What are the data subject rights under GDPR?
GDPR provides a comprehensive set of rights to data subjects, giving them additional control and power over their personal data.
In this article, we will look over the 8 fundamental data subject rights under GDPR and provide you with a summary of what each right represents.
Ready to learn what data subject rights are?
Let’s get started!
What are the data subject rights under GDPR?
The General Data Protection Regulation or GDPR is a comprehensive and strict regulation intended to protect the personal data of European citizens or consumers, the data subjects.
One aspect of GDPR is to impose obligations on organizations when processing a data subject’s personal data.
Another aspect of GDPR is to empower data subjects to take control and manage their own personal data.
GDPR defines 8 fundamental data subject rights to allow European consumers or individuals to take control of their personal data:
- Data subject’s right to be informed
- Data subject’s right of access
- Data subject’s right to rectification
- Data subject’s right to erasure or right to be forgotten
- Data subject’s right to restrict processing
- Data subject’s right to data portability
- Data subject’s right to object
- Data subject’s right not to be subject to automated decisions
Let’s look at each of these rights in more detail.
Data subject’s right to be informed
The data subject’s right to be informed is one very important right under GDPR.
It’s also known as the right to get privacy information.
Based on this right, a person has the right to be informed as to what personal information companies are processing about them and for what purpose.
The right to be informed is very closely linked to the GDPR principles of lawfulness, fairness and transparency.
When a company intends to collect, process and store personal information, it must provide the data subject with the following privacy information:
- Company’s name and contact details or that of its representative
- Name and contact details of the company’s data protection officer, if any
- The purpose of data processing
- Basis for processing such as lawful basis or legitimate basis
- Categories of personal data obtained
- Who will get access to personal data
- To whom will personal data be transferred
- For how long personal data will be retained
- Details of the data subject rights
- How to withdraw consent for processing
- How to file a complaint
- Whether there is automated decision-making based on personal data
Article 13 GDPR provides for the data subject’s right to be informed when a company collects personal data directly from the data subject.
Article 14 GDPR provides for the data subject’s right to be informed when a company collects personal data from a source other than the data subject.
Data subject’s right of access
The data subject’s right of access or subject access is a person’s right to obtain a copy of their personal data along with any other information concerning them in the possession of an organization.
When exercising the right of access, the data subject is entitled to receive a confirmation of what personal data is being processed by the company, obtain a copy of the personal data and get supplementary information about the company’s privacy policy and notices.
Article 15 GDPR establishes the data subject’s right of access.
Data subject’s right to rectification
The data subject’s right to rectification allows an individual to request that an organization correct the content of the data they possess on the individual.
It essentially is the right to have the personal data rectified so the company processes accurate information about a data subject.
The right to rectification is closely linked to the data protection principle of accuracy.
To satisfy this obligation, companies are required to take reasonable steps to ensure that the data they receive from a data subject or data they process is accurate and correct.
Article 16 GDPR establishes the data subject’s right to rectification.
Data subject’s right to erasure or right to be forgotten
The data subject’s right to erasure is also known as the data subject’s right to be forgotten.
The right to erasure is not an absolute right but can nonetheless be exercised by a data subject when the GDPR conditions regarding the personal data erasure are met.
An individual has the right to be forgotten when:
- The company no longer needs the personal data for the purpose initially collected
- The company relies on consent to process data and the consent is withdrawn
- The company relies on legitimate interests to process data, the person exercises the right to object to the processing, and there are no overriding legitimate interests to continue data processing
- The data processing is for direct marketing purposes and the person objects to the personal data processing
- The personal data processing was in violation of the law
- The law compels the company to erase the personal data
- The personal data was processed to offer information society services to a child
Article 17 GDPR provides for the data subject’s right to erasure.
Data subject’s right to restrict processing
Instead of exercising the right to erasure, data subjects can exercise their right to have their personal data processing restricted.
In other words, when a person exercises the right to restrict processing, the company holding personal data must limit the use and processing of personal data.
In most cases, the right to restrict processing is for a period of time only and when inaccurate information is found on the data subject.
Until the data is corrected, organizations will limit or restrict the processing of personal data.
Article 18 GDPR provides for the data subject’s right to restrict processing of personal data.
Data subject’s right to data portability
A data subject has the right to receive a copy of their personal data in a structured, commonly used and machine-readable format so they can provide the data to another organization.
The data portability right helps reduce the dependency of consumers or individuals on a specific company or provider.
An individual can also exercise the data portability right to have a company transmit their personal data directly to another organization.
The data portability right applies when the processing of personal data is based on consent, when it is to perform the obligations of a contract with an organization, or when a company carries out processing based on automated means.
Naturally, a person can obtain a copy of their personal data only.
Article 20 GDPR provides for a data subject’s right to data portability.
Data subject’s right to object
A person has the right to object to a company’s processing activities related to their personal data.
This right, similar to the right to restrict processing, is not an absolute right.
If a data subject objects to the processing of personal data, then the company must ensure that it has the proper basis to process the personal data.
A person can object to data processing in the following circumstances:
- For direct marketing purposes
- For tasks carried out in the public interest
- For tasks carried out in the exercise of an official authority assigned to a company
- If a company is processing based on its own legitimate interest
Article 21 GDPR provides for a data subject’s right to object.
Data subject’s right related to automated decisions
Individuals also have the right not to be subjected to automated decision-making.
In other words, if a company uses technology and automated means, without the intervention of a human, to process personal data and make decisions about the individual producing legal effects or impacting the person, then the individual has the right to restrict that.
In many cases, automated decision-making involves profiling an individual and making decisions about the individual based on the assembled profile.
Under GDPR, a data subject has the right not to be subjected to purely automated decision-making when such decisions produce legal effects or significantly affect the person.
Companies can use automated means of decision making in the following instances only:
- If it’s necessary to enter into a contract or perform the obligations of a contract with the data subject
- When it’s authorized by law
- When the data subject has given express or explicit consent.
Article 22 GDPR outlines the data subject’s right relating to automated decision-making including profiling.
Takeaways
In this article, we’ve looked at the data subject rights relating to data protection in the context of the General Data Protection Regulation or GDPR.
GDPR defines 8 fundamental data subject rights to allow European consumers or individuals to take control of their personal data:
- Right to be informed
- Right of access
- Right to rectification
- Right to erasure or right to be forgotten
- Right to restrict processing
- Right to data portability
- Right to object
- Right not to be subject to automated decisions
GDPR empowers individuals to exercise these rights against organizations, forcing them to be accountable for the manner in which they process personal data.
On the one hand, the rights of data subjects are not absolute and, on the other hand, they cannot be ignored by companies.
The 7 GDPR principles related to data processing and the data subject rights represent the core of GDPR as it relates to the processing of personal information.