- Right to be informed: Individuals have the right to be informed if their personal data is processed, in which way, and by whom (in case of a sub-processor).
- Right to access: Individuals have the right to access their processed data. This right can be exercised verbally or written and the controller must respond within one month without charging for it.
- Right to rectification: Individuals have the right to correct any inaccurate personal data or complete missing data.
- Right to erasure: Individuals have the right to have their personal data removed. This is only possible if the controller doesn't have basis for processing the data (anymore).
- Right to restrict processing: Individuals have the right to restrict or suspend the processing of personal data when an organization is under investigation or when it has processed the data without any legal basis.
- Right to data portability: Individuals have the right to receive their processed data or request an organization to transfer its data to a different organization.
- Right to object: Individuals have the right to object to the processing of their personal data and can stop their data to be used in direct marketing activities. Organizations are required to inform users about their right to object and must comply to a request within one month.
- Rights against automated decision-making / profiling: Individuals have the right not to be subjected to any type of automated decision-making or profiling system which produces legal effects or similar results which can affect the individual.
Keep in mind, you don't have to create fully-automated tools to handle each of these rights. You just need to process the request in the given time periods which can be done manually or automated. It's up to you and your business.
upcoming topic: the privacy register and data processing agreements.