What are the Data Subject Rights under the GDPR?

Even though the EU General Data Protection Regulation (GDPR) is now in effect, many organisations are still working towards compliance. That’s certainly not the end of the world, but organisations will run into serious problems if they aren’t equipped to deal with data subject rights.

The GDPR gives individuals eight rights relating to their personal data. Organisations must let individuals know how they can exercise these rights, and meet requests promptly. Failure to do so is a violation of the GDPR and could lead to disciplinary action.

The eight rights are:

  1. The right to be informed

Organisations need to tell individuals what data is being collected, how it’s being used, how long it will be kept and whether it will be shared with any third parties. This information must be communicated concisely and in plain language.

  1. The right of access

Individuals can submit subject access requests, which oblige organisations to provide a copy of any personal data they hold concerning the individual. Organisations have one month to produce this information, although there are exceptions for requests that are manifestly unfounded, repetitive or excessive.

  1. The right to rectification

If an individual discovers that the information an organisation holds on them is inaccurate or incomplete, they can request that it be updated. As with the right of access, organisations have one month to do this, and the same exceptions apply.

  1. The right to erasure

Individuals can request that organisations erase their data in certain circumstances, such as when the data is no longer necessary, the data was unlawfully processed or it no longer meets the lawful ground for which it was collected. This includes instances where the individual withdraws consent.

The right to erasure is also known as ‘the right to be forgotten’.

  1. The right to restrict processing

Individuals can request that an organisation limits the way it uses personal data. It’s an alternative to requesting the erasure of data, and might be used when an individual contests the accuracy of their personal data or when they no longer need the information but the organisation requires it to establish, exercise or defend a legal claim.

  1. The right to data portability

Individuals are permitted to obtain and reuse their personal data for their own purposes across different services. This right only applies to personal data that an individual has provided to data controllers by way of a contract or consent.

  1. The right to object

Individuals can object to the processing of personal data that is collected on the grounds of legitimate interests or the performance of a task in the interest/exercise of official authority. Organisations must stop processing information unless they can demonstrate compelling legitimate grounds for the processing that overrides the interests, rights and freedoms of the individual or if the processing is for the establishment or exercise of defence of legal claims.

  1. Rights related to automated decision making including profiling

The GDPR includes provisions for decisions made with no human involvement, such as profiling, which uses personal data to make calculated assumptions about individuals. There are strict rules about this kind of processing, and individuals are permitted to challenge and request a review of the processing if they believe the rules aren’t being followed.

Become a GDPR expert

Although some of these rights were present in the GDPR’s predecessor, the Data Protection Act 1998, the Regulation has significantly strengthened the rules around them, and organisations need to plan accordingly. One of the most important steps is to educate employees on how to comply with requests lawfully. This requires a well-rounded knowledge of the GDPR and the other ways it affects organisations and data subjects.

Those who want to learn more about data subject rights and the GDPR’s other requirements should consider enrolling on our Certified EU GDPR Foundation and Practitioner Combination Course.

This five-day course provides a comprehensive overview of the GDPR and gives practical advice on planning, implementing and maintaining a GDPR compliance programme. Delivered by an experienced data protection practitioner, it’s ideal for both managers who are already involved in data protection and individuals who want to get started in the field.

You might also be interested in our EU GDPR Documentation Toolkit, which includes templates to help you comply with data subject access requests, as well as other policies and procedures.