Here are some of the key rights granted to individuals under the GDPR, which correspond to different types of request, the most being the Subject Access Requests (SARs):
1. **Right of Access (Article 15)**: Individuals have the right to obtain confirmation from the data controller as to whether or not personal data concerning them is being processed, and if so, access to that personal data and certain related information.
2. **Right to Rectification (Article 16)**: Individuals have the right to obtain from the data controller without undue delay the rectification of inaccurate personal data concerning them.
3. **Right to Erasure (Right to be Forgotten) (Article 17)**: Individuals have the right to obtain from the data controller the erasure of personal data concerning them without undue delay, under certain conditions.
4. **Right to Restriction of Processing (Article 18)**: Individuals have the right to obtain from the data controller restriction of processing where certain conditions apply.
5. **Right to Data Portability (Article 20)**: Individuals have the right to receive the personal data concerning them, which they have provided to a controller, in a structured, commonly used, and machine-readable format and have the right to transmit that data to another controller without hindrance from the original controller.
6. **Right to Object (Article 21)**: Individuals have the right to object, on grounds relating to their particular situation, at any time to processing of personal data concerning them.
7. **Rights in Relation to Automated Decision Making and Profiling (Article 22)**: Individuals have the right not to be subject to a decision based solely on automated processing, including profiling, which produces legal effects concerning them or similarly significantly affects them.
These rights empower individuals to have more control over their personal data and provide mechanisms for ensuring that data processing is fair, transparent, and accountable. When individuals exercise these rights, they often do so through SARs directed at the data controller.
