Big data and artificial intelligence concept. Machine learning and cyber mind domination concept in form of women face outline outline with circuit board and binary data flow on blue background.

What are your rights?

The General Data Protection Regulation (GDPR) and the Data Protection Act 2018 increased the number of rights an individual has in relation to the gathering, processing and storage of personal data. These are:

  • The right to be informed
  • The right of access
  • The right to rectification
  • The right to erasure
  • The right to restrict processing
  • The right to data portability
  • The right to object
  • Rights in relation to automated processing and profiling

Please note the rights are not absolute and may not apply in all circumstances.

Right to be informed
This right is fulfilled by providing certain information in a ‘privacy notice’ to an individual either at the time their personal data is collected or, if it is provided by a third party, within one calendar month. View our general privacy notices.

Right of access
This right existed under the Data Protection Act 1998 and continues under GDPR. The right of access – known as a ‘Subject Access Request’ – is the right for an individual to obtain a copy of their personal data which is held by the University. An individual may also request information on:
  • the purpose of processing;
  • the categories of personal data concerned;
  • the recipients or categories of recipient the personal data is disclosed to; 
  • the retention period for storing the personal data (or the criteria for determining the retention period);
  • the existence of their other information rights;
  • the right to make a complaint to the Information Commissioner’s Office (ICO) or another supervising authority;
  • information about the source of the data;
  • the existence of any automated decision-making (including profiling);
  • the safeguards in relation to data transfers to a third country or international organisation.
The form below can also be used for making a request. This right can only be used for accessing your own information, it does not apply to someone else’s personal data.

Right to rectification
This right allows an individual to request that personal data held about them is rectified to make it accurate or complete if it is incomplete. General changes like a change of address or change of name can be communicated to the University in the normal way. This right might be invoked following a subject access request and can also be made on the form below. If the University receives a request, the accuracy of the data will be investigated and you will be informed about the decision.
Right to erasure
This right is also known as the ‘right to be forgotten’ but it is not an absolute right and only applies in certain circumstances. Further information is available in our policies.

Right to restrict processing
In certain circumstances, such as when an individual considers their data to be inaccurate or they object to the basis for processing, they can ask that any processing is restricted whilst the data is verified or the matter is formally considered.

Right to data portability
This right allows individuals to receive their personal data in a structured, commonly used and machine readable format and they can request the University transmits the data directly to another controller. This right is limited and only applies when the personal data is held for the performance of a contract or by consent and when the individual has provided that data to the controller. The right does not apply to paper files – the processing has to be by automated means.

Right to object
This right allows individuals to object to the processing of their personal data in certain circumstances. Where personal data is used for direct marketing, this is an absolute right. But in other cases, it depends on the purpose for processing and the lawful basis that the information is held under. Further information can be found on the ICO website

Things to consider

If you are making a subject access request, you should think about what personal data you want to access and where in the University this might be held. If you want something specific, you can indicate this on the form. If you want information held by a particular Department, School or Faculty, being clear and specific will help us deal with your request as quickly as possible.

If you are exercising one of the other information rights, you may want to think about how your request is going to be fulfilled. If you are seeking to rectify, erase or restrict your personal data or even object to something, knowing whether the information is held and where it is held would be beneficial. You can establish this by submitting a subject access request under the right of access. 

Making a right of access request is free and we usually respond with electronic access to the information in question. But, you may wish to receive this information as a hardcopy – you can indicate this on the form. Any additional copies may involve an administrative fee. We may also impose a reasonable fee or refuse it completely where a request is ‘manifestly unfounded or excessive’, particularly if it is repetitive.


Generally, the University has one calendar month in which to respond to an information request. However, this timescale might be extended if a request is particularly complex or onerous. The extension might be for up-to two further months. Therefore, it is advisable to keep any request confined to what you need to obtain a response as quickly as possible.


If you are unhappy with how the University has handled your request details on how to make a complaint are contained in the Data Protection policy.
This is separate from the Students Complaints Procedure.
Complaints can be submitted to or to:
Data Protection Officer 
University of Plymouth
Drake Circus
If you have done so, and you remain dissatisfied, you can make a complaint to the Information Commissioner’s Office. The ICO is the independent Supervisory Authority for all organisations operating under the Data Protection Act 2018.