Data Privacy Rights
The UK General Data Protection Regulation (UK GDPR) and the Data Protection Act 2018 give you significant control over how organisations collect, use, and store your personal data. These rights apply to any organisation that holds your personal information, from your employer to social media companies, retailers, and government bodies.
Last updated: 2025-03-01
Your Rights
Right of Access (Subject Access Request)
You can ask any organisation to confirm whether they hold personal data about you and, if so, to provide a copy of that data. They must respond within one calendar month and cannot charge a fee in most cases.
Right to Rectification
If an organisation holds inaccurate or incomplete personal data about you, you have the right to have it corrected or completed. They must respond within one month.
Right to Erasure ('Right to Be Forgotten')
In certain circumstances, you can ask an organisation to delete your personal data. This applies when the data is no longer needed for its original purpose, you withdraw consent, or the data was processed unlawfully. However, this right is not absolute — it doesn't apply where the data is needed for legal claims, legal obligations, or public interest tasks.
Right to Object to Marketing
You have an absolute right to stop your personal data being used for direct marketing. Once you object, the organisation must stop processing your data for marketing purposes immediately. There are no exceptions.
Right to Data Portability
You can request your personal data in a commonly used, machine-readable format so you can transfer it to another service. This applies to data you provided directly and data processed by automated means based on consent or contract.
Right Not to Be Subject to Automated Decisions
You have the right not to be subject to decisions based solely on automated processing (including profiling) that have legal or similarly significant effects on you. You can request human intervention, express your point of view, and contest the decision.
Right to Be Informed
Organisations must tell you how they use your personal data. This is typically done through a privacy notice, which must explain what data is collected, why, how long it's kept, who it's shared with, and your rights.
Common Myths
You can demand any company deletes all your data.
The right to erasure is not absolute. Companies can refuse if they have a legal obligation to keep the data, need it for legal claims, or are processing it in the public interest.
Companies can ignore your subject access request.
Organisations are legally required to respond within one month. If they don't, you can complain to the ICO, which can take enforcement action.
GDPR only applies to big tech companies.
UK GDPR applies to any organisation — large or small, public or private — that processes personal data of individuals in the UK.
Consent is always needed to process your data.
Consent is only one of six lawful bases for processing. Others include contract, legal obligation, vital interests, public task, and legitimate interests.
What To Do
Make a Subject Access Request
Write to the organisation's Data Protection Officer (or general contact) requesting a copy of all personal data they hold about you. They must respond within one month.
Opt Out of Marketing
Contact the organisation and state clearly that you want to opt out of direct marketing. They must comply immediately. You can also register with the Telephone Preference Service (TPS) for calls.
Request Correction or Deletion
If data is wrong or you want it deleted, write to the organisation explaining what you want corrected or removed and why.
Complain to the ICO
If an organisation fails to respond, refuses without valid reason, or you believe your data has been misused, complain to the Information Commissioner's Office. This is free.
Consider Legal Action
In serious cases (e.g. data breach causing financial loss or distress), you may be entitled to compensation. You can pursue this through the courts or via the ICO.
Key Legislation
- UK General Data Protection Regulation (UK GDPR)
- Data Protection Act 2018
- Privacy and Electronic Communications Regulations 2003 (PECR)
- Freedom of Information Act 2000 (for public bodies)
Useful Contacts
Information Commissioner's Office (ICO)
The UK's data protection authority. Handles complaints and enforces data protection law.
Tel: 0303 123 1113