
What are Data Subject Rights Under the GDPR?

Written by Osano Staff | January 27, 2023

When it comes to data subject rights and freedoms, most companies focus on the right to access, modify, and delete data. But the EU's General Data Protection Regulation (GDPR) actually grants data subjects eight rights that give them control over their personal data and how it is used. Guidance from the European Data Protection Board (EDPB) adds further clarity on how these rights are to be interpreted and applied.

In this article, we’ll examine the GDPR rights of data subjects, what they require, and how to comply with them.

What are the GDPR Data Subject Rights?

1. The right to be informed

Articles 12 to 14 of the GDPR set out the data subject's right to be told that you have collected, and intend to process, their personal data. If you collect the data directly from the data subject, you must provide this information at the time you obtain it (Article 13).

If you obtain the data from another source, for example another controller or a data broker, Article 14 gives you longer: you must inform the data subject within a reasonable period of obtaining the data, but no later than one month. If you use the data to communicate with the data subject, or disclose it to another recipient, the information must be provided at the latest at the time of that first communication or disclosure.

Whether you collect data directly or indirectly, Article 12 requires that the information be provided in a concise, transparent, intelligible and easily accessible form, using clear and plain language.

2. The right of access

The data subject's right to access their personal data is described in Article 15. In short, data subjects have a right to know:

  • Whether you are processing any of their personal data.
  • The purposes of the processing.
  • The categories of personal data concerned.
  • The recipients, or categories of recipients, with whom you share the data, in particular any outside the EU.
  • How long you will retain the data, or the criteria used to decide that.
  • Where the data did not come from the data subject, its source.
  • Whether you use the data for automated decision-making, including profiling, and if so the logic involved and its likely consequences.

Data subjects can send a data subject access request (DSAR), through which they may request a copy of all their personal data. A good DSAR mechanism is essential to ensure you’ll comply with their request promptly.

Note that although individuals commonly make DSARs to access their data, it has become the industry standard to refer to any request to exercise a data privacy right as a DSAR.

Although access requests are the most common, Article 12(3) requires you to respond to any DSAR without undue delay and in any event within one month of receipt. Where a request is particularly complex, or you have received many, you may extend this by up to two further months, but you must tell the data subject about the extension, and the reasons for it, within the first month.

You can also refuse a DSAR, but only if it is "manifestly unfounded or excessive" (Article 12(5)); in that case you may alternatively charge a reasonable fee. The EDPB's guidance on the right of access helps in deciding what qualifies, with examples such as repeated requests within a short period or requests clearly intended to harass. In either case, the burden of demonstrating that a request is manifestly unfounded or excessive falls on you, so refuse a DSAR with care and document your reasoning.

3. The right to rectification of personal information

Detailed in Article 16, the right to rectification means data subjects can request the correction of any inaccurate information and the completion of incomplete information, including by means of a supplementary statement. When such a request is made, the data controller must correct the personal data without undue delay so that it accurately reflects the subject's situation.

This right is particularly important in contexts where inaccurate data could adversely affect the rights and freedoms of the data subject, such as decisions based solely on automated processing or where the data is necessary for the performance of a contract.

Keeping personal data accurate and up to date is also one of the GDPR's core processing principles (Article 5(1)(d)), so this right reinforces an obligation you already have and protects the individual's fundamental rights.

4. The right to erasure (the right to be forgotten)

According to Article 17 of the GDPR, data subjects have the right to request that their personal data be erased. For the request to be valid, at least one of the following conditions must be met:

  • The data is no longer necessary for the purposes for which it was collected or otherwise processed.
  • The data subject withdraws the consent on which the processing is based, and there is no other legal ground for it.
  • The data subject objects to the processing under Article 21 and there are no overriding legitimate grounds (or objects to direct marketing, where no such grounds can apply).
  • The data has been processed unlawfully.
  • Erasure is required to comply with a legal obligation under Union or Member State law.
  • The data was collected from a child in connection with offering online (information society) services.

