Data Subject Rights Explained

1. What are Data Subject Rights?

The GDPR provides every Data Subject (individual) with eight rights to protect their personal data and safeguard their privacy. Therefore, when organizations process personal data – from their employees or through their business activities – they need to be able to respond to those requests.

Here’s an overview of the GDPR’s Data Subject Rights:

1.1. Right to be informed

The first right is directly linked to the principles of “fairness” and “transparency” mentioned in the GDPR. These principles state that the data subjects – the people whose personal data are processed – must be aware of the processing, and that organizations need to be open and unambiguous about this processing. This is to allow data subjects to make an informed decision about the processing of their personal data regarding specific purposes established by the organization.

The GDPR details which information must be provided to the data subjects, when personal data are being collected or as soon as possible:

  • The identity of the organization who decided on the processing, the “controller” (What is a controller), and where applicable, the contact details of its data protection officer (DPO).
  • The purposes of the processing, and its legal basis – one of the grounds set out in the GDPR allowing the processing. In case of “legitimate interest for the controller” as legal basis, this interest in question must be provided.
  • To whom the personal data may be shared with.
  • Whether or not personal data will be transferred to third countries (countries outside the European Economic Area) and, if so, which safeguards are implemented.
  • The retention period – how long the data will be kept – for the collected personal data.
  • Their different rights (see this article).
  • Their right to withdraw their consent at any time – when the legal basis is based on the data subject’s consent.
  • Their right to lodge a complaint with a Supervisory Authority.
  • Whether or not the collection of their personal data is a contractual requirement and whether they are obliged to provide them – if mandatory, they must be informed of the possible consequences of failure to comply.
  • Whether they are subject to automated decision-making and, if so, the logic behind and the possible consequences of the automation. We will discuss further on this topic in the description of their “right”.

If the personal data have not been collected directly from the data subjects, the controller must also inform them of the categories of the concerned personal data (e.g., identification data, contact details, health data, etc.) and from which sources the personal data were collected. If controllers intend to disclose personal data to other recipients, they must inform the data subjects at the latest when they first disclose it.

There is also a link with GDPR’s principle on “purpose limitation”, where the controller must also inform their data subjects when they intend to process personal data for a purpose other than that for which they were originally collected.  

However, these obligations to inform can be disregarded when the data subject already has all the information mentioned above, if the personal data is under professional secrecy, etc.

1.2. Right of access

Probably one of the most famous rights from the GDPR. While the first right was more an obligation towards organizations holding personal data from data subjects, this right of access gives data subjects direct power and control over their own personal data; it will make them able to know what is done with their data and decide what to do with this processing thanks to their other rights.

More precisely, it allows data subject to directly ask for the information detailed in the previous right, but also to ask for a copy of their own data to the controller.  

For the organizations, it means they need to be able to provide a copy of those personal data. It must be provided in a commonly used electronic form unless the data subject requested otherwise.

Handle Data Subject Rights Requests with ease

Manage your Data Subject Requests effortlessly with RESPONSUM’s, automated, and structured approach.

1.3. Right of rectification

This third right is linked with GDPR’s principle on “accuracy”. This principle states that the personal data must stay accurate during the whole processing. With this right, data subjects have the possibility to ask to the controller for a rectification of their personal data, by correcting or completing them.

This goes for objective information (e.g., the data subject’s address is not correct), but also subjective information (e.g., the level of satisfaction). In the last case, when the inaccuracy cannot be proven, it is safe to indicate that the data is opinion-based and, if it is appropriate, to accept the data subject’s request. Another good practice would be to hold the processing while the rectification request is assessed and/or executed.

It is important to highlight that this right goes further than the sole controller. Inaccuracies must be communicated to the other recipients who accessed the data subject’s inaccurate data so these recipients can also rectify it. If it is impossible or involves disproportionate effort, they must be able to inform the data subject about these recipients.

1.4. Right to be forgotten

This is probably also one of the most famous rights from the GDPR, with the right of access. Also known as the right to erasure, it allows people to ask the deletion of their own data from the controller. This right seems quite powerful, but some conditions exist. The erasure must be done without excessive and unjustified delay when requested if one of these conditions is met:

  • The personal data are no longer necessary for the purposes they were collected for.
  • The data subject withdraws his consent – if the legal basis was based on consent and no other legal basis can legitimate the processing. This right is even strengthened when the data subject is or was a child during the processing.
  • If the data subject uses his right to object the processing and that the controller’s interests do not prevail over the ones from the data subject.
  • The processing is unlawful – absence of legal basis or non-compliance with the GDPR’s principles.
  • The erasure is required to be compliant with a legal obligation.

Like the right of rectification, any accepted request for erasure must be communicated to the other recipients that have access to the data subject’s personal data. 

1.5. Right to restriction of processing

Restricting the processing is a less drastic approach than requesting erasure of personal data. With this right, the controller must “simply” stop the processing of the data subject’s personal data– except the storing. However, the GDPR establishes a list of valid reasons to exercise this right:

  • The accuracy is questioned by the data subject. The controller must assess the accuracy of the data while the processing is stopped.
  • The processing is unlawful and the data subject decides to opt for the restriction of processing instead of the erasure.
  • The personal data is no longer needed by the controller, but the data subject still needs it for legal claims.
  • The data subject objects the processing – for more info, check out 1.7. The processing is restricted while the request to object is assessed.

