Data protection – not an absolute right

08th November 2019

Data protection is a fundamental right set out in Article 8 of the EU Charter of Fundamental Rights, which states:

  • Everyone has the right to the protection of personal data concerning him or her.
  • Such data must be processed fairly for specified purposes and on the basis of the consent of the person concerned, or some other legitimate basis laid down by law. Everyone has the right of access to data which has been collected concerning him or her, and the right to have it rectified.
  • Compliance with these rules shall be subject to control by an independent authority.

This means that every individual is entitled to have their personal data protected, used only in a fair and lawful way, and made available to them when they ask for a copy. If an individual feels that their personal data is wrong, they are entitled to ask for that information to be corrected.

Under the General Data Protection Regulation (GDPR) individuals have:

  • The right to be informed
  • The right of access
  • The right to rectification
  • The right to erasure (‘the right to be forgotten’)
  • The right of restriction of processing
  • The right to data portability
  • The right to object to processing of personal data
  • Rights in relation to automated decision making, including profiling

More information on the rights of individuals under the GDPR can be found here.


However it’s important to highlight that data protection is not an absolute right - it must always be balanced against other fundamental rights and there may be circumstances under which an organisation could have grounds to refuse to grant an individual’s request to exercise their data protection rights. There are  also certain limitations contained within the data protection rights as set out in the GDPR; for example:

  • Your right to obtain a copy of your personal information under the rights of access or portability should not adversely affect the rights and freedoms of others.
  • Certain data protection rights only apply in certain circumstances. For instance, the right to erasure, more commonly known as ‘the right to be forgotten’, only applies under certain conditions, such as where the personal data is no longer required for the purpose it was originally collected.
  • In certain very limited cases the GDPR allows organisations to charge a reasonable fee for responding to a request, or even to refuse to act on a request, if the request is ‘manifestly unfounded or excessive’.

Article 23 GDPR allows for further restrictions on data protection rights in national law, but these restrictions must adhere to an exhaustive list of requirements, respect the essence of the fundamental rights and freedoms of individuals, and be necessary and proportionate to safeguard certain objectives of societal or general public interest.

Some of the restrictions contained in the Data Protection Act 2018 relate to:

  • the processing carried out for electoral purposes or by the Referendum Commission,
  • the safeguarding of cabinet confidentiality,
  • the administration of tax and duties,
  • the exercise or defence of legal claims, and
  • personal data relating to an opinion given in confidence.

Read: Limiting Data Subject Rights and the Application of Article 23 of the GDPR