What data protection rights do people have?
Due to the Data (Use and Access) Act coming into law on 19 June 2025, this guidance is under review and may be subject to change. The Plans for new and updated guidance page will tell you about which guidance will be updated and when this will happen.
In detail
- Why is this important?
- What must we provide in response to a subject access request (SAR)?
- What do we do if we receive a rectification request?
- What do we need to do if someone objects to our processing?
Why is this important?
People have a range of rights under data protection legislation. You must ensure that they are able to exercise their data protection rights. This also helps you comply with other data protection requirements, such as the principles.
You should consider how to help people exercise their rights directly through your service.
The lawful basis you use for your processing can affect which rights are available to people.
The following sections consider the data protection rights that are likely to be most relevant to the processing you undertake in your profiling tools.
These include the right of access, the right to rectification and the right to object.
What must we provide in response to a subject access request (SAR)?
People have the right to access the personal information that you use and generate in your profiling tools. Users have this right irrespective of which lawful basis you rely on. This means that, if a user makes a SAR, you must provide them with the personal information you use in your profiling tools, unless an exemption applies.
Depending on the nature of the SAR, you may need to provide users with:
- confirmation that you are using their personal information in your tools;
- copies of the personal information you are using;
- copies of the personal information you have generated (ie the outputs of your tools); and
- copies of the information about moderation decisions you’ve taken as a result of your profiling tools.
People are only entitled to their personal information. This means that you do not need to provide additional information that is not personal information (eg confidential commercial information).
Where possible, you should provide a secure system for users to access the personal information you hold about them.
Personal information can relate to more than one person. Therefore, responding to a SAR may involve providing information that relates to both the requester and another person. This might be the case if your profiling tools rely on information about users’ friends or connections on the service.
You should consider whether it is possible to comply with the request without disclosing information which relates to another person. Where this is not possible, you must consider whether it is:
- appropriate to get that person’s consent to the disclosure; or
- reasonable to disclose without consent, taking into account all relevant circumstances.
See our guidance on right of access for further information.
Example
A user makes a SAR to a social media company. They request copies of their personal information that the service is using in its bot detection tool. The user also requests copies of the outcomes the tool has produced about them, and information it holds about any moderation actions taken on the user that have been informed or initiated by the tool’s outputs.
The service considers the request. The information requested does not contain any personal information of other service users, and no exemptions apply to the request. Therefore, the service responds in full.
The service also provides an online portal where users can view and download the personal information the service holds about them. The portal contains a section detailing the personal information about the user that the service uses in its trust and safety tools. This includes both information the user has provided, as well as the personal information the service has inferred from the user’s activities on the service. The portal also includes a log of moderation decisions and actions that have been taken on the user, with explanations for these decisions.
The portal helps the service to uphold the user’s right to access. It also helps the service to meet its transparency obligations under data protection law.
Further reading
Right of access, including the section on What should we do if the request involves information about other individuals?
What do we do if we receive a rectification request?
People have the right to have inaccurate personal information rectified. Like the right of access, users have the right to rectification irrespective of which lawful basis you rely on.
If you receive a request from a user, you must take reasonable steps to satisfy yourself that the information is accurate and rectify it, if necessary. You should take into account the arguments and evidence provided by the person the information is about.
Even if you’ve already taken steps to ensure that the personal information used and generated by your tools was accurate, you must reconsider its accuracy if someone makes a request.
For example, your profiling tool might determine that a user’s behaviour is in breach of your terms of service. Even if you took steps to ensure your systems were functioning as intended, you must reconsider the accuracy of your tool’s output if requested, and rectify the information if necessary.
The right to rectification is closely linked to the accuracy principle of the UK GDPR. (See section on How do we ensure the accuracy of personal information in our profiling tools? for more information.)
Some of the information you use in your profiling tools might be information that users have provided themselves (eg the location or date of birth the user inputs on registration with your service). You could provide a way for users to change and update their own information which may not be accurate (eg through a dedicated area of your website or app).
What do we need to do if someone objects to our processing?
People can object to your use of their personal information in your profiling tools. However, this only applies when your lawful basis for processing is legitimate interests or public task. (See section on How do we use profiling tools lawfully? for more information about lawful bases.)
So, if you use legal obligation or consent, the right to object doesn’t apply for the processing you carry out in your trust and safety profiling tools.
The right is also not absolute. You do not have to comply with the request if:
- you can demonstrate compelling legitimate grounds for the processing that override the user’s interests, rights and freedoms; or
- the processing is for the establishment, exercise, or defence of legal claims.
The latter case is unlikely to be relevant to your use of profiling tools in trust and safety systems.
When considering whether to comply with a user’s objection, you must balance your interests with the user’s interests, rights and freedoms. You should take into account why they have objected, as this may influence your considerations. For example, if the processing causes the user damage or distress, it is more likely that their interests will override yours.