Individual rights

One of the main purposes of GDPR is to give individuals greater protection and a set of rights governing their personal data.

There are some very specific requirements under the terms of the regulation, all of which mean that the party processing or storing personal data has a responsibility to keep this data private.

GDPR gives individuals the right to be made aware when their personal data is being collected (at the point of capture), and how it will be used. In the case of video surveillance, for example, these will mean appropriate signage in and around the area where video surveillance is being used.

Articles 12 to 23 of the GDPR cover the rights of the Data Subject.

Section 1: Transparency and modalities
- Article 12: Transparent information, communication and modalities for the exercise of the rights of the data subject
Section 2: Information and access to personal data
- Article 13: Information to be provided where personal data are collected from the data subject
- Article 14: Information to be provided where personal data have not been obtained from the data subject
- Article 15: Right to access from the data subject (see Right to access)
Section 3: Rectification and erasure
- Article 16: Right to rectification
- Article 17: Right to be forgotten (Right to erasure) (see Right to be forgotten (Right to erasure))
- Article 18: Right to restriction of processing (see Right to restriction of processing)
- Article 19: Notification obligation regarding rectification or erasure of personal data or restriction of processing
- Article 20: Right to data portability
Section 4: Right to object and automated individual decision-making
- Article 21: Right to object
- Article 22: Automated individual decision-making, including profiling
Section 5: Restrictions
- Article 23: Restrictions

Of these, the rights that are most relevant in the context of video surveillance are:

The right to be informed (GDPR Articles 12 to 14 and 34)	Article 12 deals with transparency and modalities, whereas Articles 13 and 14 deal with information and access to personal data. These Articles provide the Data Subject with the ability to be informed of what personal data is collected and how long it is retained. In the VMS context, see Appendix: On-the-spot notice. Article 34 provides the Data Subject with the right to be informed in case of a data breach if it is likely to result in a high risk to the rights and freedoms of the Data Subject.
The right of access (GDPR Article 15)	This right provides the Data Subject with the ability to get access to his or her personal data that is being processed, for example, video recordings of the data subject. The Data Subject is granted the right to ask a company for information about what personal data (about him or her) is being processed and the rationale for such processing.
The right to erasure ("right to be forgotten") (GDPR Article 17)	This right provides the Data Subject with the ability to ask for the deletion of their data. In the VMS context, the erasure upon the Data Subjects' requests are exceptional due to the interests of the controller and the short retention times. (See Appendix: Video surveillance policy and Deleting video recordings partially in Appendix: The Milestone XProtect VMS system and GDPR).
The right to object (GDPR Article 21)	This right provides the Data Subject with the ability to object to the processing of their personal data. In the VMS context, other interests such as Legitimate interests (fraud detection, health and safety), Legal obligation (bookkeeping, anti-money laundry) or even contractual fulfillment (employment contracts) may override the interests and rights of the Data Subject. In all cases, this must be fully transparent so the Data Subject can know and object. If the Data Subject objects, the Data Controller must assess the objection, or otherwise he might face a fine.

For GDPR compliance in VMS systems, three rights are especially relevant: the right to be informed, the right to access, and the right to erasure.