
Your Rights Under GDPR and Data Protection Laws

What Is GDPR?

The General Data Protection Regulation (GDPR) is a comprehensive data protection framework that was adopted across the European Union and retained in UK law after Brexit as the UK GDPR, working alongside the Data Protection Act 2018. Together, these laws give individuals significant control over their personal data and impose strict obligations on organisations that collect, process, or store it.

Personal data includes any information that can identify you directly or indirectly: your name, email address, phone number, IP address, location data, online identifiers, and even your opinions and preferences. If an organisation holds any of this information about you, UK GDPR applies to how they handle it.

Your Right to Access (Subject Access Request)

You have the right to ask any organisation whether they hold personal data about you and, if so, to receive a copy of that data. This is known as a Subject Access Request (SAR). The organisation must respond within one calendar month of receiving your request.

When you submit a SAR, the organisation must provide:

  • Confirmation that they are processing your personal data.
  • A copy of the personal data they hold about you.
  • Information about the purposes of the processing.
  • The categories of data being processed.
  • Who the data has been or will be shared with.
  • How long they intend to retain the data.
  • Information about the source of the data if it was not collected directly from you.

You do not need to give a reason for making a SAR, and the request should be free of charge in most circumstances. The Information Commissioner's Office (ICO) provides template letters to assist you in making a request.

Your Right to Deletion (Right to Erasure)

Often referred to as the "right to be forgotten", this right allows you to request that an organisation delete your personal data. Organisations must comply when:

  • The data is no longer necessary for the purpose for which it was originally collected.
  • You withdraw your consent and there is no other legal basis for processing.
  • The data has been processed unlawfully.
  • Deletion is required to comply with a legal obligation.

There are exceptions. Organisations can refuse deletion requests if they need to retain the data for legal compliance, public interest, legal claims, or freedom of expression purposes. However, they must explain their reasoning if they refuse your request.

Your Right to Data Portability

Data portability gives you the right to receive the personal data you have provided to an organisation in a structured, commonly used, and machine-readable format. You can also request that the organisation transmit this data directly to another organisation, where technically feasible.

This right applies when the processing is based on your consent or a contract, and is carried out by automated means. In practice, this means you can download your data from one service and upload it to a competitor, making it easier to switch providers without losing your information.

Your Right to Rectification

If an organisation holds inaccurate personal data about you, you have the right to request correction. This applies to factual inaccuracies as well as incomplete data. The organisation must respond within one month and must also inform any third parties with whom the data was shared about the correction.

Your Right to Restrict Processing

In certain circumstances, you can request that an organisation limit how it uses your data rather than deleting it entirely. This might apply when you contest the accuracy of the data (while verification takes place), when the processing is unlawful but you prefer restriction over deletion, or when the organisation no longer needs the data but you need it retained for legal claims.

Your Right to Object

You can object to the processing of your personal data in specific situations, including direct marketing (where the organisation must stop immediately upon your objection), processing based on legitimate interests or public interest, and processing for research or statistical purposes. When you object to direct marketing, the organisation has no grounds to refuse and must cease processing immediately.

How to Make a Request

You can exercise any of these rights by contacting the organisation directly. Most organisations have a Data Protection Officer (DPO) or a dedicated privacy team. Your request can be made verbally or in writing, though a written request (email is sufficient) provides a clear record. Include:

  • Your full name and enough information for the organisation to identify you in their systems.
  • A clear description of what you are requesting (access, deletion, rectification, etc.).
  • Any specific data or timeframe you are interested in, if applicable.

Response Timeframes

Organisations must respond to your request within one calendar month. In complex cases or where multiple requests are made, they may extend this by a further two months, but they must inform you of the extension within the initial month and explain why it is necessary. If an organisation fails to respond or refuses your request without adequate justification, you can lodge a complaint with the ICO.

How KF.Social Supports Your Rights

KF.Social is committed to transparency and compliance with UK data protection laws. You can access your data, request corrections, or submit a deletion request through your account settings or by contacting our data protection team directly. We process all requests in accordance with the legal timeframes and provide clear explanations for any actions we take.

Our privacy policy details exactly what data we collect, why we collect it, how long we retain it, and who it is shared with. We encourage all users to review this policy and to exercise their rights if they have any questions or concerns about how their data is handled.

For comprehensive guidance on your data protection rights and how to enforce them, visit the ICO's website, which provides clear, accessible information for individuals.