If any of these situations apply, you must erase the data without undue delay, and in any event within the one-month response period of Article 12(3). If you have made the data public, Article 17(2) also requires you to take reasonable steps to inform other controllers processing it that the data subject has requested erasure.

Erasure is not absolute, however. Article 17(3) lets you keep the data where processing is necessary for exercising freedom of expression and information, complying with a legal obligation, public health, archiving or research in the public interest, or establishing, exercising or defending legal claims.

5. The right to restrict processing

Article 18 gives data subjects the right to restrict the processing of their personal data. This is not the same as the right to erasure: here, you can still store the data. The right to restriction applies in certain situations, including:

  • The data subject contests the accuracy of the data, for the period you need to verify it.
  • The processing is unlawful, but the data subject opposes erasure and asks for restriction instead.
  • You no longer need the data, but the data subject needs it to establish, exercise or defend legal claims.
  • The data subject has objected to the processing under Article 21 (see the section on "The right to object"), pending verification of whether your legitimate grounds override theirs.

While processing is restricted you may store the data, but may only otherwise process it with the data subject's consent, for legal claims, to protect another person's rights, or for important public interest reasons (Article 18(2)), and you must tell the data subject before lifting the restriction (Article 18(3)). As with other data subject requests, you have one month to respond when a restriction of processing is requested.

6. The right to data portability

According to Article 20 of the GDPR, data subjects have the right to receive the personal data they provided to you in a structured, commonly used and machine-readable format, and to transmit it to another controller, or to have you transmit it directly to that controller where this is technically feasible. The right applies only where the processing is based on consent or on a contract and is carried out by automated means.

If a data subject makes a portability request, you can't just hand over the data in multiple proprietary or complex formats; it needs to be a common format (CSV, JSON or XML, for example) that another controller can reasonably be expected to read.

7. The right to object to processing

Under Article 21, data subjects can object, on grounds relating to their particular situation, to processing based on a public-interest task or on your legitimate interests (Article 6(1)(e) and (f)), including profiling. You must then stop unless you can demonstrate compelling legitimate grounds that override the data subject's interests, rights and freedoms, or the processing is needed to establish, exercise or defend legal claims. Where the data is used for direct marketing, the objection is absolute: you must stop, with no exemptions. The right to object must be brought explicitly to the data subject's attention at the latest at the time of first communication, clearly and separately from other information.

There are limits. The right to object does not cover processing under other legal bases, such as processing necessary to provide a service the data subject has contracted for. For processing for scientific or historical research or statistical purposes, an objection can be overridden where the processing is necessary for a task carried out in the public interest.

8. The right not to be subject to automated decision-making, including profiling

The eighth right, found in Article 22, concerns automated decision-making and profiling. Data subjects have the right not to be subject to a decision based solely on automated processing, including profiling, that produces legal effects concerning them or similarly significantly affects them; the regulation's recitals give the automatic refusal of an online credit application and e-recruiting without human intervention as examples.

Such decisions are only allowed in three cases:

  • If it is necessary for entering into, or performing, a contract with the data subject.
  • If it is authorised by Union or Member State law that also provides suitable safeguards.
  • If the data subject gives their explicit consent.

In the contract and consent cases, you must implement safeguards that include, at a minimum, the right to obtain human intervention, to express their point of view, and to contest the decision (Article 22(3)). Decisions based on special categories of personal data are further restricted (Article 22(4)).

The bottom line

The GDPR's data subject rights serve the regulation's main goal: to give people power over their personal data.

Data subjects need to know exactly why, when, how, and for how long you’ll be processing their data. They can withdraw consent at any time, request modification or even erasure, and move their data to a different controller.

DSARs are how data subjects exercise most of these rights, and you need to respond within the one-month deadline each time you receive one. Sometimes, however, it can be easy to lose track of the requests you receive or to find all the necessary data.

Osano’s DSAR solution can take some of that load off of your shoulders. It will support you in keeping track of data subject requests, responses, and even data management. Request a demo to walk through Osano’s DSAR capabilities with an expert.