Disclaimer: This is not legal advice. Legislation and case law change. Always consult a qualified solicitor for your specific situation.

Your Data Privacy Rights

The UK General Data Protection Regulation (UK GDPR) and the Data Protection Act 2018 give you significant control over how organisations collect, use, and store your personal data. These rights apply to any organisation that holds your personal information, from your employer to social media companies, retailers, and government bodies.

Last updated: 2025-03-01

Your Rights

Right of Access (Subject Access Request)

You can ask any organisation to confirm whether they hold personal data about you and, if so, to provide a copy of that data. They must respond within one calendar month and cannot charge a fee in most cases.

UK GDPR, Article 15

Right to Rectification

If an organisation holds inaccurate or incomplete personal data about you, you have the right to have it corrected or completed. They must respond within one month.

UK GDPR, Article 16

Right to Erasure ('Right to Be Forgotten')

In certain circumstances, you can ask an organisation to delete your personal data. This applies when the data is no longer needed for its original purpose, you withdraw consent, or the data was processed unlawfully. However, this right is not absolute — it doesn't apply where the data is needed for legal claims, legal obligations, or public interest tasks.

UK GDPR, Article 17

Right to Object to Marketing

You have an absolute right to stop your personal data being used for direct marketing. Once you object, the organisation must stop processing your data for marketing purposes immediately. There are no exceptions.

UK GDPR, Article 21(2); Privacy and Electronic Communications Regulations 2003

Right to Data Portability

You can request your personal data in a commonly used, machine-readable format so you can transfer it to another service. This applies to data you provided directly and data processed by automated means based on consent or contract.

UK GDPR, Article 20

Right Not to Be Subject to Automated Decisions

You have the right not to be subject to decisions based solely on automated processing (including profiling) that have legal or similarly significant effects on you. You can request human intervention, express your point of view, and contest the decision.

UK GDPR, Article 22

Right to Be Informed

Organisations must tell you how they use your personal data. This is typically done through a privacy notice, which must explain what data is collected, why, how long it's kept, who it's shared with, and your rights.

UK GDPR, Articles 13–14

Common Myths

Myth: You can demand any company deletes all your data.

Reality: The right to erasure is not absolute. Companies can refuse if they have a legal obligation to keep the data, need it for legal claims, or are processing it in the public interest.

Myth: Companies can ignore your subject access request.

Reality: Organisations are legally required to respond within one month. If they don't, you can complain to the ICO, which can take enforcement action.

Myth: GDPR only applies to big tech companies.

Reality: UK GDPR applies to any organisation — large or small, public or private — that processes personal data of individuals in the UK.

Myth: Consent is always needed to process your data.

Reality: Consent is only one of six lawful bases for processing. Others include contract, legal obligation, vital interests, public task, and legitimate interests.

What To Do

1. Make a Subject Access Request

Write to the organisation's Data Protection Officer (or general contact) requesting a copy of all personal data they hold about you. They must respond within one month.

2. Opt Out of Marketing

Contact the organisation and state clearly that you want to opt out of direct marketing. They must comply immediately. You can also register with the Telephone Preference Service (TPS) for calls.

3. Request Correction or Deletion

If data is wrong or you want it deleted, write to the organisation explaining what you want corrected or removed and why.

4. Complain to the ICO

If an organisation fails to respond, refuses without valid reason, or you believe your data has been misused, complain to the Information Commissioner's Office. This is free.

5. Consider Legal Action

In serious cases (e.g. data breach causing financial loss or distress), you may be entitled to compensation. You can pursue this through the courts or via the ICO.

Key Legislation

  • UK General Data Protection Regulation (UK GDPR)
  • Data Protection Act 2018
  • Privacy and Electronic Communications Regulations 2003 (PECR)
  • Freedom of Information Act 2000 (for public bodies)

Useful Contacts

Information Commissioner's Office (ICO)

The UK's data protection authority. Handles complaints and enforces data protection law.

Tel: 0303 123 1113

Citizens Advice

Free advice on data protection and privacy rights.

Telephone Preference Service

Register to opt out of unsolicited marketing calls.