GDPR Data Subject Rights
For business and organizations seeking to comply with GDPR, understanding GDPR data subject rights is a crucial first step towards compliance.
With the introduction of GDPR as law across all EU member states, data subjects rights became more extensive, providing a greater degree of protection against how their data is used, transferred, and processed.
This article is part of our guidance on GDPR, which aims to help you understand the General Data Protection Regulations and your obligations under the law. However, while industry experts have put together our guide, it does not constitute legal advice. If you require definitive legal guidance, we suggest seeking professional legal advice or visiting the most appropriate Data Protection Authority (DPA).
On this page:
What is a Data Subject?
A data subject is any specific or identifiable individual whose personal data can be collected and processed.
The GDPR definition is, for obvious reasons, more specific, further defining a data subject as any person who can be identified, directly or indirectly, via an identifier such as a name, an ID number, location data, or via factors specific to the person’s physical, physiological, genetic, mental, economic, cultural or social identity.
What are the Data Subject’s rights under GDPR?
With the enactment of the GDPR, individuals, or data subjects, have the following rights:
1. Right to be informed
Data subjects have a right to receive clear and understandable information about who is processing their data, what data they are processing, and why they are processing it
2. Right of access
Data subjects can request access to, and receive a copy of their data, and other supplementary information an organization has about them
3. Right to rectification
Individuals can request any of their inaccurate personal data is rectified, or any incomplete information is completed
4. Right to erasure
Commonly referred to as the right to be forgotten, data subjects have the right to have personal information erased
5. Right to restrict processing
Individuals can request their personal information to be restricted or suppressed
6. Right to data portability
Data subjects have the right to obtain and reuse their data for their purposes across different services
7. Rights with regards to automated decision making including profiling
Individuals have the right not to be subject automated individual decision-making and profiling
Individual GDPR Rights
Presented below are each of the GDPR data subject rights in more detail:
Right to be informed
Data subjects have the right to clear information regarding the collection and processing of their data. To comply with GPDR, organizations must provide specific privacy information to individuals regarding:
- The organization
- The processing activities that are performed
- The duration which the data will be kept
- The rights available to data subjects in respect of processing
- The right to register a complaint
Other information may also need to be provided depending on the type of processing performed by the organization.
For instance, if an organization has obtained personal information from a third party, it will need to inform the data subject what categories of their data have been received and its source.
To be GDPR compliant, businesses must provide data subjects with privacy information:
- When they collect their personal information
- In a concise, easily accessible, intelligible and transparent way
- In direct and straightforward terms
- Without cost or fees
Further information can be found on the UK’s Data Protection Authority (DPA) ‘s, the ICO, website.
Right of access
GDPR’s right of access provides data subjects with the right to access their data held by an organization.
If requested by the data subject, an organization must provide:
- Confirmation as to whether they are processing the personal of the requesting individual
- Any other supplementary information, including any mandatory privacy data
- A copy of the personal data which they are processing
Apart from specific circumstances, organizations have to comply with a subject access request within one month of receipt. Read dealing with subject access requests to understand more about the right of access.
Right of rectification
Individuals can ask for their data to be erased or rectified if the data is inaccurate or incomplete. GDPR law provides an organization with one month to comply with such requests. More information about right to rectification here.
Right to erasure
The right to erasure, commonly referred to as the right to be forgotten, provides individuals with the right to ask for the deletion of their data, if:
- The organization has processed their data unlawfully
- Their data is no longer needed for the original purpose (and the organization has no new lawful purpose)
- The data subject withdraws their consent for processing (and no other GDPR lawful basis apply)
- The individual exercises their right to object to processing and the business is unable to override their objection
- The personal information must be deleted to comply with other EU or national law
You can learn more about the right to erasure here.
Rights to restrict processing
Data subjects can request the processing of their data to be restricted, if, for example:
- They believe their data is not accurate. In such cases the processing should stop, until the accuracy of the data can be verified
- The processing of their data is unlawful, but the data subject does not want the data deleted
- The data is no longer needed, but the data subject requires the data to exercise a legal claim
- The organization is taking steps to verify grounds to override the erasure request
If an organization received a request to restrict processing, the organization could continue to store the data. However, they will not be able to perform any processing.
If a request for rectification, erasure or restriction is made, an organization must inform any third party they share the relevant data with that the individual has exercised these rights.
Learn more about the right to restrict processing
Right to object to processing
A data subject may have a right to object to processing, where their data is processed under the lawful bases of public interest or legitimate interests. Any objection can be made verbally or in writing and has to be justified.
An organization may have to stop processing unless they can show that:
- They have compelling legitimate grounds to continue processing the data which override the interests, rights and freedoms of the individual
- The processing is required in connection with legal rights
Individuals may also object to the processing of their data for direct marketing, including profiling. With regards to direct marketing, in addition to GDPR, a data subject has rights under the ePrivacy Directive.
Read more on the right to object
Right to not be evaluated based on automated processing
Individuals have the right not to be subject to a decision based solely on automated processing, which significantly affects them, such as profiling for jobs, insurance premiums, etc.
Organizations should consider asking data subjects to consent to process their data for evaluation purposes automatically. Read more about rights related to profiling and automated decision-making
Complying with GDPR Data Subject Rights
Businesses needing to comply with GDPR should understand how these GDPR data rights work and apply.
If necessary, organizations should review and update their processes to respond to data subject requests within mandated timescales adequately.
Our GDPR compliance checklist is a useful resource for organizations wishing to comply with GDPR.