The lifting of the restriction can only be done either when the data subject gave his consent, the processing is needed for legal claims, it is to protect the rights of another person, or it is for important public interests. Nonetheless, the data subject must be informed when the lifting happens.

1.6. Right to data portability

The right to data portability is a bit similar to the right of access. It gives the possibility to the data subject to ask for a copy of his own data in a “structured, commonly used and machine-readable format”. The aim of this right is mainly to give the power to data subject to choose who will process his data and to easily change between different providers. At the request of the data subject, the transfer can be done directly from the controller to another provider.

However, this right can only be exercised when the data was provided by the data subject to the controller – inferred and derived data will not be covered by this right – and if the processing was based on consent or in the performance of a contract. To exercise this right, the processing must also by carried out by automated means (e.g., using a digital format).

1.7. Right to object processing

When the processing is based on legitimate interest – for the controller – or public interest, some data subjects might object the processing. It happens when the data subject does not agree with the controller if the processing is indeed legitimate or if it serves the public interest. However, it must be because of the data subject’s particular situation (i.e., for legal, ethnic, etc. reasons or simply for their own specific interests). The data subject can also exercise his right regarding research and statistical purposes, unless the processing is needed for the public interest.

When the processing is for marketing purpose, this right is absolute, meaning the controller cannot argue and must respect the data subject’s decision.

1.8. Right to not be subject to automated decision-making

Like the right to be informed, this right is more an obligation towards organizations. This time, it is for those doing automated individual decision-making processes. Data subjects have the right to not be subject to this processing when it has significant impacts, including legal effects. The processing can only occur if it is:

  • Necessary for the performance of a contract.
  • Authorized by law.
  • Authorized by the data subject through consent.

Nonetheless, suitable safeguards must be implemented to ensure the rights and freedoms and the legitimate interests of the data subject are protected.

Related Article

A Complete Guide to Data Subject Requests

2. Who do Data Subject Rights apply to?

A data subject can be anyone. For instance, if a U.S. citizen travels to Belgium and goes to a hotel, he will be able to exercise his Data Subject Rights. Any organization established in the in the European Economic Area (EEA) has to comply with the GDPR, giving to the concerned data subjects the rights provided by the GDPR. On the other hand, organizations not established in the EEA must comply with the GDPR only if they are selling goods or services to or monitor behavior of EEA citizens. That is why U.S. companies like Microsoft or Meta have to comply since they also provide services to EEA citizens. If a French person orders something on an Asian web shop where the Euro currency and European addresses are not accepted, the GDPR will this time not apply since it is not meant for EEA citizens.

Organizations have the duty to ensure individuals can exercise these rights. It goes from the designing of the processing – Data Protection by Design – to the handling of data subject requests. The GDPR allows one month to the controllers to respond to the data subjects’ requests, but it must be done without delay since an unlawful or inaccurate processing can have a huge impact for the data subject. All of this can quickly be overwhelming for unprepared organizations, but fortunately, solutions exist to help them.

Another thing worthy of being mentioned is that, as a general matter, the rights established by the GDPR are not absolute; they cannot infringe on other people’s rights (e.g., freedom of speech) or there might be other legal requirements that prevail (e.g., tax laws, national security laws, etc.).

3. What are the GDPR's Data Subject Rights based on?

Even before the General Data Protection Regulation (GDPR) existed, people had rights regarding their privacy and the protection of their personal data.  They are listed in article 7 and 8 of the Charter of fundamentals rights of the European Union.

The elaboration of a European framework for data protection did not happen all at once. It started with the simple right to privacy in the Universal Declaration of Human Rights in 1948, to more and more detailed rights from the OECD Guidelines (1980) and its “Individual Participation Principle”, the Convention 108 (1981), the Data Protection Directive (1995) and finally, the General Data Protection Regulation (GDPR) in 2016. It has been a long journey, but we have now a harmonized and successful implementation of data protection laws within the EU, allowing any data subject to enjoy his fundamental rights of privacy.  

However, laws do not do everything. It is still the duty of organizations to comply with this data protection framework and ensure sufficient protections are implemented for their data subjects’ personal data and for their rights. 

4. Conclusion

Overall, organizations must be open and unambiguous about the processes they do and the rights their data subjects have. They have an obligation to communicate those rights to the data subjects, and it must be done in a concise, transparent, intelligible way and in an easily accessible form.

Organizations must also keep in mind that they have to identify and authenticate the data subjects before responding to their request; a divulgation of personal data to a wrong or unauthorized person would constitute a data breach.

The GDPR allows one month to the controllers to respond to the data subjects’ requests, but it must be done without undue delay since an unlawful or inaccurate processing can have a huge impact for the data subject.

The provision of these rights must be free of charge, but if the data subject’s request is excessive or unjustified, the controller can ask for a reasonable fee or decline it. It is still the responsibility of the controller to justify and demonstrate its choice and inform the data subject that they can contest their decision to the Data Protection Authority.

To conclude, these rights do not give unbridled power to data subjects. They protect their rights and freedoms, as well as those of others. It is everyone’s duty to apply the GDPR’s principles and these rights in everyday activities, by first understanding them, whether as a data subject or as a controller.

Liked reading this article? Spread the word!

Get the inside scoop on simplified privacy management

Get exclusive tips ‘n tricks straight to your inbox. Join +1,100 privacy professionals already subscribed and stay ahead of the game!

Written by

Amaury André

Consultant @ CRANIUM


Copyright © RESPONSUM BV

ISO certification logo