What rights do people have?
Latest updates - 31 March 2026
31 March 2026 - We have updated this draft guidance to reflect changes to the UK GDPR following the Data (Use and Access) Act 2025 (DUAA).
- We’ve added content about how you can determine whether the processing you undertake falls within the scope of the UK GDPR’s article 22A provisions that relate to solely automated decisions with significant effects. We use the short-hand automated decision-making (ADM) across this guidance when we refer to this kind of processing.
- We’ve also clarified when your ability to undertake ADM has certain restrictions and what conditions you must satisfy in these cases.
- We’ve created a new section about the safeguards you must put in place, as well as the rights people have about the ADM that affects them.
In detail
- What do we need to tell people and when?
- What do we need to tell people under the right to be informed?
- What do we need to tell people under the right of access?
- What do we need to tell people under the ADM safeguards?
- How should we deliver the information?
What do we need to tell people and when?
You must provide people with information about your ADM activities at three key points in time:
- When you first collect people’s information (to comply with transparency provisions and the right to be informed).
- When people ask you for their information (to comply with the right of access (a subject access request)).
- When you engage in ADM (to comply with ADM safeguards).
What do we need to tell people under the right to be informed?
In general, people have the right to be informed about when you collect and use their personal information. This includes your purposes for processing their personal information, your retention periods, and who you will share it with. We call this ‘privacy information’.
The right applies when you collect that personal information from people directly, or from another source. When you obtain it from people directly, you must provide them with the privacy information at that point in time. When you obtain it from another source, you must provide the privacy information within a reasonable time period, but at the latest within one month.
In terms of ADM, articles 13 and 14 of the UK GDPR give people the right to be informed of:
- the existence of ADM, including profiling;
- meaningful information about the logic involved; and
- meaningful information about the significance and envisaged consequences for the person.
If you plan to use personal information for any new purposes, you must update your privacy information and proactively bring any changes to people’s attention.
What do we need to tell people under the right of access?
People’s right of access covers the same details about ADM that you must provide in your privacy information under the right to be informed. You must set out that ADM is taking place and include meaningful information about the logic involved and envisaged consequences. This right is triggered by a person requesting this information. You should also include information on ADM already undertaken about the person exercising their right of access.
Where possible, you should provide remote access to a secure system that provides people with direct access to the personal information you process about them. This is also a good way for them to verify and check that the information you’re using is accurate.
What do we need to tell people under the ADM safeguards?
The UK GDPR provides safeguards that you must implement when you carry out ADM. These safeguards include proactively providing certain information to people, as well as enabling people to contest the decisions you make and request human intervention. (For more information, see the next section, What are the ADM safeguards?)
How should we deliver the information?
You must consider how to provide this information in a clear and transparent manner. This is the case whether you are providing information about ADM in a privacy notice, in response to a subject access request or proactively to someone to enable them to exercise the rest of the safeguards under article 22C.
You should not use overly technical or complex explanations of algorithms or how code works. This is because it is likely to make it more difficult for people to understand how you reach decisions about them, and what impact those decisions may have on them.
You must provide the information in clear and plain language. At the same time, when you carry out ADM, you must make sure people understand how these decisions are made, including the factors and data considered, why you use these methods, and their likely impact on them.
You should take steps to assess whether the information may confuse people. They are unlikely to be technical experts, so you must consider how to produce information in ways that are accessible, concise and easy for them to understand. You should take into account the circumstances in which you deal with people, for example:
- the nature of your relationship with them, such as any power imbalance;
- the purposes you want to make automated decisions for; or
- their expectations.
Where you process children’s information for ADM, you have additional responsibilities to ensure the transparency information you are required to provide is genuinely age-appropriate. Under our Children’s code, you should tailor explanations to the developmental stage of the child audience, using language, formats, and examples that they can realistically understand. This may mean offering simpler versions of explanations, using visual or interactive methods, or avoiding concepts that are too abstract for younger users to grasp. You should assess whether children can meaningfully understand the decision, the factors influencing it, and its consequences, and adjust your communication accordingly. Ensuring comprehensible, age-appropriate information is essential for safeguarding children’s rights and supporting their ability to exercise control over their information.
You should focus on descriptions that include:
- the type of information you collect or use in carrying out ADM, including profiling;
- why this information is relevant or how it influences the decision;
- how this information is processed; and
- what the likely impact is (ie how it may affect them).
Example
An online retailer uses ADM to determine whether to offer credit terms for purchases. The categories of personal information it uses for this purpose include any previous purchase history with the same retailer and information held by credit reference agencies. This process produces a credit score for a specific person.
The retailer explains this in the privacy information it provides to people when they sign up to the service and the retailer first starts collecting personal information.
It includes a high-level summary that clearly and simply says it will analyse information about past behaviour, account transaction history, and perform a soft credit check to decide whether or not it will offer them credit (or the terms of the credit). It also includes a link to more detailed information for those that need it.
As people continue to use the service and make purchases, the retailer uses just-in-time notifications to inform them, in context, about how it will use specific purchase information to calculate credit terms.
You should deliver privacy information in the same way as when you first collect personal information. For example, if you collect personal information in an online form, you should deliver the privacy information on the same page or have a prominent link to it.
You could also create a dedicated and easy-to-find space in your app or site for people to:
- find out how you use their personal information;
- access the information you hold on them (including details of any profiles and the data input into them); and
- manage what happens with it.
Further reading – ICO guidance
Age appropriate design: a code of practice for online services