Right of access

The right of access gives individuals the right to obtain a copy of their personal data as well as other supplementary information. In addition to their personal data, you must also be prepared to provide:

  • the purpose of your processing;
  • who you disclose the data to;
  • your data storage retention period;
  • acknowledgement of an individual's right to request rectification, erasure or restriction or to object to such processing;
  • the right to lodge a complaint with a supervisory authority;
  • information about the source of the data, where it was not obtained directly from the individual;
  • the existence of automated decision-making (including profiling);
  • and the safeguards you provide if you transfer personal data to a third country or international organisation.

If an individual requests a copy of the data you hold for them, you should provide concise and transparent information in an accessible, electronic format, unless requested otherwise.

You must act on the subject access request within one month of receipt. You can extend the response time by a further two months where the application for access is complex or you have received a number of requests from the individual; however, you must notify the individual within one month of receiving their request and explain why the extension is necessary.

In most cases you cannot charge for this; however, where the request is manifestly unfounded or excessive you may charge a “reasonable fee” for the administrative costs of complying with the request. You can also charge a reasonable fee if an individual requests additional copies of their data, which must be based on the administrative costs of providing further copies.

It is important to be aware that requests can come in any form (including via social media) and to any employee in your company, so it is key that your staff know how to recognise and respond to a request.

3. Right to rectification

The GDPR includes a right for individuals to have inaccurate personal data rectified, or completed if it is incomplete. This means that if you receive a request for rectification, you should take every reasonable step to ensure that the data is accurate and if necessary, rectify it, within one month of receipt.

If you consider an application to be manifestly unfounded or excessive, you can charge a "reasonable fee" to deal with the request; or you can refuse to deal with the request. In either case you will need to justify your decision. Any reasonable fee should be based on the administrative costs of complying with the request. You must notify the individual of the cost within one month of receiving the request and you are not required to comply with the request until you have received said fee.

4. Right to erasure

The right to erasure - also known as ‘the right to be forgotten’ - means individuals have the right to have their data erased, and you must have procedures in place for deleting personal data easily and securely where there is no compelling reason for possession and continued processing. Instances of this include:

  • where the personal data is no longer necessary in relation to the purpose for which it was originally collected;
  • when the individual withdraws consent;
  • when the individual objects to the processing and there is no overriding legitimate interest for continuing the processing;
  • the data was unlawfully processed; or
  • if it is in compliance with a legal obligation.

If you refuse to comply with a request to remove an individual's personal details, you must be able to justify your decision.

If you have doubts about the identity of the person making the request you can ask for more information. However, it is important that you only request information that is necessary to confirm who they are. The key to this is proportionality and you should take into account what data you hold, the nature of the data, and what you are using it for.

5. Right to restrict processing

Individuals have the right to request the restriction or suppression of their personal data, in order to limit the way that an organisation uses their information. This may be because they have issues with the content of the information you hold or how you have processed their data. In most cases you will not be required to restrict an individual’s personal data indefinitely, but will need to have the restriction in place for a certain period of time.

You will however need to have processes in place that enable you to restrict personal data if required. As the definition of 'processing' includes a broad range of operations including collection, structuring, dissemination and erasure of data, you should use methods of restriction that are appropriate for the type of processing you are carrying out. This could be by temporarily moving the data to another processing system; making the data unavailable to users; or temporarily removing published data from a website.

6. Right to data portability

The GDPR includes the right to data portability, which allows individuals to obtain and reuse their personal data across different services for their own purposes. This means that they are entitled to have information they have provided to a controller moved, copied or transferred from one controller to another, in a safe and secure way, without affecting usability. 

It is important to remember that data ‘provided to a controller’ isn't exclusive to identifiable information (such as their contact details, username, age, etc), it also refers to personal data resulting from observation of an individual’s activities. This may include history of website usage or search activities, traffic and location data or ‘raw’ data processed by connected objects such as smart meters and wearable devices.

And whilst you can, again, charge for or refuse to comply with a request for data portability if it is manifestly unfounded or excessive, taking into account whether the request is repetitive in nature, you will need to justify your decision.

If you receive personal data that has been transmitted as part of a data portability request, you need to process this data in line with data protection requirements.

7. Right to object

The right to object allows individuals the absolute right to stop their data from being used for direct marketing purposes. They can also object to the processing of their data based on your legitimate interest, for the purpose of a task carried out in the public interest, or for the intention of scientific or historical research. If you receive an objection request, you must cease processing of the individual's personal data immediately and free of charge.

If you refuse to comply with an objection, you must inform the individual, within one month of receipt of the request, of the reasons you are not taking action; of their right to make a complaint to the Information Commissioner's Office (ICO) or another supervisory authority; and of their ability to seek to enforce this right through a judicial remedy.

8. Rights in relation to automated decision making and profiling

The regulation brings about rights for consumers which restrict automated individual decision-making void of any human involvement, and profiling activity used by organisations for direct marketing purposes. This means that if any of your automated processes determine an outcome based on pre-programmed algorithms or set criteria, or if evaluated data concerning certain personal aspects of an individual (such as their personal preferences, location or economic situation) is used as part of a decision-making process, individuals have the right to obtain human intervention, express their point of view, obtain an explanation of the decision and challenge it.

Companies must inform customers of their right to object at the point of first communication and in their privacy notice, and must stop processing personal data as soon as they receive an objection.

Because this particular type of processing is considered to be high-risk, the GDPR recommends you carry out a Data Protection Impact Assessment (DPIA) to show that you have identified and assessed what those risks are and how you will address them.


As the UK's supervisory authority for GDPR, the Information Commissioner's Office (ICO) is the foremost independent body on information rights. For further guidance, take a look at their comprehensive advice, which explains the provisions of the incoming legislation, in order to help your organisation comply with its requirements.