What are 8 Data Subject rights according to the GDPR

The eight data subject rights established by GDPR aim to empower individuals, enhance privacy protections, and ensure transparency and control over their personal data in the digital landscape.

While some rights were already introduced through earlier legislation (like the right of access) and have been further enhanced, others are novelties unique to the GDPR, such as data portability.

The eight data subject rights are:

1. Right to be informed

The right to information allows individuals (data subjects) to know what personal data is collected about them, why, who is collecting data, for how long, how they can file a complaint, and if there is data sharing involved.

To be more precise, the organization (data controller) is obligated to provide information about:

  • Controller’s information and contact details
  • Purpose of data processing
  • Legal basis for personal data processing
  • Third party details
  • Data retention period
  • Rights granted to the data subject under the data protection law
  • Right to file a complaint
  • Whether the provision of personal data is a statutory or contractual requirement
  • Whether the individual is obligated to provide the personal data

All of this information should be conveyed using straightforward and easily understandable language.

2. Right of access

Individuals have the right to submit access requests and obtain confirmation from the organization as to whether their personal data is being processed.

The organization is then obligated to provide a copy of the personal data it holds about the individual, along with additional information, including:

  • The purpose of the processing
  • The categories of personal data being processed
  • With whom the data is shared (including recipients in third countries or international organizations)
  • How long the organization will keep the data (data retention period)
  • Information about their GDPR rights (right to rectification, right to erasure, restriction of processing…)
  • Information about automated decision-making, including profiling
  • Source of collected data (if the data is not collected from the individual)

3. Right to rectification

The right to rectification allows individuals to ask the organization to update any inaccurate or incomplete data it holds on them.

Upon receiving the request, the organization should verify that the data is indeed inaccurate and, if it confirms this, rectify it; the legal deadline to respond to the request is one month.

This right sets new operational challenges for organizations since rectifying one data set can have broader consequences on the entire database.

4. Right to be forgotten

The right to be forgotten is also known as the right to erasure. This right allows individuals to ask for their personal data to be deleted if:

  • Personal data is no longer necessary
  • Individual withdraws consent
  • Personal data is unlawfully processed
  • Individual objects to the processing, and the data controller has no reason to continue processing
  • Data erasure is necessary for compliance with a legal obligation (EU law or national law)

The organization must inform any third parties with which it shared the data and ask them to delete it, unless it can show that doing so would require a disproportionate effort or would be impossible.

This means organizations now face a new challenge: the notification of third parties.

For those sharing data with many external partners, meeting this requirement means setting up new procedures and notification systems, making compliance more complex.

5. Right to restrict processing

Individuals can request that an organization limit how it uses their personal data, although the organization is not automatically required to delete it.

However, the organization has to refrain from processing in certain situations:

  • Data is inaccurate (during the verification process)
  • Processing is unlawful, but the individual does not want the data to be erased and requests restriction instead (which is different from the right to erasure)
  • The organization no longer needs the data, but the individual wants it preserved so that a legal claim can be exercised
  • The organization is taking measures to verify the data erasure request

Once the data is restricted, the organization is not allowed to process it unless it has the individual's consent, needs the data for legal claims, or needs it to protect the rights of other individuals.

6. Right to data portability

Data portability is one of the novelties among data subject rights. It allows individuals to obtain personal data they have previously provided to the organization in a structured, commonly used, and machine-readable format.

Individuals can also request that their data be transferred directly to another organization.

However, it applies only to data that the individual has provided to the organization on the basis of consent or a contract, and only where the processing is carried out by automated means.

This also applies to data related to the individual’s behavior and may include search inquiries, location data, website history, and more.

7. Right to object to processing

The right to object allows individuals to object to the processing of their personal data at any time in certain situations, depending on the purpose of the processing and the lawful basis for it.

Individuals can also object to data processing based on legitimate interests or tasks in the public interest.

8. Rights in relation to automated decision-making and profiling

The GDPR introduced strict rules when it comes to the processing of personal data that is done without human involvement.

This encompasses different types of profiling, such as assessing an individual's performance at work, economic status, health, personal preferences, interests, reliability, behavior, or location, where it produces a legal effect or similarly significantly affects them.

However, these rules do not apply if the processing is necessary for the performance of a contract, if it is authorized by law, or if it is based on the individual's explicit consent.

Violation of data subject rights

Any violation of data subject rights attracts the highest tier of penalties under the GDPR: up to €20 million, or up to 4 % of the organization's total global turnover of the preceding fiscal year, whichever is higher.

This represents a real risk for the organization, both financially and reputationally, since the operationalization of data subject rights remains one of the main compliance challenges.

Operationalization of data subject rights

When you collect and process personal data in large quantities, automation of the process is key. Privacy solutions such as Data Privacy Manager serve as a platform for orchestrating and managing data subject rights.

It automates the entire process so that the IT systems where the data is stored can execute user requests in a timely manner. The process becomes an automated workflow with clear insight into every step.

The workflow runs from the registration of the request, through request approval and data processing, to the notification of the data subject about the outcome of the request.

Most importantly, Data Privacy Manager provides one central place for the supervision of requests and gives the DPO all the information necessary for managing data subject requests within the response deadline.
